It only took one employee’s stolen password to trigger the Colonial Pipeline ransomware attack last year, disrupting fuel supplies to the southeastern US. And yet, over half of organisations rely on passwords as their primary authentication method. With global cyberattacks at an all-time high, is it finally time to move on? This report looks at the state of passwordless security.
- Stolen details up for grabs on the dark web, people still reusing their passwords, the proliferation of attack tools, and the vulnerability of remote and hybrid offices all point to the fact that passwords are more of a liability than a safeguard. But even after suffering an attack, 64% of businesses retain the same password-based approach.
- Multi-factor authentication is often seen as a useful tool to compensate for password insecurity, but most organisations say traditional multi-factor authentication methods are failing due to poor user experience (49%), difficulties integrating them into existing systems (48%) and cost (42%).
- Could passwordless multi-factor authentication technologies be a solution? The survey’s respondents think so, citing their stronger security and enhanced user experience, with reduced costs as a cherry on top.
- However, there is confusion about what “passwordless” means. Many solutions use biometric technology to unlock an underlying password, leaving it vulnerable to credential capture attacks.
- 34% of large companies in the finance and insurance sector - the most consistently attacked industry - have already turned to passwordless security.
- One way of going passwordless is using hardware key-based tools, but deployment and ongoing operations make them expensive.
- A solution going forward could be Fast Identity Online (FIDO) standards, which Mastercard, Apple, Microsoft, Samsung and many others support.
Why does this matter for businesses?
- Can you be certain that your employees don’t use post-it notes attached to their screens to remember their passwords?
- Passwords are a common weakness that gets exploited time and time again. To counter that threat, organisations have used password managers and multi-factor authentication. But a passwordless experience might go further and eradicate the weaknesses inherent in using passwords.