More Companies Move Toward Passwordless Authentication
More companies are adopting passwordless authentication as security leaders move away from traditional passwords and outdated multi-factor authentication.
It's safe to say that no one is crazy about passwords. For chief information security officers, it's a nightmare when employees leave lists of passwords on their desks or write them on Post-it notes on their computers. For workers, entering multiple passwords to access different devices and resources is a hassle.
Passwordless authentication technology is designed to address these issues, and the use of these tools is growing. A recent survey of 200 CISOs by Wakefield Research, sponsored by security vendor Portnox, revealed that a majority (92%) of security leaders said their organizations have implemented or are planning to implement passwordless authentication. This is expected to increase to 70% in 2024. CISOs cited improved employee productivity and improved user experience as the biggest benefits.
Passwordless authentication verifies user identity without the need for traditional passwords, using other methods like hardware tokens, biometrics, or mobile push notifications. This offers potential benefits such as improved security and a better user experience.
Training service provider Universal Technical Institute has started using Microsoft's Passwordless platform, "and as we've adopted it, we've seen the benefits quickly: reduced password resets, fewer service desk tickets, and an earlier start to the day," said Adrienne Detre, the company's senior vice president and CIO.
"The big impact is cultural," Detre said. "It shows we're serious about making technology lighter and more human again. Over the years, we've added so many systems and logins that the weight of technology has become a part of the job. This is one of the steps that helps remove that administrative friction and makes the ecosystem feel simpler and more connected."
Detre said it's not just about security, but also about the user experience. "Every password reset or lockout slows people down and reduces their focus," he said. "Passwordless removes that hassle from the day and gives people time back. It's part of designing a connected ecosystem where security and usability work hand in hand."
MFA is losing its status as the 'gold standard' of cybersecurity
CTO Srikara Rao said that R Systems International, a digital product engineering services company, is gradually moving to a passwordless environment. "For us, it's not about chasing a trend; it's a direct response to the fact that our previous gold standard, multi-factor authentication, is becoming obsolete," Rao said. "The threat environment has changed beyond the capabilities of traditional MFA."
R Systems' move is driven by both security and business-enhancing factors. "Credential-based attacks remain the biggest threat, with a significant increase in phishing attempts and a number of near-misses, necessitating action," Rao said. "We want to promote solutions within our organization that are phishing-proof."
Rao added that, operationally, password resets have become quite expensive. Reset times can be costly due to direct labor costs and significant indirect costs like lost employee productivity and IT resource drain. Research firm Forrester estimates that a single password reset can cost $70, and this can add up quickly for larger companies.
In addition, it's crucial that companies adhere to compliance requirements like PCI 4.0, which requires users to re-authenticate everything they restart or access. "Passwordless authentication will make this easier," Rao said. "And finally, as we compete for top tech and cybersecurity talent, being a passwordless company demonstrates that we are a forward-thinking, security-first organization."
Bring-Your-Own-Device Policies Are a Reason
Healthcare service provider Diversus Health is also moving toward passwordless authentication, using the technology as certificate-based network access control.
"Due to the recent adoption of a bring-your-own-device policy, our internal annual HIPAA compliance audit identified a lack of network access control as one of our high-risk threats," said IT Security Administrator Neil Ford. "So, we started looking at solutions that could be used to mitigate the threat." Earlier this year, Diversus Health deployed a system from Portnox that uses certificate-based authentication to verify device identities. "We deploy certificates through a cloud-based endpoint management solution, so verification with Portnox is transparent to staff," said Ford.
Ford said the solution has effectively reduced the risk of unknown devices connecting to the company's network and accessing internal resources.
One of the key factors in successfully adopting passwordless authentication is effectively communicating security changes to staff, said Rao.
“We quickly realized we had to sell the ‘why’ to our employees.”
Rao said companies should view passwordless authentication not as another security mandate, but as a direct benefit to employees through reduced friction, faster logins, and the elimination of password resets. Before making this change, R Systems conducted short, interactive training sessions to get people comfortable with access tools like fingerprint identification on their phones.
“I can’t emphasize enough the importance of user education by the organization,” Rao said. “It’s a huge difference between a successful deployment and a shelfware investment.”
Rao said R Systems’ passwordless strategy isn’t tied to any one vendor, but is built on the FIDO2 and WebAuthn open standards, which “gives us the flexibility to choose the right tool for every risk profile.” “Special users like administrators, developers, and executives use FIDO2 hardware security keys, while the majority of the workforce relies on passkeys integrated with device biometrics like Windows Hello and Face ID.”
The company is still observing the results of the transition to passwordless authentication and working to ensure it works best for everyone.
“We’ve seen significant improvements in our employee experience, including faster logins and a significant reduction in password-related help desk tickets,” Rao said. “Most importantly, passwordless authentication has become the foundation of our zero-trust architecture, giving us a strong, high-assurance identity layer that provides secure access regardless of user or device location.”
What's Your Reaction?
Like
0
Dislike
0
Love
0
Funny
0
Angry
0
Sad
0
Wow
0
