The cause of breaches has been well known since the landmark "2017 Verizon Data Breach Investigations Report," which revealed that 81% of hacking-related breaches leveraged stolen and/or weak passwords.
Not much has changed in the past couple of years. Verizon's 2019 report confirms the stolen and/or weak passwords number still comes in at around 80%, with 29% of breaches caused by stolen credentials.
So once again we ask: What will it take to get the industry to move off of passwords? And what's stopping organizations from moving forward?
'Our Best Bet' for Ending Passwords
"Organizations know that too many people use the same passwords over and over again. It's a bad practice, but much of it is because of inertia. There are just too many other things to do," says Rik Turner, a principal analyst at Ovum. "Moving forward, FIDO [Fast Identity Online authentication] is worth a look since it's got many of the big consumer brand names behind it. It's really become the best bet for the future of passwordless authentication."
While it's true the industry has been slow to change, a closer look reveals that much progress has been made in 2019. For example, Microsoft and Google now support the passwordless standard FIDO2, and Apple has made it clear it intends to support FIDO2 in its Safari browser. In another important move, Apple says iOS 13.3 (likely available early in 2020) will support popular FIDO-compliant authentication devices such as the YubiKey.
On the consumer side, companies such as eBay have had their developers build their sites with the WebAuthn FIDO2 spec, which allows for passwordless authentication using biometrics, adds Andrew Shikiar, executive director and CMO of the FIDO Alliance. As of now, Android users running Google Chrome 75 can access eBay by authenticating with either a fingerprint or facial scan, whichever the device supports.
Intuit, which also deployed FIDO passwordless authentication for its mobile services, found its customers successfully authenticated 99.9% of the time, compared to 80% to 85% for text messages. Sign-in time was also reduced by 78%. Shikiar says many more companies will offer passwordless authentication on their websites in the months ahead.
"We're seeing that organizations are realizing that passwords are a liability," he says. "With FIDO, organizations can improve the user experience, increase security, and reduce risk as well as time to authentication."
Matthew Ulery, chief product officer at SecureAuth, says organizations will change based on a combination of four important factors: an important industry peer (e.g., a bank or insurance company) gets breached and they don't want to be the next victim; a new CEO or top executive comes into the organization and dictates that the company will move toward passwordless authentication; an organization realizes it finally has to do something to stop synthetic IDs from being used to steal passwords; and, finally, customers push for change.
"Customers are pushing back," Ulery says. "It's now so easy to do fingerprint-reading or facial recognition on a smartphone that customers will want to know why they can't move to a passwordless solution."
There's also an economic argument for moving to passwordless authentication. According to Frank Dickson, a program vice president at IDC who covers security issues, employees, on average, call the corporate help desk to reset their passwords up to twice a year. Each call costs between $30 and $40, so right off the bat passwordless authentication can help cut down on costs. In addition, because users are authenticating to applications and not the corporate network with passwordless authentication, companies can reduce calls related to help with their VPNs -- and even eliminate their costs of managing a corporate VPN.
"Companies know they need to go passwordless, but they also need to find the money to do it," Dickson says. "When they realize they can eliminate cost and add security by going passwordless, things will start to move. I expect that 2020 will be a year that much of this comes together."
Steve Zurier has more than 30 years of journalism and publishing experience and has covered networking, security, and IT as a writer and editor since 1992. Steve is based in Columbia, Md.