Widespread adoption of passwordless authentication is still a few years away, a panel discussion observing World Password Day has been told.
“We are making quite a bit of progress,” Vishnu Allaparthi, a Texas-based partner in PwC’s cyber risk and regulatory practice, told a webinar sponsored by authentication provider Okta. “In my conversations, clients consistently want to know how they can start their journey to a passwordless future. There is a very active vendor ecosystem around passwordless solutions. In the next three to five years we will make tremendous progress in terms of making passwordless your first option in authentication, and then maybe having passwords as a backup.”
“In five to seven years, passwords will seem antiquated,” he predicted.
Andrew Shikiar, executive director of the FIDO Alliance, an industry association that creates open and free authentication standards to help reduce reliance on passwords, said the tech industry and enterprises are getting smarter about passwords. “They’re moving away from well-intended but misguided password policies that have led to either simpler passwords or passwords on sticky notes, and they’re working towards forms of authentication that are not dependent on passwords or knowledge-based credentials at all.”
Every major operating platform vendor now supports open standards for passwordless authentication (the FIDO2/WebAuthn standards, which unlock a device-bound credential with a biometric or a device PIN), he noted, so virtually every computing device has the capability to support passwordless authentication.
This week, he added, Google started rolling out support for passkeys, which are unlocked with a fingerprint, a face scan or a screen-lock PIN rather than a password, for access across Google Accounts on all major platforms. In an interview, Shikiar called that a “huge” advance.
However, Okta CIO Alvina Antar noted many organizations, employees, and consumers like what they’re familiar with — passwords.
“Transformation is hard,” she said during the webinar. “If it was easy we wouldn’t be so reliant on the old ways.” To some it seems the passwordless journey “is out of reach,” she added. “Customers don’t understand the path to achieving a passwordless experience. So we need to meet where customers are in their journey, and get them past this conception that it’s out of reach.”
What consumers and organizations have to understand, she said, is it will take phased implementation.
Here’s evidence of the obstacle: a recent 1Password survey of 2,000 adults in North America found that only 25 per cent of respondents had heard of “passwordless.” Yet 75 per cent were open to using passkeys, unlocked with a biometric for example, for logging in once shown an example of them. (The report is available from 1Password; registration is required.)
“Passwords have been around for 60 years,” Shikiar noted, having first been used in 1960 at the Massachusetts Institute of Technology (MIT) to control shared access to a mainframe. “The fact that we’re using technology that’s 20 years old let alone 60 years old is problematic” from a security standpoint. “What we’ve done over the past few years is layer on factors on top of a password — 2FA (two factor authentication), email notifications — but most are phishable in their own right.”
Passkeys are unphishable, possession-based primary authentication factors that provide MFA-type security, he said, on devices that users have at their fingertips. “It is inevitable that passwords will be left in the rearview mirror.”
Today’s data breaches, he said, are “massive hauls of accounts at once — and often-times they’re lower value accounts … and they all come back to credentials. So if you get rid of knowledge-based credentials [memorized passwords] you get rid of that problem.”
Traditionally World Password Day has been an opportunity to remind people at work and home to avoid simple passwords, to not re-use passwords on more than one website, to use a password manager to oversee their growing lists of passwords and to adopt multifactor authentication (MFA) where it’s offered.
More recently, the cybersecurity industry has been urging CIOs and CISOs to switch to phishing-resistant authentication systems and, if possible, passkeys, and, for select employees (senior management, IT staff and those in the finance department), to require hardware authenticators such as USB security keys (YubiKeys or Google Titan keys, for example) or secure ID tokens.
Even with companies like Microsoft, Apple, and Google announcing support for passwordless authentication solutions, it will take many more years for applications, services, and systems to adopt and modernize to the new protocols, said Carla Roncato, vice-president of identity at WatchGuard Technologies. “For this reason, on this World Password Day, we should all pause and think about how we can adopt better password hygiene, do away with outmoded password management practices, and leverage modern authentication technologies to keep our accounts and identity information safer online.”
For maximum protection, educating your employees about the significance of password safety is critical, said Neil Jones, Egnyte’s director of cybersecurity evangelism, especially reminding them that passwords should never be shared with anyone, including their closest business colleagues. Finally, family members should never be permitted to access your business devices.
To better bolster password effectiveness, passwords should be updated regularly, said Tyler Moffitt, senior security analyst and community manager at OpenText Cybersecurity. Many people use the same passwords for an extended period, or use short, simple ones, he noted, which increases the risk of exposure or hacking. To check the strength of their passwords he recommends users input their passwords into https://haveibeenpwned.com/ to see if they’ve been stolen.
Stuart Wells, CTO of Jumio, said World Password Day serves as a reminder to organizations that, although passwords were reliable in the past, it is time to bolster security solutions with more secure and robust authentication methods, like biometric authentication, to ensure that the user accessing an account is the authorized user.
Combining strong passwords with data governance policies and a technology solution to enforce those policies is an unbeatable approach to data protection and security, said Ian Leysen, CEO and CSO of Datadobi. In doing so, businesses can safeguard their sensitive information, especially from the growing threat of cyber-attacks, consequently enabling them to comply with regulations, as well as protect their intellectual property, reputation, and bottom line.