Passwords are still widely used despite their weaknesses. Easily guessed and reused legacy passwords are vulnerable to a wide variety of attacks and, on their own, do not provide adequate security for sensitive systems and confidential information. Eliminating passwords has been a long-standing goal, and it is finally seeing real traction in the market.
“We’ve seen a slight increase in customer inquiries over the past year specifically referring to ‘passwordless’ and an increase in inquiries about other passwordless approaches,” says Ant Allan, Gartner’s vice president. “By 2022, Gartner predicts that 60% of large and global enterprises and 90% of mid-sized enterprises will implement passwordless methods in more than 50% of usage cases — up from 5% in 2018.”
By its nature, passwordless authentication eliminates the problem of weak passwords, and it benefits both users and organizations. Users no longer need to remember or type passwords, which improves the user and customer experience. Organizations no longer need to store passwords, which improves security, reduces breaches and lowers support costs. Security and identity and access management (IAM) leaders can implement a passwordless approach in two ways.
Biometric authentication, such as Touch ID, is a common passwordless method. It is now widely used in mobile banking applications and is making its way into other customer-facing and business applications. Other options include password-free knowledge methods, such as pattern-based and one-time password methods; tokens, including phone-as-a-token modes, as a single factor; and the FIDO (Fast IDentity Online) Universal Authentication Framework (UAF), which enables password-free authentication via a local method on a device.
Current mainstream strong authentication solutions are two-factor authentication (2FA) solutions that add some sort of token to an existing password. Recently, vendors have launched 2FA solutions that are passwordless by default, providing a single-step 2FA that combines mobile push with a local PIN or a device-native biometric mode to create sufficient confidence in medium-risk cases.
In single-step 2FA, non-native biometric modes offer more: they are independent of the phone’s power-on passcode, give organizations control over whose biometric data is stored, and typically provide better protection against attacks using images or recordings. These advantages are critical when mobile push is used to authenticate access from the same smartphone.
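The methods above (FIDO UAF local verification on a device, and single-step 2FA that unlocks a device credential with a local PIN or biometric) all share one shape: the server holds a public key rather than a password, sends a fresh challenge, and accepts only a signature produced after the user has verified locally to the device. The following Go program is an added illustration of that flow and is not code from the article, from Gartner, or from the FIDO specifications. The RelyingParty and Authenticator types, the PIN string standing in for the device's local user verification, the user name "alice", and the single-use challenge bookkeeping are all constructed for this example; a real authenticator would keep the private key in hardware and never expose it to the calling application.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// RelyingParty models the server side of a passwordless login. It stores only
// a public key per user; there is no password or password hash to breach.
type RelyingParty struct {
	keys       map[string]ed25519.PublicKey
	challenges map[string][]byte // one outstanding, single-use challenge per user
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{
		keys:       make(map[string]ed25519.PublicKey),
		challenges: make(map[string][]byte),
	}
}

// Register stores the device's public key for a user (the enrolment step).
func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) {
	rp.keys[user] = pub
}

// Challenge issues a fresh 32-byte random nonce the device must sign.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	if _, ok := rp.keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[user] = c
	return c, nil
}

// Verify checks the signature over the outstanding challenge and consumes it,
// so a captured signature cannot be replayed for a second login.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.keys[user]
	expected, has := rp.challenges[user]
	if !ok || !has {
		return false
	}
	delete(rp.challenges, user) // single use, whether or not it verifies
	if !bytes.Equal(challenge, expected) {
		return false
	}
	return ed25519.Verify(pub, challenge, sig)
}

// Authenticator models the device-side credential. The private key is only
// used after a local user-verification step; the PIN here is a constructed
// stand-in for the device's own PIN or biometric check.
type Authenticator struct {
	priv ed25519.PrivateKey
	pin  string
}

// NewAuthenticator creates a device-bound key pair and returns the public
// half for registration with the relying party.
func NewAuthenticator(pin string) (*Authenticator, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv, pin: pin}, pub, nil
}

// Sign signs the challenge only if local user verification succeeds.
func (a *Authenticator) Sign(pin string, challenge []byte) ([]byte, error) {
	if subtle.ConstantTimeCompare([]byte(pin), []byte(a.pin)) != 1 {
		return nil, errors.New("local user verification failed")
	}
	return ed25519.Sign(a.priv, challenge), nil
}

// Login runs one complete passwordless round trip and reports the outcome.
func Login(rp *RelyingParty, auth *Authenticator, user, pin string) bool {
	challenge, err := rp.Challenge(user)
	if err != nil {
		return false
	}
	sig, err := auth.Sign(pin, challenge)
	if err != nil {
		return false
	}
	return rp.Verify(user, challenge, sig)
}

func main() {
	rp := NewRelyingParty()
	auth, pub, err := NewAuthenticator("1234") // constructed PIN
	if err != nil {
		panic(err)
	}
	rp.Register("alice", pub) // constructed user
	fmt.Println("correct local verification:", Login(rp, auth, "alice", "1234"))
	fmt.Println("failed local verification:  ", Login(rp, auth, "alice", "0000"))
	fmt.Println("unregistered user:          ", Login(rp, auth, "bob", "1234"))
}
```

The two properties worth noticing are the ones the article credits to passwordless methods: the relying party never holds a user secret (a database dump yields only public keys), and the local PIN or biometric check stays on the device, so the server never sees it either. Consuming each challenge on first use is what turns a stolen signature into a dead value.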
Although eliminating passwords from legacy implementations is not always possible, Gartner recommends that organizations prioritize evaluating and implementing more robust passwordless authentication methods. Doing so will improve both security and the user experience.