The cause of breaches has been well-known since the landmark "2017 Verizon Data Breach Investigations Report," which revealed that 81% of hacking-related breaches leveraged stolen and/or weak passwords.
Not much has changed in the past couple of years. Verizon's 2019 report confirms the stolen and/or weak passwords number still comes in at around 80%, with 29% of breaches caused by stolen credentials.
So once again we ask: What will it take to get the industry to move off of passwords? And what's stopping organizations from moving forward?
'Our Best Bet' for Ending Passwords
"Organizations know that too many people use the same passwords over and over again. It's a bad practice, but much of it is because of inertia. There are just too many other things to do," says Rik Turner, a principal analyst at Ovum. "Moving forward, FIDO [Fast Identity Online authentication] is worth a look since it's got many of the big consumer brand names behind it. It's really become the best bet for the future of passwordless authentication."
While it's true the industry has been slow to change, a closer look reveals that much progress has been made in 2019. For example, Microsoft and Google now support the FIDO2 passwordless standard, and Apple has made it clear it intends to support FIDO2 in its Safari browser. In another important move, Apple says iOS 13.3 (likely available early in 2020) will support popular FIDO-compliant authentication devices like the YubiKey.
On the consumer side, companies such as eBay have had their developers build their sites with the WebAuthn FIDO2 spec, which allows for passwordless authentication using biometrics, adds Andrew Shikiar, executive director and CMO of the FIDO Alliance. As of now, Android users running Google Chrome 75 can access eBay by authenticating with either a fingerprint or facial scan, whichever the device supports.
Intuit, which also deployed FIDO passwordless authentication for its mobile services, found its customers successfully authenticated 99.9% of the time, compared to 80% to 85% for text messages. Sign-in time was also reduced by 78%. Shikiar says many more companies will offer passwordless authentication on their websites in the months ahead.
"We're seeing that organizations are realizing that passwords are a liability," he says. "With FIDO, organizations can improve the user experience, increase security, and reduce risk as well as time to authentication."
Matthew Ulery, chief product officer at SecureAuth, says organizations will change based on a combination of four important factors: an important industry peer (e.g., a bank or insurance company) gets breached and they don't want to be the next victim; a new CEO or top executive comes into the organization and dictates that the company will move toward passwordless authentication; an organization realizes it finally has to do something to stop the ability of synthetic IDs to steal passwords; and, finally, customers push for change.
"Customers are pushing back," Ulery says. "It's now so easy to do fingerprint-reading or facial recognition on a smartphone that customers will want to know why they can't move to a passwordless solution."
There's also an economic argument for moving to passwordless authentication. According to Frank Dickson, a program vice president at IDC who covers security issues, employees, on average, call the corporate help desk to reset their passwords up to twice a year. Each call costs between $30 and $40, so right off the bat passwordless authentication can help cut down on costs. In addition, because users are authenticating to applications and not the corporate network with passwordless authentication, companies can reduce calls related to help with their VPNs -- and even eliminate their costs of managing a corporate VPN.
"Companies know they need to go passwordless, but they also need to find the money to do it," Dickson says. "When they realize they can eliminate cost and add security by going passwordless, things will start to move. I expect that 2020 will be a year that much of this comes together."
Companies Gear for New Deployment Round
Chase Cunningham, a principal analyst at Forrester who focuses on security issues, adds that many companies have had bad experiences with some of the evolutionary steps of security technology.
"After organizations were burned by [data loss prevention], many are hesitant to try again," Cunningham says. "In many ways, antiquated processes are a big part of the problem -- the reason why many organizations can't move forward. But the technology has become much easier to both deploy and use."
Cunningham points to MobileIron's Zero Sign-On technology in which the smartphone becomes an authenticator.
"People are used to having a phone in their hands, which is why I think we're going to see a lot more done around passwordless authentication and ease of use," he says.
Brian Foster, senior vice president of product management at MobileIron, points out that the company primarily focuses on the enterprise market, where people access applications to do their jobs. Up until now, even the best single sign-on applications have required a username and password.
With Zero Sign-On, Foster says, users don't sign on to the corporate network with a username and password; they sign on to applications using the passwordless app on their phone. The technology works on both iOS and Android phones, and users can authenticate on a MacBook Pro or Windows machine using their phones.
So it's pretty clear that progress has been made and that security pros are focused on eliminating passwords. An IDG report released this past summer found security leaders estimated they could reduce the risk of breaches by almost half (43%) simply by eliminating passwords. And the vast majority of security pros (86%) said they would eliminate passwords if they could.
"Passwords continue to be a big problem, and phishing is a big problem in the enterprise," says Foster. "We recognize that many organizations are looking for ways to reduce their dependency on passwords."
Shikiar of the FIDO Alliance points out that nobody claims all of these passwordless efforts will completely solve the problem the industry has with hackers and breaches.
"What we're saying is that these massive scalable breaches can be contained," he says. "Hackers will learn to hack through the biometrics, but all the biometrics will be localized on the device. There will be no centralized database where hackers can steal thousands of usernames and passwords."
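To make concrete what Shikiar means by "no centralized database" (and what the WebAuthn/FIDO2 flow eBay's developers built on looks like underneath), here is an added illustration in standard-library Go; it is not code from the article, the FIDO Alliance or any vendor named here. It strips the protocol to its core: the device keeps a private key and signs a server challenge bound to the site after its local biometric check, while the server stores only a public key and a signature counter. Assumptions: Ed25519 stands in for the more common ES256, the raw challenge stands in for clientDataJSON, there is no CBOR or attestation parsing, and the rpID values are placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Credential is everything the server stores per user: a public key and the last counter seen.
type Credential struct {
	Pub     ed25519.PublicKey
	Counter uint32
}
// Register mints a key pair on the device (EdDSA here; ES256 is the more common FIDO2 choice);
// only the public half goes to the server, the private key never leaves the authenticator.
func Register() (ed25519.PrivateKey, *Credential, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return priv, &Credential{Pub: pub}, nil
}
// signedData is the WebAuthn signature input: authenticatorData || SHA-256(clientData).
func signedData(ad, clientData []byte) []byte {
	cdh := sha256.Sum256(clientData)
	return append(append([]byte{}, ad...), cdh[:]...)
}
// Assert is the device side, run after the local biometric or PIN check; counter is the
// device's own increasing signature count and the raw challenge stands in for clientDataJSON.
func Assert(priv ed25519.PrivateKey, counter uint32, rpID string, challenge []byte) (ad, sig []byte) {
	h := sha256.Sum256([]byte(rpID))
	ad = append(h[:], 0x01, 0, 0, 0, 0) // rpIdHash || flags (bit 0: user present) || counter
	binary.BigEndian.PutUint32(ad[33:], counter)
	return ad, ed25519.Sign(priv, signedData(ad, challenge))
}
// Verify is the server side: own rpIdHash, own challenge, a strictly increasing counter
// (clone detection) and a signature that checks out under the stored public key.
func Verify(c *Credential, rpID string, challenge, ad, sig []byte) error {
	h := sha256.Sum256([]byte(rpID))
	switch {
	case len(ad) != 37 || string(ad[:32]) != string(h[:]):
		return errors.New("rpIdHash mismatch: assertion was made for another site")
	case binary.BigEndian.Uint32(ad[33:]) <= c.Counter:
		return errors.New("counter did not increase: replay or cloned authenticator")
	case !ed25519.Verify(c.Pub, signedData(ad, challenge), sig):
		return errors.New("bad signature: wrong key, or not over the challenge we issued")
	}
	c.Counter = binary.BigEndian.Uint32(ad[33:])
	return nil
}
```

A leaked Credential table gives an attacker public keys and counters only, which is why the same replayed or cross-site assertion is rejected while a fresh one from the device verifies.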
Look for several companies to have a passwordless authentication story at the upcoming RSA Conference in February in San Francisco, Shikiar says. The FIDO Alliance also has its Authenticate 2020 show in June that will focus on bringing together industry players to promote and learn more about passwordless authentication.
So will passwordless authentication have a breakthrough in 2020? Don't expect miracles, but do expect it is going to be a major topic of discussion in the year ahead. Organizations may have to slow things down a bit and figure out how they can become less dependent on passwords.