Mega Breaches Are Forcing Us to a Passwordless World. Are We Finally Ready?

Passwordless authentication advocates see 2020 as a potential turning point year for the technology. But can the industry get off the dime?

Companies Gear for New Deployment Round
Chase Cunningham, a principal analyst at Forrester who focuses on security issues, adds that many companies have had bad experiences with some of the evolutionary steps of security technology.

"After organizations were burned by [data loss prevention], many are hesitant to try again," Cunningham says. "In many ways, antiquated processes are a big part of the problem -- the reason why many organizations can't move forward. But the technology has become much easier to both deploy and use."

Cunningham points to MobileIron's Zero Sign-On technology, in which the smartphone becomes an authenticator.

"People are used to having a phone in their hands, which is why I think we're going to see a lot more done around passwordless authentication and ease of use," he says.

Brian Foster, senior vice president of product management at MobileIron, points out that the company primarily focuses on the enterprise market, where people access applications to do their jobs. Up until now, even the best single sign-on applications have required a username and password.

With Zero Sign-On, Foster says, users don't sign on to the corporate network with a username and password; they sign on to applications using the passwordless app on their phone. The technology works on both iOS and Android phones, and users can authenticate on a MacBook Pro or Windows machine using their phones.

So it's pretty clear that progress has been made and that security pros are focused on eliminating passwords. An IDG report released this past summer found security leaders estimated they could reduce the risk of breaches by almost half (43%) simply by eliminating passwords. And the vast majority of security pros (86%) said they would eliminate passwords if they could.

"Passwords continue to be a big problem, and phishing is a big problem in the enterprise," says Foster. "We recognize that many organizations are looking for ways to reduce their dependency on passwords."

Shikiar of the FIDO Alliance points out that nobody claims all of these passwordless efforts will completely solve the problem the industry has with hackers and breaches.

"What we're saying is that these massive scalable breaches can be contained," he says. "Hackers will learn to hack through the biometrics, but all the biometrics will be localized on the device. There will be no centralized database where hackers can steal thousands of usernames and passwords."

Look for several companies to have a passwordless authentication story at the upcoming RSA Conference in February in San Francisco, Shikiar says. The FIDO Alliance also has its Authenticate 2020 show in June that will focus on bringing together industry players to promote and learn more about passwordless authentication.

So will passwordless authentication have a breakthrough in 2020? Don't expect miracles, but do expect it to be a major topic of discussion in the year ahead. Organizations may have to slow things down a bit and figure out how they can become less dependent on passwords.
