Pandemic Could Accelerate Passwordless Authentication

As we celebrate another World Password Day, security pros are hopeful that when we move out of the stay-at-home period, companies will continue to focus on digital technologies - and ditching passwords.

For the past few years on World Password Day we've wondered why we're celebrating passwords at all, given that more than 80% of security breaches are caused by weak passwords and credentials, according to data from the highly regarded Verizon data breach report.

Today, as thousands of companies have been forced to work remotely because of COVID-19 stay-at-home orders, the question this year is whether the pandemic will result in the move to passwordless authentication solutions en masse.

Brad Brooks, CEO of OneLogin, says the COVID-19 work-from-home experience will move many companies forward. But even if they don't deploy new authentication technologies right away, he says, businesspeople recognize that something has to change.

"The COVID-19 period has accelerated digital adoption," Brooks says. "It's like someone jammed the accelerator and jumped into the highest gear."

Frank Dickson, a program vice president who covers security for IDC, says COVID-19 has forced companies to rethink the way they manage network access. VPNs were fine when a small percentage of workers needed to access the network remotely. But with some companies going from a couple of hundred remote workers to more than 10,000 practically overnight, Dickson says it makes no sense to spend five times or more on VPNs.

"If I'm just using Office 365 or Salesforce in the cloud, why do I need VPN access?" Dickson says. "By going with passwordless authentication, I give users a better experience, deliver greater security, and decrease the number of people I have accessing the network. Companies can then use VPNs for the people who really need network access."

Bil Harmer, CISO and chief evangelist at SecureAuth, says people were just waiting for a compelling enough event to focus more on digital technologies and on adopting authentication that doesn't rely on passwords. "When the stay-at-home period is over, people will want to work more from home," Harmer says. "Passwordless is the most secure way to authenticate users at scale."

And TJ Jermoluk, CEO of recently launched Beyond Identity, says moving off passwords has been a top-three objective for CIOs for the past several years.

"Our goal is to make it so passwords are no longer needed. A person can just pick up the phone and start accessing apps," says Jermoluk, who adds that with Beyond Identity's approach, the endpoint device acts as its own X.509 certificate authority. The user's private keys get stored locally and the app executes authentication from the cloud, or via a company's existing single sign-on app.
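The device-bound pattern Jermoluk describes, as an added illustration rather than Beyond Identity's own code: the endpoint generates a key pair, issues itself a self-signed X.509 certificate (the device is its own CA) that gets enrolled with the cloud or SSO service, and later proves possession of the private key by signing a fresh server nonce. The key never leaves the device, so there is no shared secret to phish or brute-force; names and the nonce format are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Device models an endpoint that keeps its private key locally (constructed example, not Beyond Identity's code).
type Device struct {
	Key  *ecdsa.PrivateKey // never leaves the device
	Cert *x509.Certificate // self-signed: the device is its own CA
}

// NewDevice generates a device-bound P-256 key and a self-signed certificate to enroll with the cloud/SSO service.
func NewDevice(name string) (*Device, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true, // the device signs its own certificate
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Device{Key: key, Cert: cert}, nil
}
// SignChallenge signs a fresh server nonce; there is no password to phish or brute-force.
func (d *Device) SignChallenge(nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, d.Key, digest[:])
}
// VerifyLogin is the service side: the signature must verify under the certificate enrolled earlier.
func VerifyLogin(enrolled *x509.Certificate, nonce, sig []byte) error {
	return enrolled.CheckSignature(x509.ECDSAWithSHA256, nonce, sig)
}
```

The service must issue a new random nonce per login attempt; reusing one would let a captured signature be replayed.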

Same Story, New Chapter?

The concept of passwordless authentication isn't new. The business case has been there for several years: according to Gartner, between 20% and 50% of all help desk calls are for password resets, while Forrester Research's oft-quoted stat says that the average help desk labor cost for a single password reset is about $70.

Jermoluk says by automating password resets, companies can save on help desk costs, plus pour some of that money into automated help desk applications.

OneLogin's Brooks points out it also puts businesses on a path to automating the onboarding of new users and letting them access apps without passwords. The problem in the past was that many business processes couldn't operate remotely without running them through the VPN. But as companies move more applications out to the cloud, they are less tied to VPNs and can then opt to deploy passwordless authentication.

There are also two other important benefits: compliance and the ability to use any device. Passwordless systems from companies such as Beyond Identity, OneLogin, and SecureAuth let users authenticate via fingerprint or facial recognition. They collect detailed user data such as device, location, time, application, and purpose. All of this data helps organizations comply with regulations such as the General Data Protection Regulation (GDPR) and California's Consumer Privacy Act. And with passwordless authentication, workers are free to use their own devices because there's a secure connection between the application and the device.

"Passwordless authentication is also more secure," says Brooks. "Brute force attacks don't work and phishing attacks are more difficult to do." 

Interestingly, recent research shows some contradictions in how users perceive biometrics and passwordless options. SecureAuth released a report this week that found while only one in three consumers are comfortable sharing their biometric data, a full 51% say they are already using biometrics. Some of the leading applications include phone login, computer login and using a TSA ID at the airport.

"I've been using the TSA ID at the airport for some time," says SecureAuth's Harmer. "A lot of people can expense the app at work, but I've seen across the board that you can convince people to use biometrics." 

Eliminating the need for passwords may come as more companies realize the inherent weakness of running their systems on passwords. OneLogin reports today that nearly 1 in 5 respondents in its global survey have shared their work device password with either their spouse or child, potentially exposing corporate data.

Francois Lasnier, vice president of access management at Thales, adds that companies need to think of passwordless authentication as the starting point. Organizations need to move to what he calls "modern access management," where identity management systems make use of all the metadata on a device to decide whether to grant a device access.

"When a user asks for access, the system can either grant access, deny access, or trigger a second factor of authentication where the user has to prove who they say they are."

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Reader comment, 5/17/2020 | 7:20:51 AM
True cost of passwords and the future of the passwordless enterprise
Such an important piece! We have been investigating and writing about the poor use of passwords on our blog. Adding to the above: according to Forrester, 25% to 40% of all help desk calls are due to password problems or resets, which ends up being an extremely costly problem, as organizations end up paying twice – for the lost productivity time of the forgetful employee, as well as for the time of the support desk staff. In 2017, in a single month, Microsoft had to reset 686,000 passwords for employees, resulting in support expenses of over $12 million! At Secret Double Octopus we recognised the problem years ago and are eliminating passwords across the organization with an easy and friendly biometric mobile authentication.