Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Edge Articles

12:00 PM
Steve Zurier
Steve Zurier
Edge Articles
Connect Directly

Mega Breaches Are Forcing Us to a Passwordless World. Are We Finally Ready?

Passwordless authentication advocates see 2020 as a potential turning point year for the technology. But can the industry get off the dime?

Companies Gear for New Deployment Round
Chase Cunningham, a principal analyst at Forrester who focuses on security issues, adds that many companies have had bad experiences with some of the evolutionary steps of security technology.

"After organizations were burned by [data loss prevention], many are hesitant to try again," Cunningham says. "In many ways, antiquated processes are a big part of the problem -- the reason why many organizations can't move forward. But the technology has become much easier to both deploy and use."

Cunningham points to MobileIron's Zero Sign-On technology in which the smartphone becomes an authenticator.

"People are used to having a phone in their hands, which is why I think we're going to see a lot more done around passwordless authentication and ease of use," he says.

Brian Foster, senior vice president of product management at MobileIron, points out that the company primarily focuses on the enterprise market where people access applications to do their jobs. Up until now, even the best single sign-on applications require a user name and password.

With Zero Sign-On, Foster says, users don't sign on to the corporate network with a username and password; they sign on to applications using the passwordless app on their phone. The technology works on both iOS and Android phones, and users can authenticate on a MacBook Pro or Windows machine using their phones.

So it's pretty clear that progress has been made and that security pros are focused on eliminating passwords. An IDG report released this past summer found security leaders estimated they could reduce the risk of breaches by almost half (43%) simply by eliminating passwords. And the vast majority of security pros (86%) said they would eliminate passwords if they could.

"Passwords continue to be a big problem, and phishing is a big problem in the enterprise," says Foster. "We recognize that many organizations are looking for ways to reduce their dependency on passwords."

Shikiar of the FIDO Alliance points out that nobody claims all of these passwordless efforts will completely solve the problem the industry has with hackers and breaches.

"What we're saying is that these massive scalable breaches can be contained," he says. "Hackers will learn to hack through the biometrics, but all the biometrics will be localized on the device. There will be no centralized database where hackers can steal thousands of usernames and passwords."

Look for several companies to have a passwordless authentication story at the upcoming RSA Conference in February in San Francisco, Shikiar says. The FIDO Alliance also has its Authenticate 2020 show in June that will focus on bringing together industry players to promote and learn more about passwordless authentication.

So will passwordless authentication have a breakthrough in 2020? Don't expect miracles, but do expect it is going to be a major topic of discussion in the year ahead. Organizations may have to slow things down a bit and figure out how they can become less dependent on passwords.

Related Content: 


Steve Zurier has more than 30 years of journalism and publishing experience and has covered networking, security, and IT as a writer and editor since 1992. Steve is based in Columbia, Md. View Full Bio
2 of 2

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Strategist
12/6/2019 | 1:48:41 PM
Passwordless Login
FIDO is great, but more options are better!

Steve Gibson's (software) implementation of secure, quick, reliable login at grc dot com is THE answer for passwordless login IMHO and is currently being vetted by Google engineers last I heard (and other entities) for its security implementation, ease of use, and robust feature set. Check it out here: