Passwordless authentication can be an effective option, though introducing such a method poses its own challenges, says LastPass.
Let's face it, everyone hates passwords. Users hate having to create, remember, and constantly enter passwords. And IT and support people hate having to manage and enforce passwords for their users. For now, passwords are a necessary evil, but that doesn't mean you can't explore alternatives. A report published Thursday by password manager LastPass looks at the pitfalls of passwords and the pros and cons of passwordless options.
Based on a survey of 750 IT and security professionals, the report "From Passwords to Passwordless" found that just 18% of the respondents said that their organization's current identity and access management solution is fully secure and doesn't require any improvement. The majority (70%) said they consider their existing solution to be relatively secure but still in need of some improvement.
Whether or not their current solution is working, most of those surveyed agreed that there are definite challenges and risks to relying on passwords. Asked to cite the biggest challenges, more than half of the respondents said it was employees who use the same passwords across applications, 49% pointed to users who forget their passwords, and 45% referred to the time spent on password management. On average, IT personnel spend 4.5 hours a week managing user passwords.
Other challenges included users sharing their credentials, the cost of password management, lost or stolen employee credentials, and the lack of secure password management.
As for the risks, more than half of the respondents said they don't believe passwords are always secure. Among the biggest causes of potential threats, password reuse was cited by 67% of those surveyed. The use of weak passwords, the possibility of leaking company data, social media hacking, and not changing default passwords were also mentioned as triggers for security threats.
Of course, employees face their own challenges trying to manage and maintain passwords. The three biggest user frustrations reported by respondents were the need to regularly change passwords, trying to remember multiple passwords, and typing long and complex passwords. Other password-related tasks that annoy employees included the need to type a password for every application, forgetting their own passwords, and not having a secure way to manage their passwords.
As a result, 85% of the respondents believe their organization should try to reduce the number of passwords used on a daily basis. That goal can be achieved through the use of passwordless authentication, a process that can alleviate the burden of passwords but presents its own set of challenges.
In the report, LastPass pointed to three types of passwordless authentication:
- Biometric authentication. This allows employees to securely authenticate their identity without having to type a password just by using their face or fingerprint.
- Single sign-on (SSO). This requires only one set of credentials to access everything, eliminating the need for employees to use multiple passwords.
- Federated identity. This integrates with an existing IT ecosystem and user directory login details, requiring employees to use just one password to unlock and access their work.
In general, passwordless authentication can provide several benefits over traditional passwords. Some 69% of those surveyed believe this method increases security, 58% said they feel it eliminates risk, and 54% said they feel it saves time. Respondents also said they believe it helps them gain more control and visibility into their security and that it can cut costs.
Passwordless authentication offers key benefits for employees as well. Some 65% of those surveyed said it provides a quicker authentication method, 57% said it means fewer passwords for employees to remember, and 53% cited the convenience of being able to access secure systems from anywhere. Other potential advantages for employees are streamlined access to multiple applications at once, not having to update passwords as often, and not worrying about password breaches.
Of course, implementing a passwordless authentication system throughout an organization comes with its own unique obstacles. The biggest challenge cited in the survey was the initial financial investment. Another challenge centered around regulations concerning the storage of secure data. A third was the time involved in transitioning to such a system.
Respondents also pointed to other obstacles, including a resistance to change from employees, a lack of skills and knowledge, a resistance to change from the IT department, the notion that passwords will never truly be eliminated, a sense of fear from changing what is already known, and the complications involved in implementing such a system.
Even with the increased use of passwordless authentication, 85% of the respondents agreed that passwords aren't going away anytime soon. As such, the same percentage sees the need for a combination of passwordless authentication and password management.
"Passwordless reduces the need for employees to type a password upon login, making their experience much more streamlined and allowing them to focus on their work," the report stated. "However, passwords will still be used in some way throughout the business, and these will still need to be managed securely and efficiently. It's therefore critical that, alongside the implementation of a passwordless authentication model, a simple and efficient password management solution is also put in place."
Commissioned by LastPass owner LogMeIn and conducted by market research specialist Vanson Bourne, the survey elicited feedback from 750 IT and security professionals ranging from CIOs and CISOs to IT managers and analysts. Interviewed in April and May 2020, the respondents came from different private and public sectors across the US, UK, France, Germany, Australia, and Singapore.