It’s no secret that credential theft remains a primary attack vector for cybercriminals. According to the FBI’s 2019 Internet Crime Report, phishing was the most widely reported cybercrime last year. Recently, we’ve seen a sharp uptick in the number of phishing attempts that leveraged the paranoia surrounding COVID-19 (coronavirus). The bitter truth is that legacy authentication via passwords is obsolete, and maintaining the technology in the face of ever savvier cybercriminals is a critical security threat.

In a two-part study released this week, my colleague Andras Cser and I examined the road to passwordless authentication for employees and consumers. Although a wide array of exploits, from password spray to credential stuffing to keystroke logging, exploit the inherent weaknesses found in password-centric authentication practices, many barriers conspire to keep organizations from killing the password once and for all. Complex and evolving IT environments, legacy compliance protocols relying on passwords, and the demand for a consistent user experience for consumers and business partners alike remain some of the most common barriers to change. My research into this area suggests that 70% of organizations today still rely on a password-centric authentication approach.

Fortunately, there is a light at the end of this multi-decade tunnel. There are a wide array of technologies that augment an organization’s identity and access management security posture and help get the organization from a password-centric authentication platform to a layered authentication approach. In the layered authentication stage, passwords are used in tandem with such technologies as two-factor authentication, single sign-on, and biometrics, which allow security practitioners to better position themselves to fully embrace a passwordless approach. The journey from password-centric to passwordless is a multi-year journey. Success depends on low-friction user experience, effective training, and a strategy for migrating user populations and target systems over time. We encourage security leaders to check out our latest research, as well as our work exploring the Zero Trust framework at large, for a deeper dive into how to develop an effective passwordless authentication strategy and what common pitfalls to avoid along the way.

 

(Written with Benjamin Corey, research associate at Forrester)