Passwordless technologies have been a big focus of software providers, as they are designed to eliminate passwords and, with them, a gigantic attack vector. By many metrics, account credentials are the most vulnerable and unsecure part of an organization’s IT infrastructure, with cyberattacks continuing to rely on phishing campaigns and brute force attacks to find their way into a victim’s environment.
According to Microsoft, the company tracked nearly 1,300 password attacks every second last year, with phishing attacks rising 61% from 2021 to 2022. Data for 2023 shows that this trend is continuing. As the saying goes, hackers don’t break in–they log in.
World Password Day, historically held on the first Thursday of every May, is there to remind us of these facts and to urge us to be smart about our credentials and password habits. These recommendations typically include things like not reusing passwords across accounts, creating complex passwords, and not storing them in a Word document.
Now, tools like password managers and multi-factor authentication are essentially a must-have technology for all organizations, let alone ones that take security seriously. However, organizations need to start taking their cues from tech providers such as Microsoft and Google, who are clearly moving away from this inherently unsecure and soon-to-be archaic process with new passwordless solutions.
Without a password to steal, attackers will have to find other, more difficult ways in.
Passwordless technology on the rise
Microsoft already makes it possible to access accounts without a password via the Microsoft Authenticator app, Windows Hello, a security key or verification code. Similarly, Google is beginning to roll out passkeys across Google Accounts on all major platforms.
Data suggests that many organizations are beginning to move towards those more secure authentication methods. According to new research from password management company Bitwarden, 49% of IT decision makers say their organization is deploying or has plans to deploy passwordless technology, with a majority relying on biometrics such as facial recognition, fingerprints or voice to authenticate.
In a recent virtual panel moderated by Jon McLachlan, host of the Security Podcast of Silicon Valley and chief security officer at CoinRoutes, Bitwarden CEO Michael Crandell says passwordless technologies such as passkeys are clearly the way of the future, but adoption is currently relatively low.
However, password managers exist to fill that gap and help organizations and their end users transition to the passwordless future, Crandell says.
“I think they’ve often not been shown a better way, either in terms of what’s happening with passwordless moving forward into the future, but also what they can do today,” Crandell says.
Passwordless adoption will take time
One of the most challenging things about IT is convincing users to do things differently, with passwords as the prime example. For some users, setting up and using multifactor authentication or password managers is cumbersome and impacts their experience and convenience.
However, organizations need to begin to nudge people in the passwordless direction, says Cliff Steinhauer, director of information security at the National Cybersecurity Alliance, who also joined the panel discussion.
Some consumer-facing sites now offer what they call passwordless sign-in, which is essentially a form of multifactor authentication that sends the user a text message.
“That is a good way to start to push people in that direction,” Steinhauer says. “This is going to take a lot of education and a lot of back-end adoption.”
Carla Roncato, vice president of identity at WatchGuard Technologies, echoes a similar sentiment about password security and the potential of passwordless solutions.
“Even with companies like Microsoft, Apple, and Google announcing support for password-less authentication solutions, it will take many more years for applications, services, and systems to adopt and modernize to the new protocols.”
In the meantime, organizations should adopt what have become the low-hanging fruit of identity security: multi-factor authentication and password management solutions, Roncato says.
“Hopefully someday–in our galaxy, in the not-too-distant future–we can look back in wonder (and maybe even a little confusion) at how we’d ever commemorated a World Password Day at all,” Roncato says in a nod to Star Wars Day, as well as World Password Day.