According to IBM, compromised credentials are the most common initial attack vector. They represent 20% of all breaches and cost a whopping $4.37 million on average. It’s no wonder that companies of all sizes are rethinking their cybersecurity strategy.
One of the most popular solutions to this complex, thorny problem is passwordless authentication. Replicating possession or biometric factors is a lot harder than guessing passwords that people reuse over and over. And with no credentials to steal, cyberattackers have a much more difficult hill to climb.
With so much risk inherent in traditional passwords, why hasn’t every company embraced passwordless authentication with open arms? Well, saying you want to implement passwordless authentication and doing it are two very different things. This piece covers several realistic challenges of passwordless authentication and the benefits it confers in terms of security, convenience, and overall user experience.
The Challenges of Passwordless Authentication
Besides the cost, there are some threats that not even passwordless authentication can counteract, not to mention stakeholders who are resistant to change. Below, we’ll discuss each of the most common challenges IT teams face when attempting to use passwordless authentication in their organization.
Deployment Cost and Effort
Passwordless authentication doesn’t happen with the flip of a switch. It requires an in-depth, step-by-step plan to implement new software or hardware and to train employees. Coming up with a project and change management plan and executing that plan takes time away from other tasks or strategic projects.
Passwordless authentication deployments also cost money. If you go the hardware route, you have to buy devices, tokens, or cards for each employee, as well as replacements in case of future damage or loss. Software can be a cheaper option, but there are hidden costs you need to budget for, like administration, migration, and maintenance.
Security Limitations
Passwordless authentication with FIDO2 is substantially better than conventional password-based schemes, but it is not a silver bullet. Even with passwordless authentication, malware, man-in-the-browser, and other attacks are possible. For example, hackers can install malware specifically designed to intercept one-time passcodes (OTPs). Or, they could insert trojans into web browsers to intercept shared data like one-time passcodes or magic links.
Attackers have even replicated voice recordings or other biometric features. That said, these attacks are limited by the authentication factor(s) that you choose. And combining several authentication factors with multi-factor authentication (MFA) offers even more robust security.
End-User Skepticism
People are stuck in their ways. They are accustomed to using passwords, especially ones that are easy to remember. It’s now second nature to change passwords every 30 days, store them in our browser, and use autofill functionality to log in. This makes it difficult to conceptualize a passwordless world, and many people are suspicious of its efficacy. Plus, learning new technology, setting up new devices, and enrolling biometric authentication factors can be frustrating enough, let alone using those new authentication factors for every login session.
But we’ve been exposed to enough cyberattacks to know by now that the status quo doesn’t cut it. So, even if it takes people a bit longer to get on board with passwordless authentication, the protection it provides is worth the effort.
The Benefits of Passwordless Authentication
So is all the time and planning and convincing that goes into implementing passwordless authentication worth it? The short answer is yes. Let’s examine several reasons why.
Stronger Cybersecurity Posture
The passwords we use today simply aren’t a strong barrier to attackers. For example, many employees use the same password for multiple applications. If just one of these passwords is breached (phishing), leaked (lists on the dark web), or stolen (malware), there is a very high chance cyberattackers will gain access to several accounts and obtain confidential IP, financial, or client data. From there, they can also spy on internal messages, carry out financial fraud, write nasty social media posts from your company’s profile, gain access to the organization’s network, and divulge trade secrets.
Passwordless authentication rids users of a password altogether, immediately offering protection against two of the most dangerous and prevalent cyberattacks: phishing and password theft (also known as brute force attacks). Even if employees receive phishing emails or text messages, there are no credentials to offer up. Brute force attacks are no longer possible either: there are no pairs of usernames and passwords to steal. And trying to forge OTPs, unique links, push notifications, or fingerprints to authenticate is extremely difficult. Deploying passwordless authentication tools on your organization’s applications, office devices, and website greatly improves your security posture.
Greater Productivity and Better User Experience
At a certain point, generating and memorizing hundreds of passwords is unsustainable. And when an employee forgets their password, the process of resetting it is often clunky. So it’s no surprise that employees use the easiest password they can remember, use the same password for every tool, or just add a number or a special character when they are asked to change it each month. With passwordless authentication in place, users no longer have to create passwords or remember them by heart. Instead, they can authenticate using their email, phone, or face.
A quick, convenient login experience allows employees to dedicate the time they would’ve spent brainstorming or resetting passwords on other, more productive tasks. Implementing passwordless authentication can also improve the customer experience. Oftentimes, customers are prompted to log into your website if they have an account. Embedding passwordless authentication can lessen the chances of abandoned shopping carts or hacked instances of your platform.
Reduced Long-Term Costs
Take a moment to think about how much your company spends on password management and storage. Add in the time IT spends resetting passwords and responding to constantly changing password storage laws. Forrester reports that U.S.-based organizations allocate over $1 million annually just for password-related support costs. Now, combine that with the time and effort dedicated to identifying and combating password leaks, and you’ve got a hefty annual cost that only continues to grow over time. Passwordless authentication eliminates all of these costs. No more storing passwords, resetting forgotten ones, and no more losing sleep over new compliance laws.
Move Toward Passwordless Authentication with Multi-Factor Authentication
Passwordless authentication is a big leap for most companies. Implementing passwordless authentication takes time, stakeholder buy-in, and financial resources. That’s why many companies are turning to passwordless MFA factors as the first phase of their passwordless journey.
Implementing multi-factor authentication safeguards access to applications, devices, and networks through an easy-to-use authenticator app. JumpCloud’s MFA solution is particularly flexible, with push-to-verify, time-based one-time passwords (TOTP), U2F keys, or in-device biometric options. The best part is that IT can enforce or relax multi-factor authentication requirements based on whether users are in-network, on a trusted device, or in a specific location, enabling more seamless adoption. Even better, all you need to do is activate MFA in JumpCloud’s admin portal, and it works across all of the applications you have already configured.
Head to the JumpCloud MFA product page to learn more about our capabilities.