How to Improve Security and Usability with Passwordless Authentication
Enterprises have traditionally relied on passwords to log their employees into their accounts and services—but the practice is coming under increased scrutiny due to more modern and secure passwordless alternatives.
In a previous post, we explored how businesses can adopt passwordless authentication through alternatives like factor sequencing, WebAuthn, and more.
This post will dig into the challenges that passwords pose to your employees and IT admins, as well as the benefits that come with retiring them. By providing better security and ease of use for your end users—and reduced time commitments for your IT admins—passwordless authentication is a clear next step for modernizing your organization.
Passwords are a thorn in our side
Within a company’s workforce, password use has widespread negative security and usability impacts for both IT admins and end-users alike. Here are some of the typical challenges that these stakeholders experience.
Admin issues
Passwords remain a major attack vector for enterprises. In 2018, 81% of hacking-related breaches capitalized on weak, stolen, or reused passwords. That hasn't stopped the workforce from practicing poor password hygiene: Okta's Passwordless Future Report found that 34% of employees reuse the same password across multiple accounts and 26% write their passwords down on paper.
Capitalizing on password reuse, hackers can conduct credential stuffing attacks where they use compromised account credentials to try to access other apps and services—and the sensitive data they host—en masse. Alongside an average cost to the company of $3.92 million, data breaches put a heavy burden on IT and security admins who have to work reactively to remedy the situation and better secure their infrastructure.
To compensate for the weakness of passwords, many IT admins feel pressured to layer on secondary factors such as one-time passwords (OTPs) or biometrics. Where this adds friction to the login experience it creates tension between IT and employees, and an OTP typed into a web form can be phished right alongside the password, so the extra step buys less protection than it appears to.
Using passwords also means a constant stream of employee password reset requests, each of which can take up to four minutes of IT admin time, roughly $70 apiece. For organizations with thousands of employees across multiple time zones, this is cumbersome and expensive to manage.
End-user issues
Alongside the impacts on security and IT admin time, password use can also severely disrupt the experience of end users. According to our Passwordless Future Report, almost 50% of employees feel annoyed or hassled by having to enter passwords. That is no surprise when the average American internet user has at least 150 online accounts that require a password, a figure projected to climb to 300 accounts by 2020. Added to that, forgotten login details leave 37% of employees locked out of their accounts, and 19% report delays in their work as a result.
With the rise of sophisticated digital applications, users have become accustomed to enjoying seamless customer experiences, without any barriers—and they now expect that same level of service within the workplace. Remembering multiple passwords gets in the way of that seamless experience, making it more likely for them to reuse the same ones across different services and increasing the risk of credential stuffing attacks.
How going passwordless can help
Moving to passwordless authentication can help businesses counter these security and usability issues in a number of ways.
Admin benefits
To start, passwordless authentication methods like WebAuthn and mobile authenticators are far more secure than traditional login credentials and help IT admins improve their security posture. In particular, FIDO2 factors like Android fingerprint and Windows Hello are phishing-resistant: the authenticator signs a server-issued challenge together with the origin and relying-party ID that the browser itself reports, so an assertion produced on a look-alike domain cannot be relayed to the real service, and there is no shared secret for a fake login page to capture. That keeps bad actors locked out of your systems even when an employee is fooled.
Moving to possession-based factors also makes password sharing among employees practically impossible, increasing the likelihood that login attempts are legitimate, and not an attack on the organization.
By retiring passwords, IT teams can better future-proof their systems, staying ahead of the curve when it comes to security threats. This approach to authentication also lowers the total cost of ownership for IT by reducing the number of password setups and resets, freeing the team to focus on core tasks.
End-user benefits
By not having to remember and constantly update passwords for their tens (if not hundreds) of accounts, employees get a noticeably better user experience. Logging in becomes a single gesture rather than a recall exercise, and the frustration that comes with periodic password rotation policies disappears with the passwords themselves.
As an added bonus, the workforce can more actively contribute to keeping the organization, and their own data, secure. Because a WebAuthn login is a signed, single-use challenge bound to the legitimate origin, it resists credential phishing, man-in-the-middle relay, and replay attacks in a way that a password or OTP cannot. Even malware running inside the browser (a man-in-the-browser) finds no reusable credential to extract; the caveat is that it can still act on the session it observes, so passwordless authentication hardens the login step and complements, rather than replaces, endpoint and session controls.
A vision of a passwordless future
Although passwordless authentication is still being refined, it is already helping organizations get the best of both worlds—secure logins combined with a seamless end-user experience. Companies that want to avoid being relics in today’s cybersecurity landscape need to consider leaving passwords in the past and embracing a passwordless future. Let us show you how.
To understand how Okta can secure your enterprise by going passwordless, download our How to Go Passwordless with Okta whitepaper.
For any additional information on passwordless authentication check out the following materials:
- What is Passwordless Authentication? - Blog Post
- Passwordless Authentication: Where to Start - Blog Post
- Is Passwordless Authentication Actually Secure? - Blog Post
- The Passwordless Future Report - Report
- Move Beyond Passwords - Whitepaper