Traditional authentication methods aren’t working. With the availability of cheap cloud GPUs to crack passwords and tens of billions of known accounts/passwords, it’s clear that passwords aren’t secure. MFA hasn’t been a viable replacement as it’s susceptible to social engineering, phishing, and other attacks while introducing user friction and degrading the user experience.
Successful attacks are cultivating the need for a new authentication method. Recent prominent MFA-based breaches and friction in the end-user experience have reached the ears of app developers, IT, and cybersecurity leadership. Organizations are now searching for alternative methods to address the risks and challenges of MFA and password-based authentication.
IAM vendors need to demystify passwordless authentication. While the concept has received tremendous publicity as a panacea, organizations struggle to understand which passwordless methods are the best fit for different use cases. Passwordless vendors are jockeying to differentiate themselves in this crowded space to demonstrate they’re the best fit for prospective customers.
To gain insights into the authentication landscape generally and the evolution of passwordless technology specifically, TechTarget’s Enterprise Strategy Group surveyed 377 IT, cybersecurity, and application development professionals responsible for identity and access management programs, projects, processes, solutions, and services in North America.
This study sought to answer the following questions:
- What priority level do organizations assign to their practices for authenticating workforce and customer identities?
- Approximately what percentage of organizations’ workforce and customer identities are believed to be insufficiently secured?
- Do organizations make multifactor authentication mandatory for their workforce?
- How are organizations prioritizing the use of passwordless authentication methods for their workforce and customers relative to other areas of identity?
- What types of passwordless solutions do organizations currently use for their customers?
- How confident are organizations in their ability to detect a session with an attacker using a compromised account versus a session with a real user?
- Have organizations experienced any account or credential compromises in the last 12 months? Approximately how many times has this happened?
- What contributed to the compromise of organizations’ accounts or credentials? Have any of the compromised accounts or credentials over the last 12 months led to a successful cybersecurity attack?
- Relative to other areas of identity and access management, how do organizations expect their spending on authentication to change, if at all, over the next 12 months?
- With respect to any increase in spending on authentication, in which areas do organizations expect most of this investment to go in the next 12 months?
Survey participants represented a wide range of industries including manufacturing, technology, financial services, and retail/wholesale. For more details, please see the Research Methodology and Respondent Demographics sections of this report.