Missteps involving knowledge-based authentication methods, such as passwords, continue to plague companies. Verizon's "2021 Data Breach Investigations Report" found compromised credentials were involved in 61% of breaches. It's time to seriously question their viability.
It's no surprise, then, that passwordless authentication conversations are heating up. Nearly 70% of respondents to a 2021 Forrester Research survey said they were in early-stage adoption, doing proofs of concepts and pilots, as well as rolling passwordless out to specific user groups, said Sean Ryan, analyst at Forrester Research.
A passwordless future has been a goal for a while -- is 2022 the year it will happen? Industry analysts shared their insights and predictions.
Is passwordless ready for prime time?
One sentiment shared by industry analysts and vendors is that passwordless adoption will be a time-consuming, slow journey. Employees will see a gradual reduction in use of passwords as more vendors add more authentication options into applications.
Here, analysts explained what a journey toward passwordless may look like over the coming years and offered four predictions on how to get started and what to expect.
1. Start with multifactor authentication
Thanks to an increase in multifactor authentication (MFA) adoption, a "passive password world" is coming, Ryan said. To start on the path to passwordless, organizations should implement two-factor authentication, which uses passwords as a starting point and a nonpassword authentication method as a second factor. From there, make the move to MFA. This helps users get used to the passwordless experience before making a full transition. It teaches employees how biometrics, smart cards and other passwordless methods work, in turn reducing friction during future full-passwordless onboarding processes.
Large vendors pushing MFA can also help educate users about its benefits, said David Mahdi, analyst at Gartner. Google, for example, is making MFA mandatory for account holders, and Microsoft added passwordless capabilities to Azure Active Directory.
2. Focus on zero trust
The push for passwordless makes zero-trust architecture adoption a logical first step for companies.
"One way to start passwordless for most organizations is to migrate to a zero-trust model with stronger multifactor authentication," said Tauseef Ghazi, principal and national leader for security and privacy risk services at RSM US. Zero trust can not only help companies prevent username/password impersonation, but also ensure people connecting to their systems are who they say they are.
Zero trust also help companies better accommodate identity management for employees accessing corporate resources from outside the network. A zero-trust model focuses on establishing whether users and devices can be trusted. It can provide continuous authentication and help lower dependence on knowledge-based authentication factors that are easily spoofed.
3. Consider behavioral biometrics
Another identification measure helping enterprises embrace continuous authentication and passwordless is behavioral biometrics.
"Behavioral biometrics are getting scary good," Mahdi said.
Using factors such as location, gait and device use, behavioral metrics distinguish between legitimate users and impersonators using a risk score. If an activity raises the risk score above a certain threshold, users are prompted for additional authentication factors, such as a one-time password or facial recognition.
"Behavioral biometrics gives a more holistic picture of the situation when developing a risk score and comparing it against what you want authentication for," Mahdi added.
Beyond providing a path to passwordless, behavioral biometrics also offers continuous verification for the duration a user is logged in to a workstation.
4. Expect a multiple-vendor deployment
Passwordless is in its nascent stage. "Vendors are just getting to the point where products are out in the market, but they're still relatively new," Ryan said.
Few vendors can accommodate every passwordless use case at a company. Some companies may only need one vendor if a single use case calls for passwordless. If a company uses mostly Windows devices, for example, it could implement Windows Hello for Business. However, if more than one use case must be adopted, this becomes less viable -- for example, if a company deploys Windows and macOS devices.
Organizations should expect to adopt multiple vendors if a wider rollout is desired. The day may come when one vendor can do everything, but it's not anytime soon.
"It's going to be fragmented for a while," Ryan said. "There will be a lot of experimentation and lots of multiple authentication options tried out." Companies can look to identity providers for passwordless options. Specialists are also beginning to release products capable of handling more diverse use cases.
Will passwords ever completely disappear?
Opinions remain mixed about the fate of passwords, but optimism for a password-free enterprise remains.
Passwords will erode over time, Mahdi predicted, largely with the help of vendors such as Google and Microsoft making big investments in passwordless.
Others can see password use diminishing but not altogether done with.
"If you look back at technology 20 years ago, people would have told you then what we have accomplished today is impossible to do," Ghazi said. "That said, passwords won't all be dead. Even on an authenticator, you need a PIN. And legacy systems have them, too."
Day-to-day password use will likely go away, Ryan agreed, but not passwords completely. "Maybe we'll reach a maturity level where passwordless is the experience for the front end. In the back end, there will still be passwords so legacy tech can still talk to each other," he said.