Unlocking the future: how passwords are evolving to keep you safe
Alex FitzGerald
In the three minutes it will take for you to read this blog post, over 230 thousand passwords will be compromised. According to data tracked by Microsoft, 1287 password attacks occur every second (more than 111 million per day).
Attacks have been increasing for years despite the additional layers of security many organizations have implemented to prevent password compromise.
Here are some examples:
- Compliance requirements for multi-character, complex passwords have increased, making them difficult to remember.
- Organizations have implemented OTP verifications and push notifications, but attackers have adopted automated, scalable phishing techniques to compromise them.
- Meanwhile, people are tired of constant prompts to verify their identity through Multi-Factor Authentication.
Workplaces need authentication solutions that are both usable and secure.
But are these pressures sufficient to finally kill the password?
To adapt an infamous quote, reports of the death of the password appear to have been greatly exaggerated. Workplace passwords aren’t dead but are evolving into something new.
Going passwordless doesn’t make the priority list for companies right now, perhaps due to competing initiatives and changing economic conditions. Most customers we speak to say they’ve already started the transition to passwordless authentication. Most anticipate that they won’t begin the transition for at least a year, with some saying three to four years.
Legacy technology and processes are holding back the race to passwordless authentication
Compared to consumer technology, workplaces have more complex requirements and decision-making processes tied to password-based practices.
IT and cyber decision-makers say they must consider not just the cost of purchasing new tech, but also the change management aspects of technology and process adoption, especially as their organizations grow.
- Companies prioritize having a consistent process across the entire organization.
- Legacy systems and applications may lack the necessary infrastructure or APIs to integrate with modern passwordless solutions.
- Synchronization problems are real. With users bringing their own devices, it may be difficult to verify identities for users across systems.
In addition, companies worry about changing authentication processes for machine identities, which is more risky than authenticating individuals. Machine identities and service accounts often rely on passwords and other poorly understood or documented authentication mechanisms. If one of those mechanisms breaks due to a change in the authentication process, critical business operations may fail.
The difference between passwordless experience and passwordless implementation
Our customers tell us they have a clearer picture of the passwordless experience than how they will proceed with passwordless implementation.
With a passwordless experience, even if users aren’t required to enter a password, the mechanics of password authentication are still happening behind the scenes.
Full passwordless implementation, in which the authentication system doesn’t maintain any shared secret at all, is much more difficult to achieve. When it comes to technical implementation, many potential technical solutions are vying to replace or supplement the traditional password.
FIDO2-based passkeys are the technical solution heralded by consumer tech giants. As consumer technology brands and the FIDO Alliance create demand for passwordless authentication, companies are bound to hear that employees expect the same type of seamless experience at work.
Most IT and cyber leaders we've spoken to expect that biometrics, such as fingerprint recognition, facial recognition, and even behavioral biometrics (e.g., typing patterns), will be critical moving forward.
What will the future look like for passwords?
The good news is organizations are already taking measures to reduce the risks related to poor password management. Our customers tell us they have multiple solutions in place, with Privileged Access Management (PAM) leading the way.
Our customers tell us they are also hungry to know the signs of a potential attack so they can step in to prevent it. They see AI as a necessary tool to defend passwords and other credentials.
See what 300 IT and cyber leaders had to say about passwords
Download the complete survey—Passwords and Passwordless Authentication Survey Report—to get all the details. Insights and expert advice in this report will help you prepare your organization’s technology ecosystem and workforce for the password evolution.