Passwords are inherently insecure, and adding multifactor authentication can help compensate, but ultimately organizations should be aiming to eliminate the password altogether: strong password policies are difficult to enforce, passwords are easily compromised, and they are costly in terms of management, password resets, and lost productivity.
Adopting multi-factor authentication (MFA) can immediately enable stronger authentication to reduce cybercrime, but it should be regarded as a short-term improvement over passwords alone, with the ultimate goal being truly passwordless authentication.
It could be argued that with the migration to cloud and increased remote working, it is critical for organizations to adopt passwordless authentication, because traditional MFA systems typically involve the use of a password, and are therefore inherently vulnerable.
Fortunately, going passwordless is becoming easier due to the development of new authentication standards and personal computing devices capable of creating and storing biometric data locally in secure enclaves such as Trusted Platform Modules (TPMs).
MFA does, however, offer multiple layers of authentication. For this reason, IT and security practitioners at organizations that require high levels of identity assurance are looking to move their organizations to passwordless MFA, removing the weaknesses of passwords while retaining the value of multiple levels of authentication.
The modern enterprise finally has ways of combining passwordless and multifactor authentication: the user unlocks the device with a facial or fingerprint scan, and the device then authenticates to other systems and services using cryptographic keys securely stored on it. No passwords need to be created, no huge databases of passwords or password hashes need to be maintained, and no password ever travels over any network.
This approach is a strong form of authentication because it combines multiple factors, such as biometrics and possession of the device, and because no shared secret is stored on the server or sent over the network that an attacker could steal to hijack legitimate credentials.
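The exchange described above (local biometric unlock, then a device-held key answering a server challenge, with the server holding only a public key) can be illustrated with a small simulation. The following is an added example written for this post, not code from the original article or from any product it mentions; the origin `https://app.example`, the user name `alice`, and the `biometricMatch` flag standing in for the device's local biometric check are all assumptions. It also shows two checks a relying party needs in practice: the challenge is single-use, and the signature is bound to the origin, so a captured response cannot be replayed or reused against another site.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator models the user's device: a key pair that never leaves it.
// The private key is used only after a local unlock (the biometric match),
// which this example simulates with the unlocked flag.
type Authenticator struct {
	priv     *ecdsa.PrivateKey
	unlocked bool
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// Unlock simulates the local biometric check; the template never leaves the device.
func (a *Authenticator) Unlock(biometricMatch bool) { a.unlocked = biometricMatch }

// PublicKey is the only thing the relying party ever stores.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Sign answers a challenge. The signed message binds the challenge to the
// relying party's origin, so a response produced for one site is useless at another.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	if !a.unlocked {
		return nil, errors.New("device locked: local user verification failed")
	}
	digest := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
}

// RelyingParty models the server: a table of public keys (no secrets to leak)
// and the set of outstanding one-time challenges.
type RelyingParty struct {
	origin     string
	keys       map[string]*ecdsa.PublicKey
	challenges map[string]string // hex(challenge) -> user it was issued to
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{origin: origin, keys: map[string]*ecdsa.PublicKey{}, challenges: map[string]string{}}
}

func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) { rp.keys[user] = pub }

// Challenge issues a fresh random nonce for one login attempt.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[hex.EncodeToString(c)] = user
	return c, nil
}

// Verify checks the signature against the registered public key and consumes
// the challenge, so the same response cannot be replayed.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	key := hex.EncodeToString(challenge)
	if rp.challenges[key] != user {
		return false // unknown, already used, or issued to someone else
	}
	delete(rp.challenges, key)
	pub, ok := rp.keys[user]
	if !ok {
		return false
	}
	digest := sha256.Sum256(append([]byte(rp.origin+"|"), challenge...))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Login runs one full exchange: challenge -> local unlock -> signature -> verification.
func Login(rp *RelyingParty, user string, dev *Authenticator, biometricMatch bool) (bool, error) {
	c, err := rp.Challenge(user)
	if err != nil {
		return false, err
	}
	dev.Unlock(biometricMatch)
	sig, err := dev.Sign(rp.origin, c)
	if err != nil {
		return false, nil // local check failed; nothing is sent to the server
	}
	return rp.Verify(user, c, sig), nil
}

func main() {
	rp := NewRelyingParty("https://app.example") // assumed origin
	dev, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	rp.Register("alice", dev.PublicKey())
	ok, _ := Login(rp, "alice", dev, true)
	fmt.Println("genuine login:", ok)
	ok, _ = Login(rp, "alice", dev, false)
	fmt.Println("login after failed local unlock:", ok)
}
```

Note what a breach of the relying party yields here: a table of public keys, which cannot be used to sign anything. Compare that with a password hash database, where every record is an offline-crackable secret.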
The added advantage is ease of use, which is important in improving the end user experience, whether it is for employees or customers. In other words, passwordless authentication combines security and convenience without compromising either.
For these reasons, organizations should be investigating what they need to do to go passwordless as soon as possible to offer end users alternative, easier to use, and more secure ways to authenticate. It will be a long journey because a lot of services, applications and websites still use passwords, but the sooner everyone makes a start, the sooner everyone will benefit.
KuppingerCole Analysts has a range of content about passwordless authentication, including this Leadership Brief on How to Get Rid of Passwords - Today, this advisory on Mobile Biometrics for Authentication and Authorization, and this executive view on HYPR Passwordless and Phishing-resistant Authentication.
If you would prefer to listen to what our analysts and other experts have to say on this topic, listen to these conversations on How to Combine Security And Convenience and the Future of Authentication, or these analyst chats on Getting Rid of the Password, Enterprise Authentication, and Innovation in CIAM.
In addition to existing content, the coming 2022 KuppingerCole European Identity and Cloud (EIC) conference taking place in Berlin and online from May 10 – 13 will provide the opportunity to learn about the latest thinking around identity, authentication, and security.
The agenda features a dedicated track that includes presentations on Trends in Enterprise Authentication, A Blueprint for Achieving a Passwordless Reality, The State of Passwordless Authentication, A Story About Convenient Security, and panel discussions on The Future of Authentication and MFA usage in enterprise. There is also a Deep Dive session entitled: MFA, (E-)SSO & Passwordless in Hybrid & Multi-Cloud.