Technical and Cost Concerns of Passwordless Authentication Bother Security Leaders

The majority of businesses believe passwordless authentication is a step in the right direction, but are concerned over cost, storage of data and user adoption.

According to research of 750 IT and security professionals LastPass, the concept of reducing password related risks by enabling users to login to devices and applications without the need to type in a password is appealing, as technologies such as biometric authentication, single-sign-on (SSO) and federated identity are adopted instead of traditional passwords.

The research found 85% of respondents agree their organization should look to reduce the number of passwords that individuals use on a daily basis, while 95% of respondents surveyed said there are risks to using passwords which could contribute to threats in their organization, including human factors such as password reuse.

The top benefits of a passwordless authentication model included better security (69%), as well as time (54%) and cost (48%) saved, and ability to access from any location (53%).

However, 43% cited cost, 41% storage of data required and 40% time to migrate as the main challenges to implement passwordless, while 72% think that end users in their organization would prefer to continue using passwords, as it is what they are used to.

“As many organizations transition to a long-term remote work culture, giving your employees the tools and resources to be secure online in their personal lives as well as in the home office is more important now than ever,” said Gerald Beuchelt, CISO at LogMeIn.

Asked if he felt that cost, storage of data and user adoption were significant enough reasons for this to not be adopted, over security, Dan Panesar, director for UK and Ireland at Securonix, said in today’s digital world, most organizations rely on a heavy online presence to drive revenue and profit, so the login experience for these customers is critical.

“Once the users have found what they want to purchase, they want to get through and login quickly, but they also need to know that their data is safe: these users are also employees, so implementing innovative solutions for customers to drive profits should be the same for employees,” he said.

“There are always high profile data breaches involving customer data being leaked or stolen. This not only has an impact financially from a regulatory perspective, but also the reputational damage it can do to the brand. These financial and reputational threats should more than mitigate any challenges or concerns around costs, storage or user adoption.”

Patrick Hunter, sales engineering director for EMEA at One Identity, said that technological advances have now allowed us to truly consider alternatives for the first time, and facial recognition and other biometrics are good as a form of authentication when used in conjunction with a second factor such as a PIN.

“I would never advocate for a single authentication factor for accounts with privileged account access, whether that is a password or a passwordless alternative,” he said. “It goes without saying that all generic privileged accounts need to have their authentication mechanism locked away completely and only accessible with multiple forms of authentication.”

Hunter claimed some organizations are too complex and too large to implement this level of change though, as “they have too many systems, too many applications, too many SaaS services and, my experience shows, they don’t always know all the applications that have been purchased with a credit card in the world of Shadow IT.”

He said: “Organizations that embrace new authentication technology are still pioneers in my opinion, they are the brave souls willing to risk their data and the wrath of their users to use innovative ways to keep the bad guys out: but there will still be passwords in their organizations, no matter what they try.”

Javvad Mallik, security awareness advocate at KnowBe4, said common threats posed by passwords should not warrant a roll out of passwordless authentication, and as an industry “we should be mindful of how we roll it out, and not implement large-scale sudden change; rather take a measured approach, starting perhaps with a small set of applications within the organization, understanding the impact, then moving on to others.”

Likewise, Stuart Sharp, VP of solution engineering at OneLogin, said passwordless isn’t just about improving security, it’s as much about making sure you are offering end users the same seamless, modern experience with authentication that they expect and demand from all their online experiences.

“The best passwordless options don’t require organizations to store additional data but instead leverage biometric authentication options that come with almost all smartphones, laptops and tablets,” Sharp said. “The biometric data is stored on the device, not by the organization, so there is no single target that hackers can go after to harvest fingerprints or face IDs.”

What’s Hot on Infosecurity Magazine?