Passwordless implementation has long been heralded as the future, but are we ready, asks Mortada Ayad, Director, Sales Engineering at Delinea.
We often hear about the increasing appetite for a passwordless future and while this mostly is in the context of consumers, the reasons for organisations wanting the same seem straightforward.
According to the Verizon 2023 Data Breach Investigations Report stolen credentials were used in 49% of breaches by external actors. However, tightening policies and procedures to avoid credential theft often means hampering productivity and chances are employees will find ways around them to get things done, compromising security without realising it.
It is also simply unrealistic to expect them to create, remember and regularly change multiple, unique and complex passwords. If the password is the weakest link, why haven’t we gotten rid of it yet?
Passwordless, explained
First and foremost, it is essential to differentiate between a passwordless implementation, where the password is removed from the authentication process, and a passwordless experience, in which the mechanics of password authentication are still happening, but the user is not required to enter it anymore.
A full passwordless implementation, however, is much more difficult to achieve. Technology has undoubtedly made huge strides and several solutions, like biometrics or passkeys are now competing to replace the password, but according to a recent Delinea report, 68% of IT decision-makers think that the password is not dead just yet.
Furthermore, only 30% of respondents said that their organisation has already started the transition towards passwordless, while 36% claimed they are a couple of years away and 21% admitted they are three to four years away.
The slow pace of this transition appears to be due to several factors, such as the limited availability of these new technologies, which do not always live up to expectations or do not cover all use cases; their compatibility with legacy systems still existing in many companies for the foreseeable future; and the need to demonstrate that their use does not hinder compliance.