In 2020, 80% of hacking-related breaches involved brute force or the use of stolen credentials. And in 2021, 85% of breaches involved the human element. Organisations have relied on password-based authentication for decades. But from these statistics, it’s clear that passwords are among their most critical threat vectors.
As thwarting password-based “security” becomes increasingly easy for threat actors, organisations need stronger, more reliable authentication methods.
Many are now adopting Multi-factor Authentication (MFA), which requires multiple forms of identity to authenticate users. However, MFA too has its drawbacks, and not all MFA methods are created equal. According to NIST, authenticators that involve the manual entry of an authenticator output, such as out-of-band and OTP authenticators, SHALL NOT be considered verifier impersonation-resistant, because the manual entry does not bind the authenticator output to the specific session being authenticated.
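To make the NIST distinction concrete, the following added example (written for this article, not IDEE's code or an excerpt from NIST) contrasts a manually entered OTP with a challenge-response authenticator whose signature covers the origin the user is actually interacting with and the verifier's fresh challenge. The seed, device key, origins and the look-alike site are all constructed values, and an HMAC stands in for the public-key signature a FIDO2/WebAuthn authenticator would produce. The point is on the verifier side: an OTP is accepted no matter where it was typed, whereas an origin-bound assertion produced on a look-alike site fails verification at the genuine service.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo values (not from the article): a shared OTP seed and a per-device key.
OTP_SEED = b"constructed-otp-seed-0123456789"
DEVICE_KEY = b"constructed-device-key-abcdef"
REAL_ORIGIN = "https://login.example.test"    # the genuine service (hypothetical)
PHISH_ORIGIN = "https://login-example.test"   # look-alike site the user is tricked into using (hypothetical)


def hotp(seed: bytes, counter: int) -> str:
    """RFC 4226 HOTP: a six-digit code derived from the seed and a moving counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % 1_000_000
    return f"{code:06d}"


def verify_otp(seed: bytes, counter: int, submitted: str) -> bool:
    """Verifier side of a manually entered OTP: it can only check that the digits are right.
    Nothing in the code says where the user typed it."""
    return hmac.compare_digest(hotp(seed, counter), submitted)


def sign_assertion(device_key: bytes, origin: str, challenge: bytes) -> bytes:
    """Authenticator side of a session-bound challenge-response.

    HMAC stands in for the public-key signature a WebAuthn authenticator would
    produce; what matters is that the origin the user is actually talking to
    and the verifier's fresh challenge are both covered by the signature.
    """
    return hmac.new(device_key, origin.encode() + b"|" + challenge, hashlib.sha256).digest()


def verify_assertion(device_key: bytes, expected_origin: str, challenge: bytes, signature: bytes) -> bool:
    """Verifier side: recomputes over *its own* origin and the challenge it issued."""
    expected = sign_assertion(device_key, expected_origin, challenge)
    return hmac.compare_digest(expected, signature)


def otp_relay_accepted(counter: int = 1) -> bool:
    """User reads the OTP from their app and types it into the look-alike site, which
    forwards it to the real verifier. The code is valid, so the verifier accepts it."""
    code_typed_at_lookalike = hotp(OTP_SEED, counter)
    return verify_otp(OTP_SEED, counter, code_typed_at_lookalike)


def bound_relay_accepted() -> bool:
    """Same forwarding, but the authenticator signs over the origin it is actually
    interacting with. The real verifier recomputes over REAL_ORIGIN, so it rejects."""
    challenge = secrets.token_bytes(32)            # issued by the real verifier
    relayed_signature = sign_assertion(DEVICE_KEY, PHISH_ORIGIN, challenge)
    return verify_assertion(DEVICE_KEY, REAL_ORIGIN, challenge, relayed_signature)


def bound_direct_accepted() -> bool:
    """Control case: the user signs in at the genuine origin and the assertion verifies."""
    challenge = secrets.token_bytes(32)
    signature = sign_assertion(DEVICE_KEY, REAL_ORIGIN, challenge)
    return verify_assertion(DEVICE_KEY, REAL_ORIGIN, challenge, signature)


if __name__ == "__main__":
    print("OTP typed at look-alike site, forwarded to real verifier:", otp_relay_accepted())
    print("Origin-bound assertion from look-alike site:             ", bound_relay_accepted())
    print("Origin-bound assertion at genuine origin:                ", bound_direct_accepted())
```

The design choice worth noting is that the verifier never trusts a claimed origin from the client; it substitutes the origin it knows itself to be, so an assertion made for any other origin cannot verify. That is the session binding NIST requires for verifier impersonation resistance, and it is exactly what a six-digit code cannot carry.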
The best way to close these security gaps is with passwordless security. In addition to improving the organisation’s security posture, passwordless security eliminates user friction, and reduces the administrative burden on IT teams with respect to password-related helpdesk tickets. Passwordless security is the future of digitisation and enterprise cybersecurity risk management. Here’s why.
Passwordless Security vs Password Managers
Password managers or vaults encrypt passwords on a user’s device. Users must create a “master password” to access the vault.
Although password managers offer some security advantages, they carry the same fundamental risks as passwords themselves. They do not remove the password as an attack surface; they make passwords more convenient to manage.
The master password must be strong enough to resist guessing or compromise. However, many users choose weak master passwords, which undermines the protection the vault is supposed to provide.
All passwords are stored in one place, creating a single point of failure. If the vault is breached, the user could lose every password, and every account where those passwords are used, in one go. Threat actors can also compromise a password manager by infecting the device with malware.
Yet another challenge with password managers is that users often create a backup copy of their passwords. If that backup is stored on a poorly protected offline disk or cloud service, threat actors can steal it and take over the user’s identity.
Finally, some password managers provide poor encryption, don’t support all devices/browsers, or work only with web-based browser logons.
The best way to reliably and safely address all these drawbacks is with passwordless security.
Passwordless Security Prevents Security Challenges
Stolen or compromised passwords create numerous security challenges for organisations.
Email-based phishing is one of the most fruitful attack methods for bad actors. In 2020, 75% of organisations globally experienced a phishing attack. In fact, phishing was the top “action variety” observed in breaches during the year, according to both Verizon and the FBI, and credentials were the most commonly compromised attribute in such attacks. Once stolen, credentials can be used for credential stuffing, a particularly big risk when employees reuse passwords across multiple accounts. Account takeover, identity theft and fraud are other consequences of stolen or compromised passwords.
In general, attackers prefer short paths to attack enterprise security. Passwords provide such paths, allowing them to easily compromise systems and steal sensitive data.
Organisations can prevent such cyber attacks out of the box with passwordless security. If more than 80% of breaches are caused by weak credentials, then by going passwordless, organisations can prevent 80% of cyberattacks.
Passwordless Security to Minimise Insider Threats
Since the start of the COVID-19 pandemic, a remote workforce has become the norm for organisations worldwide. As employees work from home and take security “shortcuts” while accessing enterprise resources, security teams have to contend with an increasing risk of insider threats – whether due to disgruntled or negligent employees, careless vendors, or malicious ex-employees.
In fact, between 2018 and 2020, both the frequency and cost of reported insider incidents have increased by 47% and 31% respectively. Of these, negligent insiders account for 62% of all incidents, costing organisations an average $4.58 million per year.
In most such incidents, compromised passwords play a part, and that is the part passwordless security can help address.
Passwordless Security for Easier Customer Onboarding
Nowadays, users have to keep track of multiple credentials for multiple accounts. Forcing them to go through password-based authentication during onboarding adds to this burden, and affects their experience.
For the organisation, it increases the risk of customer abandonment. A recent study found that 64.5% of users will abandon a website if they’re asked to create a username and login. Among those whose login credentials are lost or compromised, 92% were willing to simply leave a website instead of resetting their login credentials.
Passwordless security is an effective way to minimise friction for users, while preventing user abandonment and increasing security for service providers.
Passwordless security provides numerous advantages over traditional password-based systems, and even over MFA and SSO systems. To calculate and reduce your organisation’s risk exposure, use this free threat model created by IDEE while at the UK’s National Cyber Security Center.
About the Author
Proudly made in Germany, IDEE’s AuthN™ is a truly passwordless, zero-trust authentication and authorization service for today’s organisations. AuthN removes all password-related threats to increase security, simplify auditing and compliance, and reduce the immense pressure on IT budgets. With IDEE AuthN, your organisation can seamlessly transition to passwordless login, and leap ahead of bad actors looking to harm you. That’s why AuthN is trusted by CIOs and IAM experts alike. To book a free, no-obligation demo, click here.