Passwords are an inexpensive and convenient form of authentication. While passwords can provide a high degree of protection, in practice they are a weak point that is commonly exploited by threat actors to gain access to internal networks and sensitive data. Brute force attacks are conducted to guess weak passwords, credential stuffing attacks succeed because people reuse passwords on multiple platforms, and employees divulge their passwords by responding to phishing emails.
Many of these attacks targeting passwords succeed because employees engage in risky password practices, such as setting easy-to-remember passwords or using the same password for multiple accounts. Businesses can take steps to eliminate these bad password practices by providing security awareness training to teach employees password best practices, enforcing password complexity rules, and providing a password manager; however, risk can only be reduced, not eliminated entirely. Employees will make mistakes, and some will circumvent the rules.
The best approach for businesses to eliminate password risks is to do away with passwords altogether and adopt passwordless authentication. Passwordless authentication is a broad term covering multiple methods of authentication, including biometrics, security keys, and specialized mobile applications. The problem for businesses is implementing passwordless authentication for an entire workforce is costly and challenging.
Half of Businesses Have Implemented Passwordless Authentication or Plan to
Bitwarden, a leading open source password manager provider, has recently published the findings from its annual password decisions survey, which shows an increasing number of businesses are embracing passwordless authentication. The survey was conducted on 800 IT decision-makers (400 Us / 400 UK) across a range of industries and revealed almost half of the respondents have either deployed or have plans to deploy passwordless technology. The main benefits of passwordless technology were seen to be improved security (41%), a better user experience (24%), increased productivity (19%) and minimizing the burden on the IT department (17%).
Out of the businesses that have started to deploy the technology, 66% have one or two user groups or multiple teams using passwordless technology, with 13% having fully adopted it across the entire organization. The most common form – implemented or being considered by 51% of businesses – is something employees are – a biometric factor such as a fingerprint, voiceprint, or facial recognition technology. 31% use or are considering something an employee has, such as a phone, security key, or FIDO authentication. 47% of respondents said FIDO2 was an important aspect of their passwordless adoption.
The most commonly stated reason for not ditching passwords is the applications the businesses use are not designed to support passwordless authentication, which was a problem for 49% of businesses that have yet to go passwordless. 39% said end users prefer passwords or are reluctant to switch, 28% said they do not have the budget, 23% said there was leadership resistance, and 21% said they had limited talent and skills to implement it.
It is likely to take some time before most businesses can go fully passwordless, and in the meantime, passwords will continue to be used. On that front, the survey confirmed that risky password practices are commonplace. While 84% of respondents said they use password management software, 54% said passwords are stored in a document on their computer, 29% write them down, and over 90% of respondents admitted to password reuse, despite being aware of the risks. 36% reuse passwords on 5-10 sites, 24% reuse passwords on up to 15 sites, and 11% reuse the same password on more than 15 sites, which demonstrates why credential stuffing attacks often succeed. Fortunately, 92% of respondents said they are using 2-factor authentication in the workplace – an increase from 88% in last year’s survey.
When questioned why they believe people are reluctant to use 2FA to add security to accounts, 48% said they do not think people are aware of the benefits, 47% said they think passwords are strong enough, and 41% said they think its because they are unlikely to get hacked, with a similar percentage saying 2FA slows down workflow.
The post Adoption of Passwordless Authentication Grows But Poor Password Practices Persist appeared first on HIPAA Journal.