Enterprises worldwide are accelerating the adoption of passwordless authentication technologies in response to the increase in cybersecurity threats in 2020, according to a new report released by HYPR, The Passwordless Company and Cybersecurity Insiders.
The report "The 2021 State of Passwordless Security" includes insights from over 425 information technology professionals, representing a cross-section of organizations of varying sizes across multiple industry verticals, globally. It uncovered the key drivers and barriers to passwordless adoption and organizations' technology preferences, based on data from Cybersecurity's 500,000-member community.
90% of survey respondents experienced phishing attacks against their organizations in 2020, and 29% of those experienced credential stuffing – revealing the impact of remote working and the overall increase in attacks on legacy and password-based multi-factor authentication (MFA). 91% say preventing credentials-based attacks is the primary reason for MFA, 64% cite improving user experience, 21% believe it's essential to their digital transformation journey, and 14% attribute MFA to increased cost savings. In terms of defense, close to all of the respondents reported a need to establish a passwordless security strategy.
"Prior to the COVID-19 pandemic, passwords and shared secrets were the number one cause of breaches despite billions of dollars invested in cyber security. This report highlights that many organizations are now re-allocating funds and investing in passwordless technologies," said George Avetisov, HYPR Co-Founder and CEO. "Not only have a meaningful number of organizations already deployed passwordless technology, they demonstrate a clear understanding of its impact and use cases. The key takeaway is that adoption of passwordless security is further along than we think, and it's happening faster than anyone predicted."
Other key findings include:
Remote workers dominate when it comes to Passwordless
The pandemic forced organizations to adapt to new ways of working, with the majority moving to a remote model. Today, 78% of global CEOs agree that remote collaboration is here to stay, according to a survey by PwC. This shift saw a positive impact on passwordless adoption, with remote work identified as the number one use case (86%). Close to three quarters of onsite employees rounded out the top, followed by external contractors (43%), and lastly 24% represented customers and consumers.
Organizations understand the need to evolve beyond passwords
Adoption of passwordless MFA remains steady, with 36% using smartphones as FIDO tokens, 17% using hardware security keys such as the Yubico YubiKey or Google Titan, and 17% leveraging built-in authenticators such as Windows Hello. However, 48% of respondents say their organization still lacks a passwordless solution.
Despite the uptick, many organizations are still using two-step multi-factor authentication to verify users. 61% reveal that their passwordless solution still requires a shared secret such as an underlying password, a one-time password (OTP), or an SMS code. Additionally:
- Over 90% consider it essential or somewhat important to eliminate shared secrets for authentication
- 22% are "unsure," suggesting more education is required to define the benefits of passwordless MFA
- Organizations must prioritize ease of use and speed to ensure a superior "passwordless user experience," yet 67% of respondents say their organization lacks the right skills and teams to ensure seamless adoption
Organizations must consider the variables before undergoing passwordless transformation
When choosing a method, a mobile-first passwordless MFA solution is preferred over traditional options, with close to three quarters of respondents saying smartphones are the most convenient and provide the most user-friendly experience. This usability also contributes to the high number of remote users (86%) adopting passwordless technology.
Integration, standards and interoperability are essential when it comes to choosing a passwordless solution. 76% require ease of use and ease of integration, followed by cost, while interoperability with multiple identity providers was important for two-thirds of those surveyed. Additionally, close to all respondents state that leveraging a standards-based approach such as Fast Identity Online (FIDO) is paramount to ensure a future-proof environment.