Q&A: A passwordless future

Q&A: A passwordless future

Johan Fantenberg, Principal Solutions Architect, APJ, Ping Identity, on the concept of a passwordless future and its implications for enhancing security in the digital age. 

Can you elaborate on the concept of a passwordless future and its significance in the context of cybersecurity today?

Eighty-six per cent of breaches involve stolen, weak or default passwords. Of those breaches, 74% involve the human element, which includes social engineering attacks, errors or misuse. 

Passwords, especially those used to secure access to privileged work accounts, are criminals’ most sought-after target. The increase in data breaches and the insecurity of with password-only authentication systems – with users commonly reusing and sharing passwords – have encouraged the IT industry to think about strengthening this authentication method or removing passwords entirely through passwordless authentication.

Passwordless means that users can authenticate themselves without having to provide a password or any other knowledge-based answer. The goal of going passwordless is to authenticate users without taking on the risks that come with passwords. Instead, users are identified by other attributes like their biometrics or device identifiers. Biometric authentication leverages something you are, such as your voice, fingerprint, or face, while device identifiers leverage a something you have, such as your phone. Using these authentication factors allows higher security than using only something you know factors, such as passwords, that can be easily reused, shared or guessed.

What are some key benefits organisations can expect from embracing passwordless authentication methods?

Passwordless provides benefits to customers and employees alike, including increased security and a better overall digital experience. For customers, it reduces their likelihood of churn because they have a better experience with your brand. In fact, 60% of have stopped using an online service because they became frustrated with the login process; a steady increase since 2022 (59%) and 2021 (56%). For employees, passwordless increases productivity and reduces help desk tickets. On average, 11 hours are lost annually from password resets, 12 minutes are spent daily entering and resetting passwords, and 33% of IT department’s tickets are related to passwords.

Passwordless authentication removes the need for a password and minimizes the threats related to credential-based attacks, including account takeover (ATO), fraud and data breaches. Not only are data breaches costly in the short term, but they can have long-term consequences. For example, 78% say they are wary about doing business with a retailer that has experienced a breach.

How do you address concerns about the feasibility and practicality of implementing passwordless security solutions across different industries and sectors?

When it comes to passwordless, one size does not fit all. That’s true for the enterprises that implement passwordless and it’s true for users — people want choices. No matter where you are on your passwordless journey, there are steps you can take today to eliminate passwords in a phased approach.

I would encourage any business to start by offering one passwordless factor to reduce friction and improve the security of a standard login. Examples include multi-factor authentication (MFA), such as push notification, one time passcode (OTP) or emailed magic links. Next, they can offer a passwordless experience where the password is still present for any legacy apps that require it, but it’s handled securely in the background, so users don’t have to enter or see it. Since the user doesn’t interact with a password, they eliminate many of the risks of social engineering and generative AI threads. Finally, go completely passwordless by removing passwords completely and instead leveraging biometrics and PKI based solutions such as passkeys.

Looking ahead, what trends do you foresee shaping the future of cybersecurity – particularly in the realm of authentication and access management?

It’s expected that 75% of organisations will integrate cybersecurity measures into systems and processes that can neutralise vulnerabilities and fortify infrastructure. Implementing passwordless authentication will be central to this. Not only does passwordless authentication offer better convenience and security, but it can also leverage multiple contextual signals to confirm identities, like physical location, keystrokes and time of day. Compared to relying on stolen passwords, attackers will have a harder time gaining easy access to users’ systems and data.

Simultaneously, organisations, especially public sector agencies, will start implementing decentralised identities, which removes the need for users to provide more information than is necessary to access a particular service. For example, an online service can be supplied with only the user’s age for verification purposes without the need to view driver’s licenses, which contain extra details that are not relevant to their needs. By adopting this capability, organisations can safeguard their assets and employees and customers from being targeted by identity and fraud-based attacks.

Browse our latest issue

Intelligent CISO

View Magazine Archive