Security Boulevard (Original)

Survey Sees Shift to Passwordless Authentication Accelerating

A survey of 1,005 IT decision-makers published today found 89% expected their organizations to use passwords for less than 25% of logins within five years.

Conducted by the Fast Identity Online (FIDO) Alliance and LastPass, the survey found 95% are already providing some type of passwordless experience at their organization. A full 92% have a plan in place to embrace passwordless technologies more widely.

Mike Kosak, senior principal intelligence analyst at LastPass, said there are multiple motivations for eliminating passwords, from reducing help desk calls from end users who have forgotten them to providing a more frictionless end-user experience.

In place of passwords, most organizations appear to be moving toward passkeys, which provide end users with a digital credential that can be authenticated, Kosak noted. A full 92% of respondents said passkeys would benefit them, with 93% noting they should also eventually help reduce the volume of unofficial shadow IT applications.

However, more than half of respondents (55%) said there is a need for more education focused on how passwordless technology works and/or how to deploy it. More than two-thirds (69%) anticipated storing passkeys in a third-party password manager.

In the meantime, organizations are still making extensive use of passwords (76%), multi-factor authentication (MFA) (43%), one-time passcodes (33%) and single sign-on (SSO) technologies (27%). More than a quarter (28%) are also concerned that end users may be resistant to change.

Top benefits of passwordless authentication included reducing the need for non-passwordless MFA offerings (50%), reducing the need for SSO (48%), reduction in support desk tickets (47%), reducing the need for privileged access management (46%), and streamlined onboarding/offboarding of employees (42%).

Top benefits anticipated included improved security posture (59%), reduction in IT help desk requests (56%), improved user experience (50%), regulatory compliance (36%) and cost savings (33%).

The FIDO Alliance is making the case for a standard approach to passwordless authentication based on FIDO Universal Second Factor (FIDO U2F), FIDO Universal Authentication Framework (FIDO UAF) and FIDO2, a set of specifications that collectively eliminate the need for passwords. FIDO Alliance members include Apple, Amazon, ARM, American Express, Facebook, Google, Intel, Lenovo, Microsoft, PayPal, Samsung, Visa and Mastercard.

Passwords, of course, are a major root cause of cyberattacks, which typically start with stolen credentials. End users sometimes inadvertently share passwords as a result of phishing, or the passwords are simply not strong enough to stop cybercriminals from guessing them using social engineering techniques based on information about the end user that is widely available on social media. Regularly changing passwords is obviously a cybersecurity best practice, but end users typically continue to use variants of the same password to access multiple applications.

Unfortunately, passwords may never be completely eliminated, but the number of applications and services using them will be sharply reduced in the years ahead. Cybersecurity teams should therefore encourage application developers to implement alternatives as quickly as possible. The less reliance there is on passwords, the better: the number of cybersecurity incidents that can be traced back to a stolen credential becomes a lot more manageable.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.