
Are you a passwordless laggard?

Blog: OpenText Blogs

A hand drawing a bell curve graph. The bell curve is labeled, from left to right, innovators, early adopters, early majority, late majority, and laggards.

As security and usability expectations rise, many IT security teams are approaching a crossroads: deciding on a strategy for leveraging passwordless technologies across their organization, both internally and to secure engagement with their consumers. Almost every organization has a multifactor authentication infrastructure, but is the current implementation the right fit for every situation? Are there other authentication options that increase efficiency and usability? As IT security teams weigh their options, they often wrestle with these types of concerns:

  • Ensuring security during the transition 
  • Maintaining user experience and accessibility 
  • Managing integration with existing systems 
  • Addressing compliance and regulatory requirements 
  • Balancing costs 

As these objectives and challenges are balanced, looking at trends in the market can provide useful insight. This is why OpenText™ sponsored a Dark Reading survey of 140 IT and cybersecurity professionals. In this survey, Dark Reading was able to recruit a strong mix of cybersecurity and IT professionals, including CIO/CTO or VP roles (18%), CSO/CISO roles (6%), cybersecurity directors and managers (19%), IT or cybersecurity staff (9%), cybersecurity staff (17%), and other IT and engineering roles (29%).

The security side of passwordless 

In what should be no surprise, Dark Reading confirms that cybersecurity teams understand that credentials are a major component of their vulnerability profile. The survey shows that 90% of them are concerned about traditional credentials, and half of them even worked for an organization that has been victimized. Overall, eight out of ten respondents had discovered attacks from outsiders that were based on the weaknesses of traditional credentials. The top two vulnerability concerns identified were phishing attacks and stolen credentials.

The business value of controlling risk 

Respondents confirmed that, on several levels, they see business-centric forces in play when adopting passwordless technologies in their environment. Fundamentally, stronger identity verification is a foundational component of managing the risk of a digitally enabled business. Organizations are empowered to enable more efficient and powerful interactions when they can depend on strong identity verification. These new business models affect not only how they can expand what their internal employees can do but also how they can engage and interact with their consumers at a higher level as more types of digital information can be shared. Organizations can be just as confident of a claimed identity when services are consumed remotely as they are for onsite engagements.

The business enabling side of passwordless 

"Improved user experience" was another big component of why respondents viewed passwordless authentication as an important step forward. In fact, that driver came in second to "improved security." IT teams are commonly eyeing passwordless approaches because they can enhance security by reducing risks associated with weak or stolen passwords, phishing attacks, and password reuse. Overall, if it's done right in terms of implementation and use case fit, passwordless solves the most glaring shortcomings of traditional credentials:

  • No memorization – anyone with an online presence already recognizes the frustrating reality of remembering passwords, especially strong ones. It doesn't take long before people resort to bad credential hygiene to manage the many online services they consume: bad practices like sharing credentials across multiple accounts and using weak or guessable passwords.
  • Lower-hassle logins – compared with the complexity of managing traditional usernames and passwords, the simplicity of a quick authentication experience that comes from a fingerprint touch, facial recognition, or even an authenticator app is a stark contrast. The experience is low friction and quick.
  • Reduced errors – yes, typing in credentials can be laborious, but mistyping them is worse. "Did I fat-finger my password, or is it the wrong one?" Mistyped credentials block access and engagement and are obviously bad for businesses, both internally and in consumer-facing contexts. It's bad enough to delay a business process, but a frustrating experience can push customers to competitors. For speed and usability, if done right, passwordless can be a game changer.

Although I'm not sure how true this is, for me an unexpected survey result is the perception that passwordless leads to a decreased IT burden; it came in third behind improved security and user experience. Do helpdesk calls managing account lockouts and password reset issues outweigh the cost of passwordless enrollment and administration? It seems like the majority of IT and security personnel believe that it does. 

Bringing together both the business-enabling aspect and the cost-saving potential of passwordless technologies, a full third of respondents gauged their cumulative effect on the bottom line as a "big" or "very big" impact. Another third selected minor impact. That's two-thirds of IT and security professionals indicating that they believe that adopting passwordless technologies is good for their business.

If you're interested in Dark Reading’s report, check it out here. It offers some interesting insights.  
