Passwords are Evolving as a Passwordless Future Draws Nearer – Source: securityboulevard.com

Source: securityboulevard.com – Author: Jeffrey Burt

Enterprises are developing strategies now to protect identities from being stolen and abused even as a true passwordless future is slowly coming into view, according to Joseph Carson, chief security scientist and advisory CISO at privileged access manager (PAM) vendor Delinea.

“Stealing identities is a top target by attackers as it allows them to stay hidden for long periods and their traffic appears to be legitimate,” Carson told Security Boulevard. “This makes it more difficult for security teams to detect before something bad happens.”

By shifting to technologies like multifactor authentication (MFA) and PAM to protect credentials and reduce the risks when they get stolen, organizations are making it more difficult for attackers to compromise systems and stay hidden.

Carson said that trend was reinforced by a survey Delinea conducted among attendees at last week’s 2023 Black Hat USA conference. It wasn’t a wildly broad sampling – 100 people – but the answers dovetailed with what Carson is seeing in the IT space.

“The reality of what passwordless really means is starting to be better understood,” he said. “Passwords are not disappearing. They are going through an evolution into other authentication techniques. It is quickly accelerating as cloud solutions are adopted by more organizations and protecting identities becomes more important as they have less visibility when they are being abused by attackers.”

Given that, “it is absolutely building on what we have seen in the past, but the strategy is more important and the race is on to reduce the risks from such attacks that target identities and credentials,” Carson added.

The Push to Passwordless

Vendors like Google, Microsoft, and Apple have joined forces with industry groups like the FIDO Alliance and the World Wide Web Consortium (W3C) to drive standards that eventually will eliminate passwords, which are notoriously easy to steal and use in attacks. At the same time, with the proliferation of cloud services and apps, users increasingly are reusing passwords or using ones that are too easy to guess.

Microsoft in 2021 estimated there were 579 attacks involving passwords every second, which means 18 billion a year. Many are successful, thanks in large part to poor or reused passwords.

SpyCloud noted in a report last year that there was a 70% reuse rate among users exposed to data breaches in 2021, which isn’t surprising given that the average person has between 70 and 100 accounts to manage. In addition, the reuse rate among employees at Fortune 1000 companies is 64%.

In a survey of consumers earlier this year, biometrics technology company Incode found that 47% of respondents said not having to remember a password was the top benefit of using digital authentication.

In the meantime, companies are adopting other methods of authentication – not only biometrics but others like two-factor authentication (2FA) and MFA, password managers, and passkeys – to bypass or fortify passwords.

It may take a while to get to the point where passwords are no longer needed for authentication, but organizations are beginning to imagine it now. According to those polled by Delinea, 54% said a passwordless future is a viable concept that is moving beyond marketing-speak and 79% said passwords are either evolving or becoming obsolete.

It Will Take Time

But there are hurdles that need to be cleared before that happens.

“The data and trends suggest that most human-based identities will have passwordless authentication as the primary method,” Carson said. “However, it will likely be somewhere between three and six years before users might be able to move all of their passwords into the background as many web applications and legacy applications take time to get updated and implement passwordless authentication capabilities.”

For those in such industries as industrial control systems (ICS) or the internet of things (IoT), it could take even more years to update or replace devices to eliminate passwords, he said.

Darren Guccione, co-founder and CEO of Keeper Security, said that while many organizations are embracing passwordless technology in some form, the need for passwords is still present.

“Every website, native application, system, and database still requires passwords at some level, even if passwordless solutions are used for convenience,” Guccione told Security Boulevard. “The fact is that robust encryption keys cannot be generated without a password. Even single sign-on solutions require a password, at some level in the architecture, to authenticate a user, prior to the user transacting with SAML-compliant authentication services.”

He added that the “reality is that passwords are essential to the way our connected devices operate and, given the billions of websites and companies that require passwords, we are a long way off from a true passwordless future. We might remove the manual process of having to enter a string of numbers and letters to get access to whatever we need, but losing them altogether is a myth.”

Ricardo Amper, founder and CEO of Incode, told Security Boulevard that organizations moving toward passwordless technologies need to ensure that users are fully onboard.

“Enterprises must put user privacy and ease of use at the center of modern authentication strategy development and implementation,” Amper said. “By leveraging emerging technologies like AI and machine learning, enterprises can usher in the next generation of authentication methods in secure and user-friendly ways.”

He pointed to relying on a user’s unique identity markers – as with biometric technology – as a way to eliminate the need for passwords, tokens, or MFA codes to fully control who accesses a user’s account.

“This is one of many examples of the role emerging technology can play in driving secure, modern authentication strategies,” Amper said.

Original Post URL: https://securityboulevard.com/2023/08/passwords-are-evolving-as-a-passwordless-future-draws-nearer/

Category & Tags: Application Security, Cloud Security, Cybersecurity, Data Security, Featured, Identity & Access, Network Security, News, Security Boulevard (Original), Spotlight, Authentication, Password, passwordless
