SHARED INTEL: IT pros gravitate to ‘passwordless’ authentication to improve security, boost agility

By Byron V. Acohido

Passwordless authentication as a default parameter can’t arrive too soon.

Related: Top execs call for facial recognition to be regulated

The good news is that passwordless technologies are not only ready for prime time, they appear to be gaining traction in ways that suggest we’re on the cusp of a period of wide-scale adoption. That’s the upshot of a new report, The State of Passwordless Security 2021, put out by HYPR, a New York City-based supplier of advanced authentication systems.

HYPR polled 427 IT professionals and found a high level of awareness about passwordless authenticators — and not just for enhanced security. The IT pros also recognized how passwordless systems contribute to operational agility, as well, and they’ve begun to factor this into their planning.

Some 91 percent of the respondents agreed that passwordless authentication was important to stop credential theft and phishing. Meanwhile, 64 percent saw value in improving user experiences and 21 percent said it could help achieve digital transformation.

“Adoption of passwordless authentication is moving faster than we expected,” says George Avetisov, HYPR’s co-founder and chief executive officer. “The rise of remote work has created a huge urgency around adopting passwordless multifactor authentication, and the no.1 use case is remote access.”

I recently sat down with Avetisov to discuss a few other notable findings in HYPR’s study. For a full drill down on our conversation, please give a listen to the accompanying podcast. Here are a few big takeaways.

‘Shared secrets’ fall short

Password abuse emerged as a criminal specialty shortly after the decision got made in the 1990s to jump start the commercial Internet using a security framework built on shared secrets. Fortifications, such as multi-factor authentication (MFA) and password managers, have come along over the past decade or so to keep password abuse in check. However, these add-on technologies clearly have their limits and aren’t robust enough to carry us much deeper into digital transformation.

“What a lot of people overlook is that MFA and password managers are still built on top of passwords,” Avetisov observes. “What we’ve done is we’ve taken the password and put more password-like stuff on top of it, and that doesn’t solve the problem.”

Threat actors now routinely bypass these second-layer security gates. They do this by deploying botnets to carry out automated attacks such as credential stuffing campaigns and man-in-the-middle attacks.  Over time, these multi-stage hacks slip around or through password-protected access points, even those for which MFA and password vaults are in play.

Successful breaches today typically take aim at breaking into one account and then using that access as a pivot point. One recent hack highlights the scope and depth of these exposures. In early February, an unauthorized user succeeded in remotely accessing the controls of the Oldsmar, Fla. city water supply.

Fortunately, an alert plant operator noticed the intruder cranking up the amount of lye being mixed into the town’s water supply — from a safe level to a lethal one. The operator restored the lye mixture to a safe level and alerted his supervisor, narrowly averting a mass-poisoning.

Benefits beyond security

The water plant hack, which took place in a Tampa Bay suburb a few days before Super Bowl LV, highlights how threat actors are taking advantage of the fact that companies are chasing after digital agility above all else. Digital transformation means shifting to cloud infrastructure supplied by Amazon Web Services, Microsoft Azure, Google Cloud and Alibaba. It also means leveraging DevOps to rapidly innovate cool user experiences, increasingly delivered via mobile apps.

These trends have exponentially expanded the attack surface and prompted threat actors to increase their focus on the weakly-defended access points turning up on the computing devices we use most. At the same time, the efficacy of passwordless authenticators as the logical replacement for legacy passwords has steadily risen to the fore.

We’ve come a long way in the past five years with Touch ID and Face ID authenticators on our iPhones and their counterparts on the various Android handsets, and with the Windows Hello iris scan and facial recognition platform on Windows computers.

In mid-2020,  Microsoft estimated that some 150 million people actually use their passwordless logons each month, and that’s just on Windows laptops and PCs. HYPR’s recent study gets to some of the practical reasons for why passwordless authenticators are now squarely on the radar of IT department heads. When asked what factors are most important in choosing a passwordless solution, the IT pros responded:

•Ease of use, 76 percent

•Ease of integration, 76 percent

•Cost, 66 percent

•Time to deploy, 50 percent

Financial institutions and online retailers have been the earlier adopters of passwordless solutions, for obvious reasons. However, Covid 19 and the sudden, dramatic spike of remote workplace and remote learning scenarios have put passwordless systems on the front burner across the board.

HYPR’s report shows company decision-makers taking stock of the limitations of their legacy network defenses. The legacy approach requires maintaining an expanding array of detection technologies put in place under the assumption that the password layer is paper thin. The mass-poisoning attempt in Florida highlights how attackers are still getting deep into control systems, and oftentimes only getting detected and deterred by happenstance.

“What’s going to happen is you’re going to see a lot of these products, like  automated attack detection, kind of slip away,” Avetisov told me. “If you can’t perform an automated attack on a password or a shared secret, because they’re no longer in use, there’s not going to be any need for that tool.”

The need for organizations to put up layered defenses isn’t ever going to go away, of course. But as passwordless authenticators take wider hold, companies will be able to direct their security spending much more effectively on fewer layers. This shift is underway. Passwords are on their way out. I’ll keep watch, and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone