Going passwordless in mid-size organisations: benefits and challenges
The banking world ushered in passwordless in the 2010s, but businesses have yet to catch up
Resource-strapped IT departments at mid-size organisations may find implementing passwordless solutions complex and labour-intensive. Here's some expert advice on adopting this important technology from Computing's US sister site MES Computing.
If user credential and password management seems to eat up the bulk of your IT operations team's time, you are not imagining it. "Support for passwords is the most time-consuming access management process and, on average, administrators spend four hours per week managing employee access, including supporting account registrations, credential resets, and usability problems," according to one report from EMA (Enterprise Management Associates).
For that and other reasons including enhanced security, Gartner said that interest in passwordless authentication "remains high" across organisations, including the midmarket.
Yet, according to EMA's research, over 91% of end users still use the traditional login/password method to access business apps, data and IT services.
Richard Richison, senior director, IT infrastructure & cybersecurity operations at Repligen Corporation, recently posted on LinkedIn that it is time for mid-sized organisations to move to passwordless multifactor authentication, based on his own experiences as a midmarket IT executive.
"It amazes me how many service providers are recommending/talking about how organisations should be implementing traditional MFA. If they haven't implemented MFA by now, do they really believe it is on their roadmap to be implemented? Probably not. Instead of discussing traditional MFA, talk about implementing passwordless MFA solutions," he said.
"Traditional MFA solutions are becoming less effective, provide a false sense of security, and they're a potential gateway for threat actors. IT leaders should be alarmed by how easily they can bypass it," Richison continued. "MFA fatigue is real, and end users are becoming numb to the daily MFA requests they receive."
Richison said he replaced his organisation's traditional MFA with Beyond Identity -- praising the cybersecurity company's mission to "eradicate passwords and deliver secure, seamless authentication for users and businesses."
"If you're not actively discussing passwordless MFA [multi-factor authentication] with your current security providers, it's not just time; it's crucial to prioritise this conversation," he said.
So why aren't more organisations going passwordless?
Resource-strapped IT departments at mid-sized organisations may find implementing passwordless solutions complex and labour-intensive, especially when integrating the technology with legacy applications that only understand a username and password and cannot be fronted by a modern federation protocol such as SAML or OpenID Connect.
Passwordless authentication is 'everywhere,' but enterprise adoption still slow
1Kosmos, a provider of digital identity verification, can help IT departments with some of the complexities of going passwordless, said Michael Engle, 1Kosmos co-founder and its head of strategy.
"We've gotten really good at simplifying customer journeys," Engle said when asked about the complexities that IT teams at mid-sized businesses may face when implementing passwordless authentication.
"We can deploy our technology alongside your existing technology. So, when you put everything in place and set it up, which is all just connecting industry standard connectors ... there's protocols that Okta and Microsoft and [others] use ... just plug it in."
He said another value-add for smaller IT departments was the self-service option 1Kosmos offers end users, freeing up IT help desk time.
"We specialise in simple communication with the users that says, click here to get rid of your password at the company. You send them an email, little video, they click a link, and they're onboarding themselves in 60 seconds in a safe way. So those two technologies are really important for getting adoption without a lot of complexity ... without you having to change it all overnight, on one weekend which is a nightmare for IT staff."
Engle said there is also a cost savings opportunity for IT.
"You can start removing legacy [authentication] systems. So, there's lots of opportunity for cost savings, because you're not paying for five, call it, 2FA systems anymore, reducing your licences. And as you rip that stuff out, you're simplifying the IT infrastructure. Imagine if you had one way to engage with a user, one system that handled 12 different methods, because we do all the old stuff to the username, password to 2FA magic links ... So, you can snap us in, get rid of the legacy, and then move to the modern."
He said there is also a case for ROI that some IT leaders may be able to make to their management.
"We have really extensive ROI calculations to say alright, here's our starting point. We had 100,000 calls to the helpdesk last year, $50 each, that's $5 million. Let's target saving $2 million into the helpdesk. Then you can measure that along the way as well."
Passwordless environments can also help increase productivity. "How much time do you spend logging in ... 14 seconds? We can cut that down to four. So now you have 10 seconds, times 10,000 employees, times 10 times a day. That's $4 million, right? Just making up numbers. But it's big numbers ... When you get it on a spreadsheet, and you present it to the CFO or the CIO, they're like, wait a minute, tell me more about that $4 million number," Engle said.
In the consumer space, passwordless authentication is "everywhere," but there has been sluggishness in enterprise adoption, especially at the midmarket level, said Jasson Casey, CEO of Beyond Identity.
"If you ever use Android or Apple Pay, you are using passwordless, two-factor, phish-resistant authentication to actually pay a bill," he said.
"The banking world helped usher passwordless in without us even realising it in the 2010s. As the end users start to like an Apple Pay- and Android Pay-like experience, we saw that as a way where we could use that same hardware capability that now exists everywhere, to actually get rid of these existential [cyber] threats to these midmarket companies.
"Part of the adoption around passwordless is there hasn't been a vendor that actually gives a singular user experience to the end user that is truly passwordless while actually providing a real security benefit. Microsoft and Okta had been the closest. Microsoft has four authenticators depending on what you're trying to do ... that's a pretty fractured experience. And the fact that it has four authenticators, it's complex to use. If I'm [in the] midmarket, I have an overworked IT staff, they're not going to have time for that."
Beyond Identity, Casey said, has "three points on our brand promise. First of all, it is easy to use ... when we say easy to use, the end user should feel like this is an easier system than anything they've ever used to log in to get to work, to get work done. And so where that comes through in our product is it doesn't matter if you're working on Windows, if you're working on Mac, if you're working on mobile devices, if you're working on Linux, it's the same experience. So, it's not fractured."
He continued: "The tie-in for Beyond Identity: we think that security of a business really starts with the identity platform. We think based on what the market looks like that not only can real security problems be solved with the identity stack, but you could drastically improve the end user and the administrative experience."
Casey said businesses that work with the US federal government are mandated to employ this technology. Going passwordless can also help with cyber insurance, he said.
"We're seeing cyber insurance rates, double or triple if you don't actually have the modern MFA, like phish-resistant MFA. In some cases, we've seen companies lose their coverage."
Even if your organisation has yet to adopt passwordless technology, it has likely been on your mind. The passwordless authentication market is expected to grow from $6.6 billion in 2022 to $21.2 billion in 2027 as IT leaders look to its benefits: enhanced security, fewer IT help desk calls, improved productivity, and a safer, more seamless login experience for end users.
This article was first published on MES Computing