Enterprise CISOs have been trying to move beyond passwords for more than a decade, but have run into technical roadblocks, as many legacy systems were never designed for anything other than passwords.
As a result, the passwordless revolution, despite its promise and the enticing premise of replacing passwords — which are becoming even easier to steal and abuse — with biometrics, one-time passcodes, security keys, and the like, may never fully come to pass.
According to a recent RSA report, “passwordless adoption is stalling, with 90% of organizations reporting challenges due to coverage gaps and poor user experience.”
The challenges are many. Beyond legacy industrial systems, homegrown apps, door/facility access systems, and IoT, even routine workgroup deployment of passwordless solutions is anything but routine. Different operating systems and specialized access requirements typically translate to enterprises needing to roll out multiple passwordless packages, which can be expensive and time-consuming, and create operational delays and other friction. Worst of all, it can create new security holes as attackers try to slip between the cracks of those multiple passwordless systems.
Security analysts and practitioners see most enterprises able to cover anywhere from 75% to 85% of their threat landscape with existing passwordless options. But that last 15%, which includes the most passwordless-resistant systems, is where the real headaches materialize.
“It will be difficult to close that last 15% especially in operational technology environments with embedded systems and industrial controls,” says Will Townsend, a VP and principal analyst at Moor Insights & Strategy. “The lift will be particularly difficult with OT, IoT, and embedded Linux. And anything in the manufacturing space.”
Townsend adds: “The DIY stuff, that’s the oddball. The process also creates risks in terms of managing all of these disparate tools. Still, the benefits far outweigh any short-term friction that you are going to experience.”
Passwordless challenges and risks
Another key passwordless challenge? The myriad choices involved, perhaps too many. What kind of passwordless? FIDO2 versus biometrics? And if the choice is biometrics, which biometric — face, retina, fingerprint, vein position? All have pros and cons, and given that enterprises will require many different forms, the management effort is significant.
Then there’s the question of backup, in case a passwordless mechanism fails. And if the design is to fall back onto passwords, then that isn’t really “passwordless,” is it?
“Passwordless implementations typically leave a dangerous blind spot. Passwords are still there, lurking inside the passkey enrollment and recovery flows,” says Aaron Painter, CEO of Nametag. “Think of it this way: How do you really know who’s enrolling or resetting a passkey? Attackers don’t have to break the cryptography of passkeys. They go after the weakest link, whether it’s a helpdesk call, an SMS code, or a ‘can’t access my passkey’ button. By keeping both a password and a passkey, organizations multiply their attack surface.”
Painter adds: “The real shift to passwordless only happens when enrollment and recovery get the same phishing-resistant treatment as login, by blending modern mobile cryptography with biometrics and liveness verification.”
RSA’s report pointed to enterprise environment complexity as potentially the biggest roadblock.
“Complex environments and mixed-use cases and user groups make it a challenge for organizations to deploy comprehensive passwordless. Because most organizations operate in hybrid environments and must support diverse users and use cases, identity specialists are preparing to use a diverse range of form factors to provide every user with passwordless authentication,” the report says.
The RSA report added that security executives seem to be split on the reasons for passwordless deployment delays. About “57% of respondents said security concerns were slowing passwordless, 56% cited concerns about user experience and 52% said a lack of complete platform support — including legacy apps and third-party systems — was the main challenge in preventing them from rolling out passwordless.”
All-in passwordless strategies fall short
Jim Taylor, chief product and strategy officer at RSA, says today’s enterprise environment and existing passwordless approaches make “100% passwordless not possible just yet,” adding that “85% is possible, with the 15% representing the complicated and the very specialized” needs such as “security admins who need to log in to a door for building access halfway across the world.”
Enterprises that support critical infrastructure face especially difficult passwordless hurdles, Taylor notes. “With critical infrastructure, look at the old switches out there. With drilling situations, you have these mini air-gapped networks that are disconnected. Now satellites are starting to connect these things.”
Taylor estimated that enterprises should be able to hit 100% passwordless compliance “within the next couple of years. Maybe it’s three years to achieve that last 1%.”
Part of the passwordless debate focuses on ROI strategies. The proverbial gold at the end of the rainbow is having all password credentials eliminated. That means an attacker with a 12-month-old admin password from a breach of a partner company would have nothing of value. But as long as some passwords must be supported, the risk of such an attack remains.
Security practitioners disagree on how much benefit can be realized shy of achieving 100%. “Any password you remove marginally improves your security posture and gives you a slight reduction in your risk profile,” Taylor says.
Oleg Naumenko, CEO of Hideez, says CISOs must think strategically when deciding the sequence of which systems to target first for their passwordless strategies.
“You can’t get support for all of your working technology via one technology. It’s not possible. If a company begins by securing privileged users and critical systems, that alone can significantly reduce exposure. But if the rollout starts with the easiest integrations just to reach more users, the improvement will be superficial,” Naumenko says. “Many start by implementing passwordless access for cloud services because it’s easier, while the more complex, high-risk systems remain password-dependent. I usually recommend reversing that order and starting with the most privileged users.”
By focusing on the users who will have the greatest impact, the progression of passwordless can go far more smoothly, Naumenko claims.
Proper sequence is critical
“Admins and engineers have the broadest access, so if passwordless works for them, scaling it to the rest of the organization becomes much simpler,” says Naumenko, who recommends first assessing how each service supports passwordless SSO.
“Most cloud apps integrate easily via SAML or OIDC, while legacy or custom systems require a different approach,” he says. “The first option is to restrict access through a VPN protected by passwordless SSO. And the more advanced option is to use a reverse proxy service that enables passwordless access directly.”
Or Finkelstein, head of marketing at Secret Double Octopus, has found it effective to trick legacy systems into thinking they are being given a password, when in reality they are not.
One technique his clients have used is to “take over the legacy password field and replace the user-selected password with a machine-generated ephemeral token that rotates with every authentication,” he says. “Now, technically speaking, that is still a password, but no human will ever see or use it,” and it doesn’t have the cybersecurity weaknesses of a password and can’t be phished.
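The rotating-token approach described above can be sketched in a few dozen lines. The following is an added illustration written for this article, not code from Secret Double Octopus or any other vendor: it assumes a hypothetical legacy system that can only verify a password, and a broker that sits between the passwordless identity provider and that system. The passkey check itself is represented by a boolean the identity provider is assumed to supply; the point being shown is that the credential the legacy system sees is machine-generated, never shown to a human, and replaced after every successful login, so a copy captured once is worthless afterwards.

```python
"""Ephemeral credential broker in front of a password-only legacy system.

Added example (not vendor code). The LegacySystem class is a constructed
stand-in for an application that can only check a password; the broker
owns that password, rotates it on every authentication, and never exposes
it to the user.
"""
import hashlib
import hmac
import secrets


class LegacySystem:
    """Constructed stand-in: stores salted PBKDF2 hashes and checks passwords."""

    def __init__(self):
        self._records = {}  # username -> (salt, digest)

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._records[user] = (salt, self._digest(password, salt))

    def login(self, user: str, password: str) -> bool:
        record = self._records.get(user)
        if record is None:
            return False
        salt, stored = record
        # Constant-time comparison so a replayed guess leaks nothing via timing.
        return hmac.compare_digest(self._digest(password, salt), stored)


class PasswordlessBroker:
    """Hypothetical broker: the only party that ever knows the legacy password."""

    def __init__(self, legacy: LegacySystem):
        self._legacy = legacy
        self._current = {}  # username -> current ephemeral token

    def provision(self, user: str) -> None:
        """Generate a fresh high-entropy token and push it into the legacy system."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, never shown to a human
        self._legacy.set_password(user, token)
        self._current[user] = token

    def login(self, user: str, passkey_verified: bool) -> bool:
        """Log the user into the legacy system after a passkey assertion succeeded.

        `passkey_verified` stands in for the identity provider's phishing-resistant
        check (assumption: that check happens upstream). On success the token is
        rotated immediately, so it is single-use.
        """
        if not passkey_verified:
            return False
        token = self._current.get(user)
        if token is None:
            return False
        ok = self._legacy.login(user, token)
        if ok:
            self.provision(user)  # rotate: the token just used is now dead
        return ok


def demo() -> tuple:
    """Walk through one rotation and return (first_login, replay_of_old_token, second_login)."""
    legacy = LegacySystem()
    broker = PasswordlessBroker(legacy)
    broker.provision("alice")
    captured = broker._current["alice"]  # simulate a one-time exposure of the token

    first = broker.login("alice", passkey_verified=True)
    replay = legacy.login("alice", captured)  # captured copy against the legacy system
    second = broker.login("alice", passkey_verified=True)
    return first, replay, second


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

Run it and the tuple shows the property that matters: the first passkey-backed login succeeds, replaying the token that was valid a moment ago fails, and the next login succeeds with a token the user never saw. The broker is the new trust boundary, so its own storage and the channel into the legacy system are what now need protecting.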
“As long as it’s API-based authentication, it’s up to us to tailor it and make it work without passwords,” Finkelstein says, arguing that passwordless has become a fait accompli due to industry pressures. “You’ll end up doing passwordless anyway due to compliance demands, cyber insurance requirements or a breach that will make the next guy do it.”
Another complicating factor for passwordless deployment involves dealing with critical equipment partners — such as POS providers for retail — who themselves have yet to embrace passwordless. If they deliver systems that still require passwords, it is sometimes difficult for enterprises to work around that.
Erik Avakian, a technical counselor at Info-Tech Research Group, equates some of the passwordless decisions to those CISOs have already made with multi-factor authentication.
MFA is not a technology but a series of authentication mechanism options. Some of those options — such as FIDO2, passkeys, or even authenticator apps — are relatively robust while others, especially unencrypted SMS, are comparatively weak.
Many enterprises proudly say they support MFA, but by not focusing on how robust their MFA mechanism is, they miss the point and rob their businesses of the protection MFA is meant to provide.
The same problem exists when choosing the various authentication options within the passwordless umbrella, Avakian says. “We have to learn the lesson of MFA” and not favor convenience over protection, he opines. “There is the security piece and the user experience piece.”
“On paper, passwordless sounds very simple, but in practice, organizations oftentimes can hit roadblocks because their environments are far more heterogeneous than they realize, or the people culture in the organization presents challenges to big changes when it comes to well-baked-in processes that have been in place for a long time,” Avakian points out. “In many ways, moving towards passwordless is very much like how most organizations are approaching their efforts to move toward a zero trust model — a multi-year, multi-phase journey rather than a single flash-cut event.”