Why we’re going 100% passwordless at Okta
Ten years ago, security experts declared the first Thursday in May a new holiday. World Password Day was meant to serve as a helpful annual reminder for people to change their passwords. It was also a tacit admission of one of passwords’ fundamental flaws: To remain effective, they must frequently be changed.
In the decade since, the login landscape has only grown more complex. Security threats have matured, with phishing attacks rising and growing more sophisticated. Meanwhile, password rules have become more demanding, with ever-changing requirements around special characters, capitalization, and length. Understandably, many users report feeling frustrated by the complicated rules around passwords and overwhelmed by the sheer number of usernames and passwords they have to manage.
There have been incredible innovations in authentication in recent years, but here we are in 2023, still struggling with passwords. With all their security and usability limitations, why do they have such staying power? And what might a future look like without them?
The stubborn resilience of passwords
As Okta’s Chief Information Officer, I’ve seen firsthand the resilience of passwords, even as more and more of our Okta workforce users embrace high-assurance and phishing-resistant solutions. Our customers have offered a few explanations:
- Passwords pose an accepted risk. For all their flaws, passwords today are a known entity. IT teams know how to implement and manage them. End users know how to create, recover, and reset them. For businesses who want to meet their customers and users where they are, the familiarity of passwords can outweigh their risks. They’re defensible, if imperfect.
- Alternatives are unclear. Organizations might also be unfamiliar with other approaches to authentication. Going passwordless might seem more like some future utopian state than a viable option today. And they simply may not know how to get started on a new path.
- Transformation is hard. Change always involves some friction. Migrating from a password-based authentication approach to something else would take time, engineering effort, and an evolution of user behavior. For some decision-makers, the resistance to change is just too strong.
Our path to passwordless
Despite considerations like these, at Okta we decided to embark on our own passwordless journey more than a year ago. And while we’re not 100% there yet, we’ve certainly learned some lessons along the way.
Phishing resistance has business value
With their susceptibility to phishing attacks, passwords present a constant security challenge. This can be costly for businesses like ours, which have to spend significant time and money just discovering and handling these phishing threats. In fact, the average cost of a phishing-based data breach reached $4.91 million in 2022, according to IBM.
In contrast, passwordless flows are inherently phishing resistant, because by definition there are no passwords for bad actors to intercept. Businesses can reclaim all the time and money they might otherwise have to spend mitigating phishing attacks. In other words, going passwordless can deliver real business value.
Security vs. usability is a false choice
It’s conventional wisdom that more secure authentication comes at the expense of the user experience. But by going passwordless, we’re providing a better experience for our Okta employees and customers. By removing passwords from the authentication process, we can save users time, reduce frustration, and lower login failure rates.
A forthcoming Okta report based on our own data supports these claims. Okta manages a lot of logins, and we’ve observed that when people use Okta FastPass — our phishing-resistant passwordless authenticator — to log in without a password, they can do it in less than a third of the time it would take with a password. Password-based logins at work also fail over 8% of the time, compared to just 1.6% for logins with FastPass — an 80% improvement.
Getting to 100%
We’ve made great progress on our own journey to passwordless at Okta, a journey that involves updating all of the apps and services we use to be consistent with phishing-resistant policies. These policies require end users to use at least one phishing-resistant factor, such as WebAuthn or Okta FastPass, to log in to their resources. We keep close track of our progress, and today we’re more than 80% of the way to fulfilling this critical goal.
Steps we’ve taken so far include:
- Partnering with our Security team to roll out new Zero Trust architecture (ZTA) features like Okta Devices and Okta ThreatInsight, allowing us to continually monitor the security of users and devices
- Redefining our authentication policies to use enriched signals and prioritize phishing-resistant factors
- Aligning with our Product and Engineering teams to highlight any current platform gaps that might hinder us from getting to 100% passwordless, phishing-resistant login flows
Supporting customers on their own journeys
Ultimately, we want to enable both our Okta workforce and our customers to go completely passwordless. We’re doing that with new products and solutions like Okta FastPass. And the platform improvements we’re making on our own journey to passwordless should make the path forward much easier for our customers to navigate.
We’ve added new platform features to:
- Simplify the bootstrapping of phishing-resistant credentials
- Address phishing-resistant flows across all major desktop and mobile platforms
- Continue offering a technology-neutral platform with a wide variety of partner integrations that is flexible enough to meet each customer’s passwordless requirements
We’re also developing a playbook of our Path to Passwordless that we plan to share with our customers to help inspire and guide them on their way.
Moving passwordless forward
Internally, I’ve received overwhelmingly positive feedback from our employees about our passwordless approach. They find it far more convenient, for example, to use their fingerprint with Okta FastPass to access their apps and accounts, particularly when traveling.
Biometric authentication like this can also pair well with high-assurance, phishing-resistant sign-on policies using the platform authenticator — like Touch ID, Face ID, or Windows Hello — via a standards-based Identity flow using WebAuthn or Okta FastPass, for example.
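Why a WebAuthn flow of the kind just described resists phishing, as an added example that is not Okta's code or part of the original post: the browser binds every assertion to the page origin and the relying-party ID, so a credential exercised on a look-alike site carries the wrong origin and a wrong rpIdHash and is rejected before any signature is even checked. The relying party below (`example.com` / `https://login.example.com`), the sample assertions, and the placeholder signature are all constructed for this illustration. The code performs the relying-party checks from the WebAuthn assertion ceremony (ceremony type, challenge freshness, origin, rpIdHash, user presence, user verification for a biometric policy, signature counter) and returns the bytes the authenticator signed; verifying that signature against the stored public key is the caller's last step with a crypto library and is not shown here.

```python
import base64
import hashlib
import json
import secrets
import struct
from dataclasses import dataclass

# Hypothetical relying party, constructed for this example.
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://login.example.com"

FLAG_UP = 0x01  # user present (touched the authenticator)
FLAG_UV = 0x04  # user verified (e.g. Touch ID, Face ID, Windows Hello)


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


@dataclass
class AssertionResponse:
    client_data_json: bytes       # as produced by the browser
    authenticator_data: bytes     # rpIdHash(32) || flags(1) || counter(4) || ...
    signature: bytes              # over authenticator_data || sha256(client_data_json)


def check_assertion(resp: AssertionResponse, expected_challenge: bytes,
                    require_uv: bool = True, last_counter: int = 0):
    """Return (signed_data, None) on success or (None, reason) on failure.

    These are the binding checks that make the factor phishing resistant: the
    origin and rpIdHash are filled in by the browser from the real page, not by
    the user, so a session started on an attacker's domain cannot pass them.
    The caller then verifies resp.signature over signed_data with the stored key.
    """
    try:
        cd = json.loads(resp.client_data_json)
    except ValueError:
        return None, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return None, "wrong ceremony type"
    if cd.get("challenge") != b64url_encode(expected_challenge):
        return None, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return None, f"origin {cd.get('origin')!r} is not the relying party's"

    ad = resp.authenticator_data
    if len(ad) < 37:
        return None, "authenticatorData too short"
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return None, "rpIdHash mismatch"
    flags = ad[32]
    if not flags & FLAG_UP:
        return None, "user presence not asserted"
    if require_uv and not flags & FLAG_UV:
        return None, "user verification required but not asserted"
    counter = struct.unpack(">I", ad[33:37])[0]
    if last_counter and counter <= last_counter:
        return None, "signature counter did not increase (possible cloned authenticator)"

    signed_data = ad + hashlib.sha256(resp.client_data_json).digest()
    return signed_data, None


def make_assertion(origin: str, rp_id: str, challenge: bytes,
                   flags: int = FLAG_UP | FLAG_UV, counter: int = 1) -> AssertionResponse:
    """Constructed sample assertion (no real authenticator; placeholder signature)."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url_encode(challenge),
                              "origin": origin}).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([flags]) + struct.pack(">I", counter))
    return AssertionResponse(client_data, auth_data, b"<signature placeholder>")


def demo():
    """Genuine login passes the binding checks; the same credential exercised on a
    look-alike domain fails on origin (and would also fail on rpIdHash)."""
    challenge = secrets.token_bytes(32)
    genuine = make_assertion(EXPECTED_ORIGIN, RP_ID, challenge)
    lookalike = make_assertion("https://login.example-com.test", "example-com.test", challenge)
    return check_assertion(genuine, challenge)[1], check_assertion(lookalike, challenge)[1]


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: challenge, origin and rpIdHash are cheap and fail closed, so a forged or relayed assertion is rejected before any public-key operation, and the returned `signed_data` is exactly what the signature must cover, which keeps the final verification a one-line call into whatever crypto library the deployment already uses.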
Despite the growing number of innovations like these, most Identity and Access Management solutions today are still at least partially dependent on passwords. Embracing passwordless will get easier as platform vendors and device manufacturers align on standardized flows for recovery, issuance, and non-proliferation. And consumer-centric technologies like passkeys will help further democratize the use of passwordless credentials, much like how Touch ID and Windows Hello democratized biometric authentication.
As IT leaders, we can’t be stagnant or fearful of a world without passwords. Instead, we must move on from the past, adopt new practices, and evolve. By doing so, our organizations can start enjoying the benefits of passwordless systems: better user experiences, higher productivity, lower support costs, and of course, enhanced security.
Learn more about how to go passwordless with Okta, and watch our World Password(less) Day roundtable below.