The real value of passwordless authentication

Earlier this year, Okta announced we’re going 100% passwordless, updating all of the apps and services our workforce uses to be consistent with phishing-resistant policies. Towards that goal, we're making great progress. Each week we analyze thousands of authentication events triggered by our workforce. And this past week, fewer than 2% of those events were password-based, making Okta, as of this writing, 98% passwordless.

We’re not alone on this passwordless journey. The drive toward passwordless authentication flows is gaining momentum across all sorts of technical and user landscapes. In fact, Forbes predicts that by the end of 2023, “80% of Fortune 500 companies will have formalized and budgeted” passwordless auth projects. But what’s motivating this movement? 

There are two major benefits to the passwordless push. The first centers on the user experience, and all of the advantages of being liberated from the password. The second involves your security posture, which can be significantly improved by eliminating passwords as an attack vector. Both benefits are substantial, but neither alone paints the full picture of why so many organizations are evolving their authentication approaches. 

The trouble with passwords: reusable, phishable, and expensive

Let’s review why the password is so problematic. First, passwords are reusable. Though a best practice is to use a password manager and store unique, complex passwords for each website and service, this fails in practice. The reuse of passwords can make a single incident more dangerous, as the breach of one vendor, or the successful phish of one website, can spread to others. Yet, password reuse is rampant. In a recent survey by Bitwarden, 84% of respondents said they reuse passwords, and more than half said they reuse them across 5 or more sites.

Second, even if we consider ourselves as rare “diligent flossers” of password hygiene, passwords remain phishable. Phishing is when an attacker uses social engineering to obtain secret user data. Person-in-the-middle attacks, brute force attacks, credential stuffing, and replay attacks are all examples of phishing attacks. Unfortunately, these risks are on the rise: according to Perception Point, phishing attacks surged 41% in the first half of 2023 over the previous six months.

Finally, and partially for the reasons outlined above, passwords are expensive to maintain. Consumers have to spend time managing their passwords and, even then, phishing can make such efforts moot. In addition, password issues, and the help desk tickets that resolve them, cause organizations big dips in workforce productivity. In fact, according to Beyond Identity, these issues are costing companies roughly $480 per employee annually.

Navigating a path to passwordless

In short, in the varied history and technology of authentication, passwords are arguably the weakest option. But will getting rid of passwords solve everything wrong with modern auth? Not quite; alternative approaches have their own limitations to consider.

For example, hoping to mitigate the risks of passwords or eliminate them from authentication flows, many organizations today require users to log in via multi-factor authentication (MFA). This is certainly a step in a more secure direction. But some types of MFA factors, like SMS messages, are not necessarily phishing resistant.

SMS has achieved global ubiquity as an authentication technology, growing increasingly common on the customer Identity side of the house. It also represents a significant improvement in Identity security compared to the password-only baseline. In the workforce however, SMS has been considered a low-assurance out-of-band authenticator for years. And since the consequences of phishing incidents can be enormous in a workforce context, authentication methods must be more robust.

So why do some organizations still allow methods like SMS? It’s the understanding that we meet our users where they are: in their own user experience and risk tolerance. MFA that involves SMS as a factor is still more secure than password-based auth alone. It just may be an acceptable interim step toward our ultimate goal—phishing resistance.

Pairing MFA with phishing resistance

A workforce implementation removing passwords but replacing them with SMS or push notifications may indeed improve the user experience. However, ensuring that a phishing-resistant factor is required for all resource access takes that security posture to a new level. 

Phishing-resistant technologies can enhance multi-factor authentication by adding an additional layer of security, compounding and reinforcing baseline MFA and inoculating the flow against phishing attacks. This can be done with mechanisms demonstrating user intent at time of access, such as requiring a biometric check to continue the authentication flow. Another common mechanism is removing the need for a shared secret by using public key cryptography. WebAuthn, built upon the FIDO2 standard, is among the most visible examples of this approach. 

Of course, it’s no small task to make phishing-resistant, passwordless technologies successful in a workforce implementation. Major administrative challenges around Identity verification, activation, and recovery of phishing-resistant credentials still remain. However, as the Identity security industry continues making major strides, there’s an exciting opportunity ahead. The implementation and operation of these technologies is leaning towards simplification. 

Looking to the future of workforce security

In the end, the user experience will drive adoption of these solutions. Consumer behavior frequently influences the technologies adopted within the enterprise, especially those pushed by device manufacturers. 

One example is passkeys. There have been (and will continue to be) gallons of ink spilled on some of the “controversies'' behind passkeys. However, their wide adoption in customer Identity will do much to improve user experience and security. And although WebAuthn passkeys complicate the workforce use case (e.g., the private keys of passkeys can be shared across devices and even shared with others), they remain a significantly more phishing-resistant solution per the FIDO Alliance. Don’t be surprised that passkeys will likely become increasingly common in workforce implementations.

As you seek to move your organization or business to passwordless technologies, be sure to keep in mind why you’re doing so. The user experience improvements can be great, and will no doubt be a boon for customer use cases. But let’s not get so hung up on rooting out passwords and enabling the passwordless experience that we lose sight of the principles we’re pursuing by removing them. “Going passwordless” is but one vehicle—phishing resistance is the destination we’re all striving toward.

If you’re just getting started on your journey towards enhanced security, we’ve created several resources to help. Dive deeper into the benefits of going passwordless with our Move Beyond Passwords whitepaper, which explores evolving user preferences and new approaches to both customer and employee authentication. For more tactical advice on leaving passwords behind via solutions like MFA, WebAuthn, and Okta FastPass, download our guide, How to Go Passwordless.