Can enterprise security go passwordless by 2025?

Frederik Mennes,

In an age where digitization and remote work have become the norm, organizations worldwide face a number of concerns surrounding dispersed workforces. The most pressing: cybersecurity.

The current state of data security should sound some alarms: 74% of all data breaches now include an element of human error, costing an average of $4.5 million globally. With basic password hygiene still not up-to-speed, it’s clear the world has not adjusted to staying secure in the era of remote work.

Dispersed workforces, coupled with the rapid digitization of business operations, demands a rethink from CISOs. For remote collaboration between employees to remain safe, the industry needs a more reliable form of authentication that eliminates traditional passwords to verify users. It’s a big reason why experts predict that more than half of the workforce and over 20% of customer authentication transactions will be passwordless by 2025. That’s a significant increase from less than 1 in 10 today.

The current threat landscape and shift to passwordless  

Today, organizations face a more threatening array of security concerns than ever before, and the average CISO faces immense pressure to safeguard the business. For instance, phishing attacks are still one of the most common and persistent methods of social engineering and account takeover schemes globally, posing significant risks even to tech giants like Facebook and Twitter.

When it comes to phishing attacks – which deceive people into clicking malicious links to provide confidential information to criminals – relying solely on e-mail security software for prevention has become a challenge. False negatives will always exist, providing cybercriminals with a way around prevention measures.

Traditional authentication such as passwords no longer offer effective protection against current threats. At the same time, more secure products like digital signatures combined with public key certificates in a public key infrastructure (PKI) often present implementation or usability challenges. In this setting, passwordless authentication emerges as a viable alternative, providing defense against evolving threats combined with enhanced usability.

Advancements in authentication methods

Passwordless authentication methods have the capability to mitigate security risks by eliminating vulnerabilities associated with password-based credentials. It’s the case because passwordless products do not rely on static passwords. Instead, they generate dynamic authentication codes that have a limited lifetime and can be used only once, or are based on unique human biometric characteristics, such as fingerprints.

Even more, the strongest forms of passwordless authentication methods offer phishing resistance, effectively guarding against phishing attacks and threats related to credential theft. This promises to reduce the risk of breaches and unauthorized access. A prime example of phishing-resistant, passwordless authentication methods are those based on the standards of the FIDO Alliance, a global industry alliance of leading authentication technology vendors.

Such authentication methods offer an extra layer of security, and also adapt to emerging threats, simultaneously meeting regulatory requirements, and reducing authentication friction for users. Consequently, they enhance the overall user experience and promote a more secure environment for business operations and critical systems that store sensitive data. In various countries, such as the United States and Australia, they also contribute to compliance – ensuring organizations stay ahead of evolving cybersecurity regulation.

Such advancements in authentication are crucial for enabling a secure, flexible remote work policy. They empower businesses to reap the benefits of the dispersed workforce, while allowing CISOs to protect their organization without compromising on business continuity or data protection.

It’s important for a CISO considering the adoption of such systems to ensure that the implemented passwordless product adheres with data privacy regulations, such as GDPR or HIPAA, especially if it’s based on biometrics, such as fingerprint scans or face scans. Failing to do so could result in legal consequences, penalties, a tarnished reputation, and eroded end-user trust. Now, passwordless methods based on biometrics can leverage the biometric authentication systems present in today’s smart phones, such as Apple Face ID and Samsung Face Recognition. These biometric authentication systems operate fully client-side, avoiding the central storage of biometric data.

Finally, it’s important to consider establishing comprehensive user education programs to ensure a smooth transition and optimal system utilization. Developing a contingency plan with alternative authentication methods is also critical to safeguard against system failures and ensure continuous operation.

Passwordless authentication has advanced in reducing the risk of breaches, allowing CISOs to build future-ready and adaptable systems for their organizations. Phishing-resistant passwordless authentication systems such as those based on FIDO standards can also eradicate the threat of phishing.

With such products, they can safeguard corporate data, resources, and the wider workforce, while enabling a flexible workforce without compromising security. This can ensure a secure and user-friendly environment for dispersed workforces for 2024 – and well beyond.

This article by Frederick Mennes was first published by SC Media on February 22, 2024.

Digipass FX1 BIO Device

DIGIPASS FX1 BIO: Phishing-resistant, passwordless authentication for a secure workforce

Protect your workforce and safeguard data and applications from attacks with our latest FIDO authenticator with fingerprint scan.

Learn more

Frederik leads OneSpan's Security Competence Center, where he is responsible for the security aspects of OneSpan's products and infrastructure. He has an in-depth knowledge of authentication, identity management, regulatory and security technologies for cloud and mobile applications.