
2020 was a big year for the passwordless enterprise: Where is it headed to now?


From the security dynamics of remote work to continued security breaches and phishing campaigns, 2020 was an eccentric year that highlighted, more than ever, the skyrocketing need for better identity and authentication solutions in the business sector. As we look back at a year rife with threats to enterprise companies, it is a good time to examine the advances in passwordless authentication and the upcoming uses of this technology to protect companies from cybersecurity threats.

The Covid-19 pandemic

From Fortune 500 companies to small businesses, universities, and government agencies, the pandemic spared no industry the need to quickly restructure its operations and workflows for remote working conditions.

The problem was, these organizations were not ready for the security implications of remote work. But cybercriminals were. The global shift toward work-from-home saw a jump in social engineering campaigns and malware directed at remote workers, whose devices were no longer protected by the defenses of the corporate network.

The key targets cybercriminals have sought to capture are user credentials, obtained through phishing attacks, trojan viruses, keyboard loggers, and other malware. User passwords give them access to cloud applications, VPNs, and other corporate assets that were less exposed to illegitimate outsiders before the pandemic.

Companies that had passwordless authentication and other strong user authentication policies in place were able to fend off most attacks. Those who relied on traditional passwords learned the hard way that a simple string of characters will not keep sophisticated criminals at bay.

The challenges of passwordless authentication 

For decades, getting rid of weak, stolen or repeated passwords, as well as the burden of securely creating and storing passwords, has been the dream of IT officers at companies and government agencies. Unfortunately, until recently, passwordless authentication had remained elusive for many organizations due to technical hurdles.

For instance, one of the key problems with passwordless authentication in the past was the fragmented vendor landscape. There were several available solutions, but they were not compatible with existing company systems and were expensive as well as hard to maintain. A company that adopted a certain passwordless authentication solution would have trouble making it work on the different applications, platforms, and operating systems it was using. Integrating the same passwordless authentication solution on cloud and on-premise assets, or deploying it on hybrid networks, remained too big of a challenge. And having reliable passwordless authentication that worked in both internet-connected and offline environments was impossible.

All in all, the total cost of ownership and the technical hurdles resulted in half-baked enterprise authentication solutions that defeated their own purpose and turned passwordless into a management nightmare.

Fortunately, many of these hurdles have been overcome in the past few years thanks to innovations and collaborations between different tech companies. And these efforts will undoubtedly be reflected in large scale recognition and adoption in 2021.

The evolution of passwordless authentication

Fortunately, the field has seen some positive developments in the past year. The FIDO Alliance, the consortium that aims to address the world’s password problem, declared FIDO2 and WebAuthn, two standards that support fully passwordless solutions. All major browsers, as well as mobile and desktop platforms, support FIDO2 and WebAuthn, which makes it much easier for consumer-facing companies to adopt passwordless authentication in their applications.

And after years of lagging behind consumer passwordless technologies, the enterprise world is picking up pace. Passwordless employee authentication was considered impossible in large organizations until recently, due to the large number of business systems, identity platforms and edge devices involved, not to mention deploying the solution for thousands of employees across several locations. Additionally, IT managers were rightly concerned about the reliability of passwordless solutions when it came to real-world scenarios employees face such as being offline, losing a smartphone or misplacing a security dongle. But things have changed dramatically in 2020. 

Now, many developers of enterprise authentication technology have integrated the FIDO2 and WebAuthn standards into their solutions to enable better flexibility and compatibility with modern web services. Some have also developed entirely new capabilities that enable passwordless functionality on old and almost forgotten legacy systems (which still serve as critical infrastructure for many large enterprises) and that integrate with all common IAM and directory services. This concerted effort has considerably lowered the barrier to entry for passwordless authentication, which is especially fortunate at a time when companies are struggling to secure their remote work infrastructure.

Partnerships between security vendors have also made it easier for enterprises to integrate passwordless authentication technologies to cater to different environments, devices, and operating systems and provide a unified and seamless experience to their users. We expect more of these integrations and partnerships to come to fruition in 2021.

Regulatory pressure

Apart from business needs, technical requirements, and end-user preferences, enterprises and organizations now have a legal responsibility to conform to a set of security standards when handling digital identities and customer data.

From GDPR in Europe to CCPA in California, similar regulations are cropping up in different areas of the world as companies face increasing pressure to prevent digital identities from being accessed and hijacked by malicious actors. And organizations that deal with sensitive data and operations, such as those in health and finance, have their own sets of regulatory standards, such as HIPAA and PCI-DSS.

The common denominator among all these regulations is the need for strong authentication mechanisms. Many agencies, enterprises, and organizations are now legally required to implement multi-factor or passwordless authentication to avoid threats such as phishing, credential stuffing, and man-in-the-middle attacks. 

Regulations on strong authentication will probably become more stringent as we move forward, so enterprises would be wise to consider passwordless to protect their data, customers, and reputation.

Passwordless authentication in 2021

So, can we expect passwords to disappear in 2021? Probably not. We’re still going to see huge data breaches made possible by weak passwords and inefficient password policies. But the movement to eliminate passwords is real, especially in the enterprise authentication landscape, and it is gaining momentum with every passing day.

And hopefully, with the help of better and more mature solutions and industry-wide collaboration, it is easier than ever for enterprises to adopt passwordless authentication. Those who make the smart move and join the passwordless movement will be the winners of 2021. Those who don’t will risk having their names on the feared lists of breached companies.

Shimrit Tzur-David, CTO and Co-Founder, Secret Double Octopus

Shimrit holds an MSc and PhD in Computer Science from the Hebrew University. Her research has primarily focused on PKI, cryptography, anomaly detection, web attacks, DDoS, and intrusion detection and prevention systems. During her PhD, Shimrit was a consultant for Check Point and Marvell Semiconductor, and designed an intrusion detection system product there.