Enterprises continue to feel threatened during the pandemic, with many feeling targeted. This, along with remote work and the associated loss of productivity from password problems, is driving increased adoption of passwordless technologies. Going forward, organizations are extremely bullish on adopting passwordless authentication.
The purpose of this research is to understand the state of workforce passwordless authentication and the motivations and results when organizations transition to passwordless authentication. Based on the experiences of organizations represented in this research, passwordless authentication can help remediate many concerns around cybersecurity posture caused by password and traditional MFA authentication approaches, sustained cyber threats and pandemic shifts to greater remote work.
Organizations that have adopted passwordless authentication say the main motivation was to improve the end-user experience and operational efficiency. The growing remote workforce also influenced these organizations’ decision to adopt passwordless authentication.
A key takeaway regarding economic efficiencies is that the use of passwordless authentication can reduce the financial consequences of attacks involving employees’ passwords and help desk costs due to password problems or resets by an average of $1,871,780 over a two-year period.
With sponsorship from Secret Double Octopus, Ponemon Institute surveyed 663 IT and IT security professionals in the United States. All respondents are familiar with their organizations’ approach to employee authentication and have some level of involvement in managing and making decisions about their organizations’ IT security strategy.
The following findings reveal the state of workforce passwordless authentication, its drivers and benefits:
- Phishing attacks are pervasive. Phishing is the number one password-based attack according to 63 percent of respondents. An average of only 44 percent of all phishing emails are detected.
- The shift to a remote workforce during the pandemic is driving the adoption of passwordless authentication. Fifty-five percent of respondents say their organizations use passwordless authentication for at least some use cases. Of these 55 percent of respondents, 79 percent say a growing remote workforce influenced passwordless adoption.
- Remote working negatively affects employees’ and help desk productivity. Another reason to adopt passwordless authentication is that 75 percent of respondents say password authentication issues caused by remote working have increased employee downtime. Seventy-four percent of respondents say it has decreased the productivity and increased the stress of the help desk team.
- Organizations stand to save significant costs in both breach-related financial expenses and productivity with passwordless authentication.
- Adoption of passwordless authentication is gaining traction. Forty-five percent of respondents say their organizations exclusively use conventional passwords. However, 66 percent of these respondents expect to adopt passwordless authentication: in the next six months (33 percent), within the next year (21 percent) or within the next two years (12 percent).
Part 2. Key Findings
In this section, we provide a deeper analysis of the research findings. The complete audited findings are presented in the Appendix of this report. The findings are organized according to the following topics.
- Concern and vulnerability run high with respect to password-related cyber threats
- Remote work shifts are driving passwordless authentication adoption amidst security and productivity challenges
- Passwordless authentication cost savings totaled an average of $1.9M over 2 years per organization
- Opportunity and optimism remain high around passwordless authentication
Concern and Vulnerability Run High with Respect to Password-related Cyber Threats
Phishing is the most prevalent password-based attack. Some 63 percent of respondents say their organizations had attempted or successful phishing attacks in the past two years. However, according to the research, cybersecurity teams can detect an average of only 44 percent of phishing emails. Seventy-one percent of respondents say phishing emails and employees’ misuse of passwords are increasing the risk of a targeted and successful attack.
Organizations also experienced ransomware (57 percent of respondents) and credential stuffing or dictionary attacks (57 percent of respondents).
Remote Work Shifts Are Driving Passwordless Authentication Adoption Amidst Security and Productivity Challenges
The remote workforce is weakening organizations’ security posture. Respondents say a remote workforce reduces the security of the cloud infrastructure (60 percent), makes connections to the domain less secure (56 percent) and increases the attack surface (49 percent).
The help desk is not immune from password authentication problems created by remote working. Some 74 percent of respondents say remote working has significantly decreased the productivity and increased the stress of help desk workers (40 percent) or has decreased their productivity and increased their stress (34 percent).
Passwordless Authentication Cost Savings Totaled an Average of $1.9M Over Two Years
Passwordless authentication significantly reduces the economic loss due to attacks involving employees’ passwords. Organizations with conventional authentication methods averaged $5.6 million in total economic loss from attacks involving employees’ passwords over the past two years vs. $4.2 million in organizations with passwordless authentication. Respondents were asked to include IT costs, downtime, lost business, damaged reputation, fines and legal fees, stolen proprietary data and ransoms paid in the total cost.
Opportunity and Optimism Remain High around Passwordless Authentication
In this section, only organizations that have adopted passwordless authentication are represented. In the context of this research, authentication is defined as the process of verifying the user’s identity by asking for a secret (e.g., password), possession of an item (e.g., USB dongle) or an inherent attribute (biometrics). Passwordless authentication is any authentication method that does not require users to know their password.
Most organizations are still dependent upon traditional passwords at some level. However, 55 percent of respondents say their organizations use passwordless authentication for most or all use cases (11 percent), some use cases (19 percent) or only for specific use cases (25 percent).
Almost half of respondents rate the user experience and security of passwordless authentication far higher than conventional passwords. Respondents were asked to rate the quality of the user experience using passwordless authentication and conventional passwords on a scale from 1 = low quality to 10 = high quality. They also rated the security from 1 = low security to 10 = high security. Figure 15 shows the 7+ responses on the 10-point scale.
We found that 47 percent of respondents rate the quality of the user’s experience with passwordless authentication as high. However, only 26 percent of respondents rate the quality of conventional passwords as high.