Passwordless authentication is a “viable concept” for more than half (54 percent) of cybersecurity experts, while 79 percent agree that passwords are evolving or becoming obsolete, according to a new survey of attendees of the 2023 BlackHat USA cybersecurity conference.

Biometrics has become a popular choice for protecting passwords among cybersecurity experts: The majority of respondents (73 percent) said that they use multi-factor authentication (MFA) as an additional authentication method to secure their credentials and identity, with 57 percent saying that they use an authenticator app and 40 percent opting for biometrics.

Passkeys are also gaining traction, with 21 percent of respondents saying they already use them.

The poll was conducted by California-based access management company Delinea.

The survey is hardly representative of the wider business population. Delinea interviewed 100 business hall attendees of the cybersecurity conference, held last week in Las Vegas, U.S., including security team members, executives and IT administrators. But for Delinea’s Chief Security Scientist Joseph Carson, the poll shows that “passwordless” is becoming more than a marketing term, with easier additional forms of authentication pushing passwords into the background.

“This takes on increased significance when 75 percent of respondents also acknowledged that the fastest way to get access to a network is through social engineering or stolen identities and passwords,” says Carson. “The quicker organizations and end users alike can evolve their identity and access security beyond passwords, the safer we’ll be as a society.”

Not everyone is satisfied with current passwordless solutions, however, with some experts warning of misconfigurations and hidden app vulnerabilities.

Speaking during the BSides meetings, organized on the sidelines of the BlackHat Conference, Aldo Salas, application security lead at Hypr, noted that some passwordless implementations can be poorly configured, cybersecurity trade publication SC Media reports.

“Passwordless is not less secure than passwords,” Salas says. “But there are vulnerabilities, and nobody is talking about them.” Following the WebAuthn specification, for example, does not guarantee the security of access credentials.

Poor coding practices are also a major reason why security flaws can be missed during vulnerability scans and software composition analysis (SCA), according to Yotam Perkal, head of vulnerability research at Rezilion.

