The authentication sector is betting on passkeys, but passwords refuse to go away
The results of the 2023 Workforce Authentication Report are out, and show employers eager to move beyond passwords and embrace passwordless authentication through biometrics or other means. But conflicting data shows that what IT leaders are saying and what companies are doing are not necessarily aligned.
The FIDO Alliance, whose advocacy for passwordless technology is a driving factor behind uptake in passkey support, partnered with the password manager company LastPass on the 2023 report, which showed 89 percent of leaders “expecting passwords to represent less than a quarter of their organization’s logins within five years or less.” Ninety-five percent have already implemented a passwordless experience, and 92 percent have “a plan to move to passwordless technology.”
Respondents agree that passkeys will increase overall security, specifically helping to reduce the volume of unofficial applications. Passkeys match two encrypted components, such as biometrics, which are stored separately on the cloud and locally on the device.
“The move towards passwordless authentication has gained steam over the past few years as an increasing number of organizations have moved to eliminate the risk and liability of passwords,” says Andrew Shikiar, executive director and CMO of the FIDO Alliance. “Today’s report backs up this trend by illustrating that global IT leaders are rapidly aiming to reduce their reliance on legacy forms of authentication in favor of passkeys for user-friendly, phishing-resistant sign-ins.”
Face and fingerprint biometrics now an option for Apple passkey authentication
Both iOS and Android users have new passkey options for sign-in, with Apple enabling passkeys through Face ID and Touch ID authentication. A post on 9to5Mac reports that with the availability of new iOS updates, Mac users can now authenticate themselves on any Apple site on the web without the need for a password. On any device running iOS 17, macOS Sonoma or iPadOS 17, a user’s Apple ID will automatically be assigned a passkey for use on iCloud and Apple sites.
A QR code option will also allow users to activate Face ID and Touch ID authentication via their iPhones for non-Apple devices.
Enpass improves security with synced passkeys for Android 14
Enpass was among the first password managers to take advantage of Apple’s new passkey capability, and is also launching passkey management for Android. The firm announced in a release that the introduction of Android 14 enables Enpass’s synced passkey technology, which can generate a passkey that allows users to log into any of their devices.
Enpass promises a more personalized security setup, which allows users to select where encrypted passwords and passkeys are stored and synced, rather than defaulting to a proprietary cloud server that aggregates user vaults in one digital location, making them more vulnerable to hackers.
Enpass says its vaults can be stored in the cloud or exclusively on personal devices, syncing directly through Wi-Fi, which the company says enhances security.
Enpass says that, with its unique vault system, hackers looking to target an individual would have to select them personally (versus attacking a central server), know which cloud services they have chosen and the credentials for those accounts, pass MFA, and know their Enpass master password.
Passwords refuse to take the hint, remain popular
Passkeys are popping up everywhere, but a new S&P Market Intelligence report from Keeper Security says not to believe the hype. In a release, the cloud-based cybersecurity software provider said that, according to the S&P report, “username-password combinations are still the most widely deployed form of authentication deployed in organizations (58 percent). The next most popular forms of authentication are mobile push-based MFA (47 percent), SMS based MFA (40 percent) and biometrics (31 percent).”
“Passwords continue to reign supreme as organizations struggle to balance security with simplicity, cost of ownership and flexibility – particularly in hybrid working environments,” says Darren Guccione, the CEO and co-founder of Keeper Security. “SSO and passwordless authentication – although effective – are not universally supported, and therefore create security holes that leave organizations vulnerable.”
“While passkeys present enticing security benefits, websites have been slow to support them for a variety of reasons. With more than a billion websites in existence, there is a long path ahead for any passwordless option to become ubiquitous.”
These findings aren’t totally out of line with the FIDO Alliance’s report, which, despite the avowed enthusiasm for passwordless tools, shows a majority of respondents (55 percent) feeling they need “more education on how passwordless technology works and/or how to deploy it.” Most are also still using phishable authentication methods. At 76 percent, passwords continue to dominate the rankings.