going passwordless

Whilst we may hear about tech giants, such as Google and Github, running passwordless trials, the reality for CTOs and IT Managers working in small and medium sized businesses is that the journey to enabling a passwordless organisation is often a long, expensive, and lonely one.

Creating a realistic, yet watertight, workspace security policy is complex and multi-faceted. It requires a cultural shift across all teams, investment from the organisation into new technologies and devices, and extensive training for staff to be able to make use of new security tools. 

We are beginning to see some organisations introduce elements of passwordless, such as multi-factor authentication (MFA) or Single-Sign-On (SSO) to mitigate the risk of a cyberattack. However, a significant proportion are operating with inadequate protection in place, leaving themselves vulnerable.

Weakening defences

The government’s 2023 cyber security breaches survey found that password policies in UK businesses have experienced a decline, reaching 70% in 2023 compared to 79% in 2021. This decline tells a much bigger story.

Employees are the front-line of cybersecurity defence for any organisation. As fewer businesses are prioritising best practices for password creation, this poses a much bigger question regarding the perceived importance of user security within businesses.

Research from LastPass also found that, while 65% of professionals have received some form of cybersecurity education, 62% almost always or mostly use the same or a variation of a password demonstrating the need for technology to carry some of the responsibility of keeping users secure, without adding friction to their digital experience.

The consequences for organisations neglecting cybersecurity measures can be severe. Of those that identified breaches or attacks, the single most disruptive breach from the last 12 months cost each business, of any size, an average of approximately £1,100. This increases to £4,960 for medium and large businesses. Alongside the financial repercussions, cyberattacks can result in customer data being compromised, causing significant reputational damage and affecting customer trust and relationships.

How should organisations approach the passwordless transition?

Gartner predicts that half of workforce logins and a fifth of consumer logins will be passwordless by 2025. Yet, current progress suggests we’re a long way off achieving this. This is, in part, because passwordless is a daunting prospect for many IT leaders, especially as there’s no official blueprint of what it looks like and how it should be done.

Selecting the best tools or technologies can be overwhelming due to the varied range of solutions available. Creating a strategy to secure high risk individuals first and then working from the top down, allows businesses to create a gradual passwordless journey. A gradual approach allows for phased financial investment and ensures support at every level of the organisation, creating a cultural shift internally towards cybersecurity best practice.

Identifying the organisation’s long and short-term drivers for going passwordless and defining objectives will also help to design the roadmap with key milestones along the way. Mapping investment milestones such as device upgrades and security tool requirements will help to make going passwordless a possibility.

Milestones can include the creation of a password policy and investment into a password manager, before investing in products such as MFA identity and access management solutions (IAM) as offered by Keeper, Yubico and Okta. Once these elements are in place, businesses can start to consider passwordless and biometric security. An audit of the devices held across the business will help decision-makers to identify if machine upgrades are needed to enable the final phase of the process.

Taking steps towards the end goal

Admittedly, a fully passwordless future is not always realistic or achievable. Password management is an important part of identity strategy that IAM platforms and MFA doesn’t address. However, with the password remaining one of the weakest security methods, we can significantly reduce (if not remove altogether) the risks associated with an attack based on user credentials if we abolish it completely.

Once an organisation has identified and decided on the best route to passwordless, clear instructions and training are essential for employees to help them with the required set-up and daily processes. Introducing a deadline by which all employees should switch to the chosen passwordless solution will give both everyone a clear idea of the expectations, but make sure individuals know how they can access help and support. Open dialogue and feedback are key to a smooth transition.

However, it’s important to be realistic about the transition period and roadblocks teams may encounter on the way, which will naturally vary from organisation to organisation. While the road to a passwordless environment may not be a fast or straight-forward one, it’s one that more organisations will need to consider, and increasingly, an area in which they can’t afford to be left behind.