Want Passwordless to Succeed? Make It Easy
The Promise of Passwordless
If you've been following the evolution of passwordless, you've likely read countless blog posts and whitepapers pondering the promise of this technology. The pitch is relatively simple: passwords are insecure and inconvenient, so let’s get rid of them. We shouldn’t necessarily trivialize this promise. Passwords are insecure. They provide a time-tested avenue for bad actors to compromise accounts and gain unauthorized access. As the Verizon Data Breach Investigations Report perennially points out, compromised credentials play a role in the majority of breaches. Passwords are also inconvenient. Password length, complexity, and rotation requirements have only gotten more stringent in the past ten years, leading to headaches for end users and help desks alike.
Before continuing, it should be noted that not all passwordless is the same. “Getting rid of the password” could be as simple as removing the password field and asking for username only — which is obviously highly insecure. While secure passwordless technology removes the password, it does so by replacing it with stronger factors like device identity or biometrics. If you’re interested in learning more about the technical ins and outs of passwordless, Duo’s own Jeremy Erickson has written an extensive Administrator’s Guide to Passwordless — a great resource for those looking to dive into passwordless in all its glory.
IT Administrators and End Users Are Intrigued by Passwordless
However, let’s return to the problem at hand. Just because industry thought leaders and security vendors agree on a premise (like the value of passwordless), that doesn’t mean IT decision makers or workforce end users feel ready or willing to transition to a new technology. To get to the bottom of this, Duo conducted a global survey of both IT professionals and end users to gauge their attitudes when it comes to passwords and a potential transition to passwordless. The survey covered ten countries worldwide and had thousands of respondents. The findings were quite interesting.
To start, end users are largely in agreement that passwords are inconvenient. Fifty-one percent of respondents noted that they forget and reset a password at least once a week. Furthermore, they may not always practice the most secure habits. Fifty-seven percent of respondents noted that they reuse passwords across multiple sites, and 78% of respondents create new passwords by adding a number or symbol to the end of an old password.
Perhaps more interestingly, users seem more ready for a passwordless future than you might expect. Sixty-nine percent of respondents noted that they felt comfortable using their fingerprint in place of a password to log on. Additionally, 78% of end users already use at least one device in their daily lives with biometrics enabled.
When it comes to IT decision makers, they too are officially tired of passwords. The IT respondents spent an average of an hour and 15 minutes each week dealing with password resets and issues. Nearly half (46%) also noted that compromised credentials were a top security priority for them.
It also turns out that IT decision makers eagerly await a passwordless future. Fifty-two percent of respondents are actively considering implementing passwordless in their environments today.
Chief Concerns: Deployment and End User Training
These findings clearly indicate that end users and IT decision makers are intrigued by the potential of passwordless. However, that doesn’t mean making passwordless a reality is a slam dunk. The survey also illuminated some serious concerns about transitioning away from passwords.
End users did express anxiety around their biometrics being stored and housed by private companies. It’s also true that, while 78% of end users have a device with a biometric enabled, it may not be one they can use for authentication at work — and there are still about a quarter of folks who wouldn't be able to use a biometric-based passwordless solution at all.
IT decision makers worry about the deployment of passwordless. Yes, there are potential benefits — but many have already encountered issues with passwordless authenticators integrating into their environments. Passwordless solutions that work for certain applications or devices, but not their entire environment, also posed challenges.
Passwordless Priorities at Duo
At Duo, we understand the promise and potential of passwordless to improve security and offer end users a streamlined experience. However, we’re also taking to heart the concerns of end users and IT decision makers as we develop our passwordless authentication solution. We’re not positing that every company can go fully passwordless tomorrow — that would be a huge oversimplification — but we have prioritized making it easy to take the first step.
First, we’ve ensured that our passwordless authentication is easy to set up and deploy. If passwordless is difficult or frustrating to enable, people won’t do it. It’s more than easy enough to continue with the status quo. Unless the passwordless path is relatively simple to start down and walk along, people won’t take it. At Duo, we’ve made sure that testing, deploying and maintaining passwordless in any environment is as easy as possible.
Second, we want to make it accessible for end users to understand and use. While folks may hate the idea of passwords, they’re definitely used to them. To make sure there’s minimal friction for end users, Duo will support many device types as passwordless authenticators. In addition, the enrollment process will provide easy-to-follow instructions as well as relevant information about the security and privacy properties of our passwordless solution. For example, to address concerns about companies storing fingerprints, we inform users that Duo will never store or keep a copy of their biometric. This way, end users feel comfortable making the transition to passwordless.
With each passing month, the promise of passwordless is becoming a reality. However, it’s important to remember that even though security professionals, IT administrators, and end users feel ready for passwordless, it’s our responsibility to make it easy to fulfill its promise. To learn more about Duo’s approach, explore our Passwordless solution page.
Duo’s Passwordless Authentication Resources
Explore our Administrator's Guide to Passwordless blog series
Learn more about our passwordless authentication solution
Read our white paper, Passwordless: The Future of Authentication
Watch our webinar, How Duo is Making Passwordless Progress Easier
Watch a Threatwise TV video that discusses and demos Duo passwordless authentication
Read a Cisco blog by Product Marketing Manager Ted Kietzman explaining why passwordless is just one part of a holistic security strategy