The future of MFA is passwordless

Secret Double Octopus and Dimensional Research surveyed over 300 IT professionals with responsibility for workforce identities and their security at organizations with more than 1,000 employees, in order to learn more about the state of workforce passwordless authentication and multi-factor authentication (MFA) usage.

Into the future with enterprise passwordless solutions

The survey isolated perceptions and adoption of newer FIDO2-certified enterprise passwordless solutions, and segregated the impact of single sign-on portal and endpoint biometric-based “passwordless-like” experiences. Passwordless-like experiences often mimic an authentication experience where no password is utilized, but retain a password and the subsequent security risk, as well as require the password to be remembered by the end-user from time to time.

FIDO2 security keys and FIDO2-compliant software solutions that leverage decentralized smartphone vaults and biometrics were defined as “next-generation passwordless” solutions.

“Workforce identity and security professionals are clear that next-gen passwordless solutions as defined in the survey have the potential to deliver stronger security outcomes than existing MFA or traditional passwordless approaches,” said Diane Hagglund, Founder and President of Dimensional Research. “This study brings clarity to confusion that exists in the market when we talk about different approaches to passwordless MFA, given that many IT professionals associate this language with a range of technologies including SSO and Touch ID.”

Key survey findings

• Only 16% of organizations use MFA across all password logins, suggesting MFA has not reached an end-to-end universality required to completely seal off the surface area of attack.
• Just 33% indicated the use of one MFA provider, with 50% having two or three providers and 17% having four or more, suggesting IT complexity when it comes to traditional MFA.
• 70% of respondents think of single sign-on (SSO) portals when thinking of passwordless, and 63% associate PC device-bound biometrics such as Windows Hello for Business as part of the passwordless trend.
• 49% indicated they currently use a next-gen passwordless solution.
• Superior end-user experience and better security coverage are the top two benefits participants felt next-gen passwordless solutions offer.

“We’re excited to really deepen the industry’s view of where newer solutions stand relative to less secure passwordless experience offerings,” said Raz Rafaeli, CEO of Secret Double Octopus. “For us, the real promise of passwordless is achieving the goal of an employee never having to set, guess or remember a password universally across all use cases they encounter in a workday. We call this full passwordless and it’s a defining design goal for us.”

Enterprise recommendations

To improve security posture, organizations should:

• Become aware of the differences between “passwordless like” solutions and newer enterprise passwordless offerings that strive to reach the promise of full passwordless
• Avoid holes in their MFA strategy by implementing MFA, preferably passwordless MFA, across all of their resources and systems
• Evaluate next-gen passwordless MFA solutions to ameliorate MFA fatigue and lower complexity of MFA management in their environment