Survey: IT leaders expect resistance to passwordless security

Nowadays, facial recognition can open your iPhone and the right fingerprint will log you into your work laptop.

As our everyday devices gain non-password authenticators, however, a study from Ping Identity and Yubico finds IT leaders predict resistance to the biometric option in their organizations: While 84% of global IT leaders consider passwords “a deceptively weak way to store your data,” 97% of respondents currently without passwordless authentication predict barriers in implementing the technology, citing a lack of urgency, technical expertise, and buy-in.

“Many of these roadblocks are not technological, but cultural,” reads the report. While 93% of the 600 IT leaders surveyed said that their organization is “at least somewhat likely” to adopt passwordless authentication,88% of those without passwordless authentication believe their organization would be resistant to adopting it.

To overcome the “cultural” barriers, organizations must emphasize two ideas, according to industry pros who spoke with IT Brew: communication and ease of use.

What’s the holdup?

While passwordless options like biometrics, pins, and hardware security keys take the guessable character-string option away from the hacker, the old authenticator is difficult for companies to quit—a reality that irks Zain Malik, senior product marketing manager at Ping Identity.

“It’s kind of frustrating because there are less limitations than ever before, less barriers to entry. Our devices are now enabled with biometrics,” Malik told IT Brew. “So, it’s just a general human resistance to change.”

Take it easy

Passwordless implementation may have complicated hurdles: A thumbprint reader could be a fine option for an office worker, but not for factory-floor workers who are wearing gloves, said Malik. Legacy systems may not be ready to handle tokens.

To get buy-in from resistant humans, Terry Jost, managing director and global security and privacy segment leader at Protiviti, emphasizes the importance of keeping the authentication path simple.

“I think that the more you can make it easy for people to access their tools and their applications, then I think most people will go along with it,” said Jost.

Some organizations, to ease access, have their employees get their authentication out of the way early. Malik, for example, uses his thumbprint to log-in to his “dock” in the morning; as long as his device shows no anomalous behavior, no password is required for any other apps or programs beyond that point.

Authentication talks

A final driver for successful passwordless implementations, said Malik, is “executive sponsorship.”

A 2021 study, conducted by the Ponemon Institute and Secret Double Octopus, found that passwordless authentication saves the average organization approximately $1.9M in costs over conventional password-based authentication over two years, comparing the monetary costs of password attacks and help-desk requests.

“Nothing sells better than numbers that talk about cost savings and cost-efficiency,” said Ponemon Institute founder Larry Ponemon shortly after the paper’s release.