Commissioned by Duo Security
1 Introduction / Executive Summary
Passwords have been beyond their "sell-by" date for over twenty years and are regularly exploited, with lists of usernames and passwords traded for a few cents on the dark web.
Managing existing passwords within an organisation comes at a large cost to any enterprise: figures of between $50 and $70 per password reset are commonly cited, and potentially up to 80% of all help desk interactions involve a password issue.
The whole notion of passwords is based on an oxymoron. The idea is to have a random string that is easy to remember. Unfortunately, if it's easy to remember, it's something non-random like 'Susan.' And if it's random, like 'r7U2Qnp,' then it's not easy to remember[^1]. (Bruce Schneier)
Passwordless systems are now a viable solution to the password nightmare, in which users need to remember tens (and in some cases hundreds) of passwords; if implemented correctly, they also provide a higher level of security.
Passwordless gives us the ability to increase trust in authentication while reducing friction, with the added benefit of increased confidence in the health and status of the devices accessing applications and systems, as well as allowing access risk to be monitored.
A passwordless solution also has the ability to convey identity, authentication and risk information to support other corporate initiatives such as Zero Trust and Software Defined Networking, as well as enable a modern work-from-anywhere strategy.
If successful, you end up with a modern authentication system that does not rely on users remembering passwords and is frictionless for them, while adding substantially to the overall security posture of the organisation.