{"id":5740,"date":"2025-11-11T07:00:00","date_gmt":"2025-11-11T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5740"},"modified":"2025-11-11T07:00:00","modified_gmt":"2025-11-11T07:00:00","slug":"your-passwordless-future-may-never-fully-arrive","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5740","title":{"rendered":"Your passwordless future may never fully arrive"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Enterprise CISOs have been trying to <a href=\"https:\/\/www.csoonline.com\/article\/3989855\/will-ai-agent-fueled-attacks-force-cisos-to-fast-track-passwordless-projects.html\">move beyond passwords<\/a> for more than a decade, but have run into technical roadblocks, as many legacy systems were never designed for anything other than passwords.<\/p>\n<p>As a result, the passwordless revolution, despite its promise and the enticing premise of replacing passwords \u2014 which are <a href=\"https:\/\/www.csoonline.com\/article\/4042464\/enterprise-passwords-becoming-even-easier-to-steal-and-abuse.html\">becoming even easier to steal and abuse<\/a> \u2014 with biometrics, one-time passcodes, security keys, and the like, may never fully come to pass.<\/p>\n<p>According to a recent <a href=\"https:\/\/www.businesswire.com\/news\/home\/20251009684087\/en\/Help-Desk-Hijacks-Soaring-Costs-RSA-ID-IQ-Report-Unveils-Top-Identity-Threats\">RSA report<\/a>, \u201cpasswordless adoption is stalling, with 90% of organizations reporting challenges due to coverage gaps and poor user experience.\u201d<\/p>\n<p>The challenges are many. Beyond legacy industrial systems, homegrown apps, door\/facility access systems, and IoT, even routine workgroup deployment of passwordless solutions is anything but routine. 
Different operating systems and specialized access requirements typically translate to enterprises needing to roll out multiple <a href=\"https:\/\/www.csoonline.com\/article\/3952036\/microsoft-announces-revolution.html\">passwordless packages<\/a>, which can be expensive and time-consuming, and create operational delays and other friction. Worst of all, running several systems side by side can create new security holes as attackers try to slip between the cracks of those multiple passwordless systems.<\/p>\n<p>Security analysts and practitioners see most enterprises able to cover anywhere from 75% to 85% of their threat landscape with existing passwordless options. But that last 15%, which includes the most passwordless-resistant systems, is where the real headaches materialize.<\/p>\n<p>\u201cIt will be difficult to close that last 15%, especially in operational technology environments with embedded systems and industrial controls,\u201d says <a href=\"https:\/\/moorinsightsstrategy.com\/team\/will-townsend\/\">Will Townsend<\/a>, a VP and principal analyst at Moor Insights &amp; Strategy. \u201cThe lift will be particularly difficult with OT, IoT, and embedded Linux. And anything in the manufacturing space.\u201d<\/p>\n<p>Townsend adds: \u201cThe DIY stuff, that\u2019s the oddball. The process also creates risks in terms of managing all of these disparate tools. Still, the benefits far outweigh any short-term friction that you are going to experience.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Passwordless challenges and risks<\/h2>\n<p>Another key passwordless challenge? The myriad choices involved, perhaps too many. What kind of passwordless? FIDO2 versus biometrics? And if the choice is biometrics, which biometric \u2014 face, retina, fingerprint, vein position? All have pros and cons, and given that enterprises will require many different forms, the management effort is significant.<\/p>\n<p>Then there\u2019s the question of backup, in case a passwordless mechanism fails. 
And if the design is to fall back onto passwords, then that isn\u2019t really \u201cpasswordless,\u201d is it?\u00a0<\/p>\n<p>\u201cPasswordless implementations typically leave a dangerous blind spot. Passwords are still there, lurking inside the passkey enrollment and recovery flows,\u201d says <a href=\"https:\/\/www.cio.com\/profile\/aaron-painter\/\">Aaron Painter<\/a>, CEO of Nametag. \u201cThink of it this way: How do you really know who\u2019s enrolling or resetting a passkey? Attackers don\u2019t have to break the cryptography of passkeys. They go after the weakest link, whether it\u2019s a helpdesk call, an SMS code, or a \u2018can\u2019t access my passkey\u2019 button. By keeping both a password and a passkey, organizations multiply their attack surface.\u201d<\/p>\n<p>Painter adds: \u201cThe real shift to passwordless only happens when enrollment and recovery get the same phishing-resistant treatment as login, by blending modern mobile cryptography with biometrics and liveness verification.\u201d<\/p>\n<p>RSA\u2019s report pointed to enterprise environment complexity as potentially the biggest roadblock.<\/p>\n<p>\u201cComplex environments and mixed-use cases and user groups make it a challenge for organizations to deploy comprehensive passwordless. Because most organizations operate in hybrid environments and must support diverse users and use cases, identity specialists are preparing to use a diverse range of form factors to provide every user with passwordless authentication,\u201d the report says.\u00a0<\/p>\n<p>The RSA report added that security executives seem to be split on the reasons for passwordless deployment delays. 
About \u201c57% of respondents said security concerns were slowing passwordless, 56% cited concerns about user experience and 52% said a lack of complete platform support \u2014 including legacy apps and third-party systems \u2014 was the main challenge in preventing them from rolling out passwordless.\u201d<\/p>\n<h2 class=\"wp-block-heading\">All-in passwordless strategies fall short<\/h2>\n<p><a href=\"https:\/\/www.rsa.com\/company\/#team-member-modal-9\">Jim Taylor<\/a>, chief product and strategy officer at RSA, says today\u2019s enterprise environment and existing passwordless approaches make \u201c100% passwordless not possible just yet,\u201d adding that \u201c85% is possible, with the 15% representing the complicated and the very specialized\u201d needs such as \u201csecurity admins who need to log in to a door for building access halfway across the world.\u201d<\/p>\n<p>Enterprises that support critical infrastructure face especially difficult passwordless hurdles, Taylor notes. \u201cWith critical infrastructure, look at the old switches out there. With drilling situations, you have these mini air-gapped networks that are disconnected. Now satellites are starting to connect these things.\u201d<\/p>\n<p>Taylor estimated that enterprises should be able to hit 100% passwordless compliance \u201cwithin the next couple of years. Maybe it\u2019s three years to achieve that last 1%.\u201d<\/p>\n<p>Part of the passwordless debate focuses on ROI strategies. The proverbial gold at the end of the rainbow is having all password credentials eliminated. That means an attacker with a 12-month-old admin password from a breach of a partner company would have nothing of value. But as long as some passwords must be supported, the risk of such an attack remains.\u00a0<\/p>\n<p>Security practitioners disagree on how much benefit can be realized shy of achieving 100%. 
\u201cAny password you remove marginally improves your security posture and gives you a slight reduction in your risk profile,\u201d Taylor says.\u00a0<\/p>\n<p><a href=\"https:\/\/hideez.com\/pages\/oleg-naumenko\">Oleg Naumenko<\/a>, CEO of Hideez, says CISOs must think strategically when deciding the sequence of which systems to target first for their passwordless strategies.<\/p>\n<p>\u201cYou can\u2019t get support for all of your working technology via one technology. It\u2019s not possible. If a company begins by securing privileged users and critical systems, that alone can significantly reduce exposure. But if the rollout starts with the easiest integrations just to reach more users, the improvement will be superficial,\u201d Naumenko says. \u201cMany start by implementing passwordless access for cloud services because it\u2019s easier, while the more complex, high-risk systems remain password-dependent. I usually recommend reversing that order and starting with the most privileged users.\u201d<\/p>\n<p>By focusing on the users who will have the greatest impact, the progression of passwordless can go far more smoothly, Naumenko claims.\u00a0<\/p>\n<h2 class=\"wp-block-heading\">Proper sequence is critical<\/h2>\n<p>\u201cAdmins and engineers have the broadest access, so if passwordless works for them, scaling it to the rest of the organization becomes much simpler,\u201d says Naumenko, who recommends first assessing how each service supports passwordless SSO.<\/p>\n<p>\u201cMost cloud apps integrate easily via SAML or OIDC, while legacy or custom systems require a different approach,\u201d he says. \u201cThe first option is to restrict access through a VPN protected by passwordless SSO. 
And the more advanced option is to use a reverse proxy service that enables passwordless access directly.\u201d<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/orfink\/\">Or Finkelstein<\/a>, head of marketing at Secret Double Octopus, has found it effective to trick legacy systems into thinking they are being given a password, when in reality they are not.<\/p>\n<p>One technique his clients have used is to \u201ctake over the legacy password field and replace the user-selected password with a machine-generated ephemeral token that rotates with every authentication,\u201d he says. \u201cNow, technically speaking, that is still a password, but no human will ever see or use it,\u201d and it doesn\u2019t have the cybersecurity weaknesses of a password and can\u2019t be phished.\u00a0<\/p>\n<p>\u201cAs long as it\u2019s API-based authentication, it\u2019s up to us to tailor it and make it work without passwords,\u201d Finkelstein says, arguing that passwordless has become a fait accompli due to industry pressures. \u201cYou\u2019ll end up doing passwordless anyway due to compliance demands, cyber insurance requirements or a breach that will make the next guy do it.\u201d<\/p>\n<p>Another complicating factor for passwordless deployment involves dealing with critical equipment partners \u2014 such as POS providers for retail \u2014 who themselves have yet to embrace passwordless. If they deliver systems that still require passwords, it is sometimes difficult for enterprises to work around that.<\/p>\n<p><a href=\"https:\/\/www.infotech.com\/profiles\/erik-avakian\">Erik Avakian<\/a>, a technical counselor at Info-Tech Research Group, equates some of the passwordless decisions to those that CISOs have already made about multi-factor authentication.<\/p>\n<p>MFA is not a technology but a series of authentication mechanism options. 
Some of those options \u2014 such as FIDO2, passkeys, or even authenticator apps \u2014 are relatively robust while others, especially unencrypted SMS, are comparatively weak.\u00a0<\/p>\n<p>Many enterprises proudly say they support MFA, but by not focusing on how robust their MFA mechanism is, they miss the point and rob their businesses of the cybersecurity protections MFA is meant to provide.\u00a0<\/p>\n<p>The same problem exists when choosing the various authentication options within the passwordless umbrella, Avakian says. \u201cWe have to learn the lesson of MFA\u201d and not favor convenience over protection, he opines. \u201cThere is the security piece and the user experience piece.\u201d<\/p>\n<p>\u201cOn paper, passwordless sounds very simple, but in practice, organizations oftentimes can hit roadblocks because their environments are far more heterogeneous than they realize, or the people culture in the organization presents challenges to big changes when it comes to well-baked-in processes that have been in place for a long time,\u201d Avakian points out. \u201cIn many ways, moving towards passwordless is very much like how most organizations are approaching their efforts to move toward a zero trust model \u2014 a multi-year, multi-phase journey rather than a single flash-cut event.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Enterprise CISOs have been trying to move beyond passwords for more than a decade, but have run into technical roadblocks, as many legacy systems were never designed for anything other than passwords. 
As a result, the passwordless revolution, despite its promise and the enticing premise of replacing passwords \u2014 which are becoming even easier to steal [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5741,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5740","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5740"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5740"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5740\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5741"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5740"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5740"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5740"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}