The State of Passwordless in the Enterprise
Recently, Cisco Duo sponsored a comprehensive study on Passwordless in the Enterprise led by ESG senior analyst Jack Poller. Today we will discuss the survey makeup, review key results and explain why Duo’s Passwordless technology is well positioned to meet enterprise authentication needs highlighted in the study.
In addition to this blog post, you can find more information on the study results in:
ESG’s state of Passwordless in the Enterprise ebook
ESG and Duo’s state of Passwordless in the Enterprise webinar
Study Overview
During the study, ESG asked questions of 377 security, IT, and application development professionals across a variety of company sizes and verticals, about both workforce (internal/employee) and customer (external/client) users. The study also covered multi-factor authentication, identity protections, identity risks and identity vulnerabilities experienced.
Study Findings
We’ll focus on the workforce findings:
1. Multiple account or credential compromise is the norm
This result is surprising, but it’s not entirely new. Year after year, there are countless reports that a significant number of breaches occur due to lost or stolen credentials. Cybercriminals don’t break in; they just log in. There are a variety of reasons that credentials are a perennial attack vector. Some companies don’t have the budget to implement MFA, some don’t have the skills to implement it, and for others the solution is too complex and negatively affects user productivity.
The writing is certainly on the wall that username and password credentials are a menace to secure environments, and moving to strong authentication is the solution. Yet, enterprises are faced with a trade-off between enabling a great user experience and deploying strong security.
Duo does not subscribe to that choice. Founded on a world-class design-led philosophy, Duo offers a great admin and user experience behind cutting-edge authentication security for unmatched value.
2. Workforce authentication failures are common and MFA is still not mandatory
Duo has always focused on meeting customers where they are. Depending on the situation, authenticator options may be limited. Therefore, Duo supports a wide variety of authentication options. However, at the same time, we also enable our customers to implement the strongest multi-factor authentication (MFA) options available in the industry.
These include Verified Duo Push with number matching, Risk-Based Authentication that steps up authentication strength based on risk signals, Trusted Endpoints to limit the scope of acceptable endpoints to known devices, and phishing-resistant factors like FIDO2 WebAuthn, which is a foundational Duo Passwordless component.
3. Two-thirds of enterprises have started their workforce passwordless journey
Based on this stat, we can infer that passwordless has been beneficial to overall security efforts for most companies. Therefore, as enterprises develop plans to strengthen their security postures in the future, we can expect growth in the use of passwordless authentication.
Duo brought its Passwordless solution to market last year and has seen a steady rise in adoption and expansion from production pilots to full production in various functional groups across a broad set of verticals. Since it’s available in all product editions, all Duo customers have the capability to get started using passwordless immediately on the heels of completing their rollout plans.
4. Investment in strong authentication is growing
The top 3 “areas expected to benefit from an increase in authentication technologies over the next 12 months” include:
Adding or improving passwordless authentication for workforce users – 24% of enterprises
Adding or improving passwordless authentication for partners or suppliers – 18% of enterprises
Adding or improving passwordless authentication for customer users – 17% of enterprises
Duo Passwordless provides enterprises with broad options to strengthen security and improve the user experience by eliminating the use of passwords. Our Passwordless solution supports flexible authenticators including:
Passkeys that are single device bound or synced across multiple devices
Platform authenticators built into access devices
Security keys attached to access devices
Duo Push on mobile devices
With Duo Passwordless, users can log in securely with a single gesture that provides security based on “something you have” + “something you are” factors and doesn’t rely on the plagued “something you know” factor used for password-based authentication.
There’s no time like the present for starting your passwordless journey
Weak authentication with passwords and phishable MFA is putting enterprises at risk. As a result, many are making passwordless a high priority so they can benefit from the increased security and improved user experience it offers. Get more insight into key survey takeaways by reading ESG’s ebook on the state of Passwordless in the Enterprise.
Also, be sure to register for the state of Passwordless in the Enterprise webinar with Jack Poller and me on July 19th at 1:00pm EDT. Jack will discuss key results from the survey and share his extensive industry experience. I will complement his observations by highlighting why Duo is well positioned to shore up enterprise authentication needs raised in the survey, while guiding organizations on their journey to passwordless authentication.