Cisco Report Shows Shift Away from Traditional Passwords
A report published this week by Cisco’s Duo Security unit found the use of both multifactor authentication (MFA) and biometric authentication is on the rise as alternatives to passwords.
Based on an analysis of more than 36 million devices running more than 400,000 unique applications which resulted in 800 million monthly authentications, the report finds the use of MFA and biometric authentication increased 39% and 48%, respectively, on a year-over-year basis.
Dave Lewis, global advisory CISO for Cisco, said given the wide reliance on passwords to access applications, the rate of MFA and biometric authentication use appears to be increasing sharply. In fact, the report finds more than 71% of customer mobile phones running Duo software have biometric authentication enabled. The report also found a fivefold increase in web authentication (WebAuthn) to securely store authentications on a local device. The World Wide Web Consortium (W3C) first published the open standard in April 2019.
A global survey of 3,419 IT decision-makers conducted by Cisco also suggested organizations are starting to move beyond passwords. More than half of survey respondents (52%) said their organization is planning to implement a passwordless strategy. Nearly half (46%) said security issues related to compromised credentials are the most frustrating or concerning aspect of dealing with passwords.
A separate Cisco Hybrid Work Index report suggested those concerns are warranted. Fraudulent access attempts increased grew 2.4 times in the wake of the COVID-19 pandemic and remain elevated 18 months later.
Lewis said that it’s become a lot easier for organizations to move away from passwords at this point. In fact, the primary issue is culture and inertia more than any inherent complexity involved in deploying MFA or biometric authentication platforms, he said.
There’s no doubt the shift toward working from home that began with the onset of the pandemic has resulted in more organizations moving away from passwords which are relatively easy for cybercriminals to steal. Many security leaders increasingly realized that, rather than vilifying the end user for using simple passwords, it’s incumbent upon the organization to implement more robust security controls in a way that has a minimal impact on productivity, he said.
If security controls are viewed as being too cumbersome to employ, end users will simply be tempted to circumvent them whenever possible, added Lewis.
Going forward, even as the COVID-19 pandemic slowly wanes it’s clear a lot more employees will work both from home and the office. That constant shift between locations will, of course, only make it more likely that password-based credentials will be compromised, no matter how often they are changed. Most end-user passwords today are based on a variant of a core phrase that can already be easily found on the dark web.
It’s not clear just how proactive organizations will be when it comes to replacing passwords, but as the number of incidents involving stolen passwords continues to increase, passwords may soon disappear in favor of more secure options.
