Weak Passwords: The Biggest Corporate Security Threat and How to Embrace Stronger Authentication

Weak Passwords and the Shift Towards Passwordless Authentication

Weak passwords or compromised credentials are the most prominent security threat facing companies today, according to a recent report from 1Password, a leading password management company. Despite the growing trend towards adopting passwordless authentication solutions, password practices still pose a significant challenge. A survey of 5,200 employees and IT and security experts revealed that 44% consider employees' use of weak or compromised credentials to be the most impactful factor on security teams' ability to provide effective protection.

Employee Behavior and Cybersecurity Challenges

Employee behaviors regarding passwords show a deterioration compared to last year. Nearly two-thirds of employees admitted to reusing passwords between personal and work accounts, relying on default credentials, or even sharing passwords via email and messaging applications. Ironically, IT and security professionals sometimes adopt riskier password practices than non-technical employees; for example, 24% of IT professionals use identical passwords for work and personal accounts, compared to only 15% of non-technical employees.

Password managers: Only a minority of employees, specifically 30% of workers and 23% of IT professionals, always use complex and unique passwords. Despite the important role password managers play in strengthening security, only 38% of IT professionals and 26% of other workers reported that their employers provide this tool. Among companies that experienced a data breach in the past three years, 50% of CISOs attributed the root cause to compromised credentials, making it the second most common cause after the exploitation of security vulnerabilities.

Passkeys: A Step Towards a Passwordless Future

Passkeys: The transition to a completely passwordless future represents a shared ambition for individuals and businesses, but achieving this goal is not without its challenges. Password management systems may face difficulties in maintenance and administration, even in large enterprise environments. Passkeys, which are a fundamental step towards passwordless authentication, still face hurdles to become user-friendly, convenient, and widely adopted enough to encourage more people to embrace them. Nevertheless, passkeys are gaining increasing momentum in the corporate sector, with 41% of surveyed employees adopting them where available, while 89% of security and IT experts encourage their employees to switch to them, and 25% of respondents expressed their readiness to transition to using them as soon as they become available.

The transition from traditional passwords to passkeys is not just a simple change, but a long-term strategic project that may take years for most companies. This transition requires a delicate balance between technical infrastructures, current workflows, and regulatory requirements. During this transitional phase, passwords and passkeys must coexist effectively, necessitating both methods to be secure and easy to use. As one respondent noted, "A completely passwordless environment has long been a dream for security leaders, but the complete elimination of passwords is a multi-year endeavor, and the utmost authentication security must be ensured at every stage of this transition."

1Password's Strategy for a Secure Transition to Passwordless Authentication

A systematic action plan: To achieve this security goal, 1Password presented a five-step action plan that organizations can follow to make this transition successfully:

1. Planning a Security Transformation Roadmap

Define clear strategies to replace weak passwords with strong ones and integrate multi-factor authentication.

2. Providing Continuous Guidance and Support to Employees

Provide comprehensive guidance and practical support to employees for transitioning to strong passwords and future authentication solutions.

3. Ensuring Compliance with Regulations and Standards

Ensure that passwordless authentication systems fully comply with international and local regulatory standards.

4. Using Enterprise Password Management Solutions

Adopt a centralized enterprise password manager for effective control over password practices and to make secure usage easy for employees.

5. Gradually Phasing Out High-Risk Authentication Methods

Work to eliminate authentication methods that carry significant security risks, such as SMS verification codes.