The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Adoption of Passwordless Authentication Grows But Poor Password Practices Persist

Passwords are an inexpensive and convenient form of authentication. While passwords can provide a high degree of protection, in practice they are a weak point that is commonly exploited by threat actors to gain access to internal networks and sensitive data. Brute force attacks are conducted to guess weak passwords, credential stuffing attacks succeed because people reuse passwords on multiple platforms, and employees divulge their passwords by responding to phishing emails.
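The attacks listed above leave different footprints in authentication logs, and telling them apart matters because the response differs (rate-limit or block a source for brute force; force resets on the accounts that were successfully logged into during a credential-stuffing run). The following is an added example, not code from the original article or from Bitwarden; it assumes a hypothetical log format of the form `timestamp ip=… user=… result=OK|FAIL`, constructs a few sample lines in that format, and uses illustrative thresholds that a real deployment would tune.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical log format assumed for this example (not a real product's format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    """Per-source-IP counters used to characterise the traffic."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    per_user: dict = field(default_factory=lambda: defaultdict(int))


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(lines):
    """Fold log lines into per-source statistics; unparseable lines are skipped."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s.attempts += 1
        s.users.add(rec["user"])
        s.per_user[rec["user"]] += 1
        if rec["result"] == "FAIL":
            s.failures += 1
    return stats


def classify(stats, min_attempts=8, min_users=5, fail_ratio=0.8):
    """Label noisy, mostly-failing sources (illustrative thresholds).

    credential_stuffing: many distinct accounts, roughly one try each.
    brute_force: most attempts aimed at a single account.
    """
    findings = {}
    for ip, s in stats.items():
        if s.attempts < min_attempts or s.failures / s.attempts < fail_ratio:
            continue
        top_user_share = max(s.per_user.values()) / s.attempts
        if len(s.users) >= min_users and top_user_share < 0.5:
            findings[ip] = "credential_stuffing"
        elif top_user_share >= 0.5:
            findings[ip] = "brute_force"
    return findings


def compromised_accounts(lines):
    """Accounts that logged in successfully from a source flagged as stuffing."""
    findings = classify(aggregate(lines))
    return {
        rec["user"]
        for rec in map(parse_line, lines)
        if rec and rec["result"] == "OK"
        and findings.get(rec["ip"]) == "credential_stuffing"
    }


# Constructed sample log (documentation/TEST-NET addresses, invented users).
SAMPLE_LOG = (
    # one source trying ten different accounts once each, one of them works
    [f"2024-03-01T10:00:{i:02d}Z ip=203.0.113.5 user=u{i:02d} result=FAIL" for i in range(9)]
    + ["2024-03-01T10:00:09Z ip=203.0.113.5 user=u09 result=OK"]
    # one source hammering a single account
    + [f"2024-03-01T10:01:{i:02d}Z ip=198.51.100.7 user=bob result=FAIL" for i in range(10)]
    # ordinary traffic plus a line in some other format
    + [
        "2024-03-01T10:02:00Z ip=192.0.2.9 user=alice result=OK",
        "2024-03-01T10:02:05Z ip=192.0.2.9 user=alice result=FAIL",
        "2024-03-01T10:02:10Z ip=192.0.2.9 user=alice result=OK",
        "2024-03-01T10:02:15Z ip=192.0.2.9 user=carol result=OK",
        "kernel: unrelated message that does not match the pattern",
    ]
)


def detect(lines=SAMPLE_LOG):
    return classify(aggregate(lines))


if __name__ == "__main__":
    print(detect())
    print("reset these accounts:", compromised_accounts(SAMPLE_LOG))
```

The distinguishing signal is the share of attempts that land on the single most-targeted account: a credential-stuffing run spreads one leaked password per account across many accounts, so that share is low, while a brute-force run concentrates on one. The `OK` result inside a flagged stuffing source is the reuse problem made visible: that account's password was valid somewhere else first.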

Many of these attacks targeting passwords succeed because employees engage in risky password practices, such as setting easy-to-remember passwords or using the same password for multiple accounts. Businesses can take steps to eliminate these bad password practices by providing security awareness training to teach employees password best practices, enforcing password complexity rules, and providing a password manager; however, risk can only be reduced, not eliminated entirely. Employees will make mistakes, and some will circumvent the rules.

The best approach for businesses to eliminate password risks is to do away with passwords altogether and adopt passwordless authentication. Passwordless authentication is a broad term covering multiple methods of authentication, including biometrics, security keys, and specialized mobile applications. The problem for businesses is that implementing passwordless authentication for an entire workforce is costly and challenging.

Half of Businesses Have Implemented Passwordless Authentication or Plan to

Bitwarden, a leading open source password manager provider, has recently published the findings from its annual password decisions survey, which shows an increasing number of businesses are embracing passwordless authentication. The survey was conducted on 800 IT decision-makers (400 US / 400 UK) across a range of industries and revealed that almost half of the respondents have either deployed or have plans to deploy passwordless technology. The main benefits of passwordless technology were seen to be improved security (41%), a better user experience (24%), increased productivity (19%), and minimizing the burden on the IT department (17%).


Out of the businesses that have started to deploy the technology, 66% have one or two user groups or multiple teams using passwordless technology, with 13% having fully adopted it across the entire organization. The most common form – implemented or being considered by 51% of businesses – is something employees are – a biometric factor such as a fingerprint, voiceprint, or facial recognition technology. 31% use or are considering something an employee has, such as a phone, security key, or FIDO authentication. 47% of respondents said FIDO2 was an important aspect of their passwordless adoption.

The most commonly stated reason for not ditching passwords is that the applications the businesses use are not designed to support passwordless authentication, which was a problem for 49% of businesses that have yet to go passwordless. 39% said end users prefer passwords or are reluctant to switch, 28% said they do not have the budget, 23% said there was leadership resistance, and 21% said they had limited talent and skills to implement it.

It is likely to take some time before most businesses can go fully passwordless, and in the meantime, passwords will continue to be used. On that front, the survey confirmed that risky password practices are commonplace. While 84% of respondents said they use password management software, 54% said passwords are stored in a document on their computer, 29% write them down, and over 90% of respondents admitted to password reuse, despite being aware of the risks. 36% reuse passwords on 5-10 sites, 24% reuse passwords on up to 15 sites, and 11% reuse the same password on more than 15 sites, which demonstrates why credential stuffing attacks often succeed. Fortunately, 92% of respondents said they are using 2-factor authentication in the workplace – an increase from 88% in last year’s survey.

When questioned why they believe people are reluctant to use 2FA to add security to accounts, 48% said they do not think people are aware of the benefits, 47% said they think passwords are strong enough, and 41% said they think it's because people believe they are unlikely to get hacked, with a similar percentage saying 2FA slows down workflow.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
