Don’t Make This Mistake on the Journey to Passwordless Security

Mar 31, 2021 | 4 mins

Enterprises are slowly shifting away from enterprise password use and over to more secure alternatives. But IT leaders must build a security strategy beyond these measures.

Credit: Cisco

Passwords have been used to gain access to computers since at least 1961, when an operating system at the Massachusetts Institute of Technology first required login credentials. Over the following decades, as threats have evolved, password practices have swung back and forth in reaction to each new attack.

“In response to how criminals have changed their attack methods, we have encrypted passwords with ever stronger algorithms, hashed and salted them,” says Wolfgang Goerlich, Advisory CISO, Duo Security at Cisco.

Yet the attacks continue to grow more sophisticated to get around these measures. Meanwhile, employees are still using weak logins like “12345” or “password,” and storing their credentials on their desktops. In addition, many users forget them, which is why password-reset requests are among the most common IT help desk tickets.

In recognition that the back-and-forth debate around passwords must stop, security leaders are slowly moving their organizations away from passwords and over to passwordless multi-factor authentication (MFA). However, the shift to passwordless security—while an important step in preventing threats—isn’t sufficient on its own.

The need for a comprehensive view

“There has to be consistency in how end-users authenticate and how administrators manage and protect the solutions, across hybrid and heterogeneous environments,” Goerlich says. “We have to think about reducing user frustration, as well as streamlining security for our security teams.”

MFA requires two factors to log in—such as an SMS text, token, or a biometric key—which is an improvement. Yet it still has limits, Goerlich says.

“Each one of these extra factors adds cognitive load and potential confusion for the individual,” he says. “As CISOs, we have to consider ways to make this consistent for users so they can develop muscle memory.”

The Zero Trust framework and a Secure Access Service Edge (SASE) architecture together provide a robust, connective security layer that enables organizations to deliver consistent credentialing and login across hybrid IT infrastructures.

A Zero Trust approach establishes trust in every access request, no matter the user, device, or location. It balances secure access across the workforce, workloads, and the workplace, only granting access when trust is verified. It’s not a single solution, but rather a series of steps—including MFA—to address network security, application access, policy enforcement, and more.

Zero Trust and SASE work together to create a secure “bridge” across access and the edge—infrastructure including the cloud, the data center, or point of presence where traffic is secured and then forwarded. Access is predicated on identity, whether that’s an individual, device, application, or service.

The one mistake to avoid on the path to passwordless

An effective way to start down the Zero Trust and SASE path is through implementation of an MFA solution that grants passwordless authentication across all IT infrastructure.

For example, enterprises average between 100 and 300 software-as-a-service (SaaS) apps, depending on their employee base size, according to the 2020 SaaS Trends Report from Blissfully[1]. (It should be noted that this study was conducted pre-pandemic.)

So it’s critical to protect both individuals and data in this cloud-centric environment. To help organizations achieve this, Duo passwordless authentication verifies users as they access cloud resources such as SaaS applications. The solution offers a consistent login experience, which ultimately increases user productivity.

“However, organizations shouldn’t make the mistake of thinking that because they’ve implemented passwordless that they’re done,” he says. “Passwordless authentication cannot be simply removing the password. It must be increasing trust and control across every authentication. That’s where Zero Trust and SASE, which align standards and practices, can help improve overall security.”

Find out more about Duo passwordless authentication. 

[1] Blissfully, 2020 SaaS Trends Report, October 2019.