This IDC study provides a systematic assessment of technologies related to advanced authentication. Let's face it. The password was invented in an age before the internet and the associated open access to network assets and applications. Passwords were needed for a small number of finite uses, when the strength of authentication was determined not only by the strength of the password but also by the limited physical access to immobile computer assets in guarded on-premises client/server deployments.
Continuing to use the password for authentication unfairly shifts the responsibility for security from IT and security professionals to end users. The shift of responsibility is not only unfair but also unwise, as the focus of end users is getting their jobs done with convenience and expediency, which often trumps the need for security.
A number of viable alternatives exist to the password, alternatives that not only improve security efficacy for the organization but also provide ease-of-use benefits to end users. Those who truly own the responsibility for the security of enterprise networks, applications, and data are strongly encouraged to embrace such alternatives. Despite the sophisticated security measures that enterprises are putting in place, something as fundamentally simple as a password is tripping us up. Replacing and obsoleting passwords is an excellent approach to addressing and preventing the 63% of confirmed data breaches that involved weak, default, or stolen passwords, as referenced by the 2016 Verizon Data Breach Investigations Report (DBIR).
"Passwords have outlived their usefulness, becoming the Achilles' heel of enterprise networks," according to Frank Dickson, research director for IDC's Identity and Access Management service. "Stronger forms of authentication are desperately needed. However, stronger alone is not sufficient. New forms of authentication need to minimize 'friction' for the user while solving the needs of the enterprise use case."