What's Stopping the Passwordless Revolution?

A couple of years ago, security industry professionals claimed businesses were experiencing a passwordless revolution and some forecast adoption rates in excess of 90% by the end of 2022. However, according to the latest Bitwarden 2023 Password Decisions Survey, fewer than half of respondents have deployed – or now plan to deploy – passwordless technologies.

Back in 2020, Microsoft claimed that passwordless adoption would increase from 25% of businesses to 50% of businesses by the end of the year. In the same year, an Okta/IDC survey found that – globally – passwordless adoption stood at 33%, with 36% of respondents planning to implement passwordless technologies within 12 months, and a further 25% of respondents planning to do the same by the end of 2022.

Also in 2020, LastPass published the results of a survey (registration required) which claimed 92% of respondents would be “delivering a passwordless experience to end-users in the future”, while, earlier this year, a Yubico/Ping Identity survey reported that 93% of IT leaders said their organizations are likely to adopt passwordless authentication – although neither survey gave a timeframe for when this might occur.

Has The Passwordless Revolution Ground to a Halt?

Since the declaration of the passwordless revolution, there's not been a great deal of news about how the revolution is going. While companies like Microsoft, Okta, LastPass, and Ping Identity continue to push their passwordless solutions, nobody has issued bold, time-sensitive forecasts about when the revolution will arrive. Indeed, according to Bitwarden's 2023 Password Decisions Survey, it may never arrive at all.

Bitwarden has been conducting insightful Password Decisions Surveys for the past couple of years, but this is the first year it has included questions about passwordless technologies – the responses to which imply the passwordless revolution has ground to a halt. Only 49% of respondents said they had deployed or plan to deploy passwordless technologies, while 37% gave the idea the thumbs down. The remainder have still not decided.

Possibly more indicative of the passwordless revolution grinding to a halt is that, of the respondents to the Bitwarden survey who have already deployed passwordless technologies, only 13% have deployed passwordless authentication throughout the whole business. 66% have deployed it among 1-2 user groups (36%) or multiple teams (30%), while the remaining 21% are still at the proof of concept testing stage.

What's Stopping the Passwordless Revolution?

Different industry professionals have offered different opinions about what's stopping the passwordless revolution. LastPass found that the cost of deployment was the biggest obstacle to deployment (which is probably true if you are a LastPass business customer due to the cost of the add-ons), while Yubico/Ping Identity attribute the lack of adoption to “organizational resistance” without explaining what's not to like about better security and user experience.

Bitwarden seems to have been surveying people who know what they are talking about, judging by the responses to the question “Why has your organization not deployed passwordless?”:

  • 49% replied that the apps they were using were not designed to go passwordless
  • 39% said there was an end user preference to keep passwords
  • 28% cited the cost of deployment
  • 23% claimed leadership resistance
  • 21% lacked sufficient skills

These results make much more sense than the opinions of other industry professionals inasmuch as the percentage that said their apps were not designed to go passwordless aligns with the percentage of respondents who have not attempted, or have not yet decided to attempt, a passwordless deployment. It is also interesting that 39% of respondents said there was a user preference to keep passwords. While this might seem alarming to some business decision makers, you can read why this might be in a blog we published earlier this year – “Is FIDO Authentication as Effective as it Claims to Be?”.

Ultimately, it is not 100% accurate to claim either that there is a passwordless revolution or that the revolution has ground to a halt. It is simply another technology that will get adopted over time as it evolves, solutions are found to the issues associated with the technology, and businesses and end users become more accustomed to swapping usernames and passwords for security tokens, biometrics, voice recognition software, and near field communications.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news