The Move Away From Passwords Will Be Gradual, Delinea Survey Finds
2023-11-16 23:40:16 Author: securityboulevard.com

Passwords in the workplace aren’t going away anytime soon, despite ongoing efforts from the likes of Google, Microsoft, and Apple to push corporations to adopt other authentication methods like passkeys and biometrics.

Consumer technologies like smartphones and personal email accounts are moving in that direction, but business environments are more complex, with legacy systems and applications, compliance issues, and the need for consistent authentication methods among the hurdles that corporations need to deal with, according to a survey released Thursday by Delinea, a privileged access management (PAM) vendor.

“Much of the story has centered on consumer passwords for websites and apps,” the authors of the report wrote. “But, as we’ve seen in the past, the adoption of new workplace solutions often trails consumer technology … [O]ur results show that passwords are evolving into something new. While passwords may never disappear completely, they will be supplemented by different, better forms of authentication. Password management still has a critical role in workplace security for the foreseeable future.”

Passwords are a Security Risk

Using passwords to authenticate users has long been seen as a weak spot in corporate cybersecurity, particularly at a time when bad actors are increasingly using stolen or hacked credentials to infiltrate networks. Users may have more than 100 accounts that require passwords and often rely on reusing passwords for multiple accounts or using weak passwords.

A Verizon report found that in 2021, 82% of security breaches were due to stolen credentials.

A growing number of IT companies have been working with the FIDO Alliance over the past several years to map out a passwordless future, with some – including Microsoft, Google, Amazon, and Meta-owned WhatsApp – offering users the option of using passkeys rather than passwords to log into their accounts.

However, even FIDO understands it will take a while for passwords to disappear for good. A study conducted with password manager vendor LastPass released last month found that 89% of IT leaders expect passwords to account for less than a quarter of their companies’ logins in the next five years.

Hurdles for Password Alternatives

Delinea’s report reflects many of the same conclusions. The survey of 300 IT and cybersecurity experts in the United States found that employers waste $480 per employee every year due to password issues, that 49% of IT security professionals and 51% of individuals share passwords with colleagues to access business accounts, and that only 7% are extremely confident they can transfer passwords and credentials and secure their businesses if they have to quickly fire an employee.

So there is incentive to move away from passwords. However, it will be a slow process. About 68% of those surveyed said passwords aren’t dead – with some saying they are evolving into something new, are not dead for service accounts or machine identities, or simply are becoming obsolete – while 15% said they will never die. Only 7% said they are dead and gone.

About 30% of those surveyed said their organizations have started the transition away from passwords, while 36% said they are one to two years away. Another 21% said they are three to four years away and 33% said they will never give up passwords.

“Going passwordless doesn’t seem to make the priority list for companies right now, perhaps due to competing initiatives and changing economic conditions,” the report’s authors wrote.

Legacy systems are an issue, with 43% saying they require passwords and multifactor authentication. In addition, 37% of respondents said they need consistent authentication methods everywhere and another 28% said employees either don’t trust or don’t understand passwordless processes. In addition, 95% said compliance requirements for their companies require them to have access controls that only get more complicated if adapted to new authentication methods.

Those compliance frameworks include HIPAA, ISO 27001, HITRUST, NIST CSF, and PCI-DSS.

“Adapting to passwordless methods while remaining compliant can be complex since so many compliance frameworks call out password management requirements,” the authors wrote. “Auditors are used to looking for observable password-based controls. Even if you remove passwords from your workflow, you’ll still need to demonstrate to auditors that you’re properly authenticating users and providing them with the appropriate level of access.”

A Mix of Authentication Methods

Darren Guccione, co-founder and CEO of cybersecurity software maker Keeper Security, told Security Boulevard in an email that passwordless authentication technologies are becoming more popular and more widely available, with many organizations adopting them in some form. However, while they can improve security and the user experience, they aren’t a “wholesale password replacement.”

“Every website, native application, system and database still requires passwords at some level, even if passwordless solutions are used for convenience,” Guccione said. “The fact is that robust encryption keys cannot be generated without a password. Even single sign-on solutions require a password, at some level in the architecture, to authenticate a user.”

Richard Amper, founder and CEO of biometric authentication platform vendor Incode, is optimistic about both biometrics – such as fingerprint and facial recognition – and passkeys as password alternatives and said AI can support such efforts to protect against threat actors that may want to abuse them.

“Transitioning to a passwordless mindset may appear unconventional, as it requires users to change their habits,” Amper told Security Boulevard in an email. “However, the enhanced security and the seamless experience it offers reduce the learning curve, making the transition more user-friendly.”

Guccione said that passkeys are promising, with more websites and service providers adopting them for authentication as interest grows. However, it will be a gradual process.

“It’s essential to recognize that passkeys might not entirely replace passwords,” he said. “Just as cash continues to coexist with digital payment methods, passwords will still have their place with certain applications and websites. In this hybrid environment, it’s critical to ensure the safe storage and use of both passkeys and traditional passwords.”

Source: https://securityboulevard.com/2023/11/the-move-away-from-passwords-will-be-gradual-delinea-survey-finds/