Passkeys won't eliminate passwords just yet

Like it or not, passwords are here to stay – despite the rise of new secure authentication methods, a new report says.

Hard to remember and easy to break, passwords have had shortcomings for many years. And despite presenting substantial security risks, most organizations will likely continue to use them in the foreseeable future, says the S&P Market Intelligence Business Impact Brief, released by Keeper Security.

Simplicity, cost, and flexibility are the reasons cited for not switching. Often, newer methods lack support from many applications, especially legacy apps, databases, protocols, and resources.

“Other options have their own challenges. Two-factor authentication (2FA) and multi-factor authentication (MFA) methods, such as hardware tokens, biometrics, and ‘passwordless’ authentication, are more complex, may have suboptimal user experience, and can cost more,” the report reads.

A username and password combination remains the most widely deployed authentication measure, with 58% of organizations using it, the survey data shows. Passwords beat the second most widely adopted form of authentication, mobile push-based two-factor authentication (MFA), by a substantial margin.


Google has already announced that it is going passwordless by default, pushing passkeys that use fingerprints, face scans, PINs, and other methods to unlock devices and accounts. Passkeys are substantially easier for consumers to adopt.

Passwordless initiatives have recently gained much traction thanks to new standards, such as FIDO2, WebAuthn, and CTAP, and to support from tech giants.

“However, it is still very early in terms of enterprise adoption of passwordless; only 31% have adopted it, according to 451 Research’s Voice of the Enterprise data.”

For passkeys to become the norm, more websites must adopt them, and many site owners have little motivation to risk degrading the user experience and introducing friction that could drive consumers away. Therefore, username-password combos will remain a crucial part of the authentication landscape for the foreseeable future.

“It may take years for passwordless authentication to become dominant, so in the meantime, organizations should ensure that their users are practicing good password hygiene,” the report argues.

And passwords may not be all that bad when implemented properly, with solid password management. They’re cheap, well-understood by users, and there’s no single authenticator to replace everything.

“Depending on where they are on their authentication journey, organizations are likely to use a broad variety of authentication methods, including passwords, that are appropriate and will work in specific settings,” S&P says.