Lately, you may have come across the concept of passwordless systems, such as "Passkeys". From the user's perspective, this approach offers convenient and fast login experiences. Users no longer need to deal with multifactor authentication separately as it is integrated into the process. They also no longer need to search for their password in a password manager or, even worse, try to remember it. Overall, it provides a great user experience.
Companies will love this technology because it increases productivity. There's no longer a need for "password resets," which are estimated to waste 11 hours per year per employee. Additionally, 20% to 50% of IT staff time is currently spent on "password reset" calls, largely because 78% of users forget their passwords within 90 days.
The more productive an employee can be without being distracted by password resets, invalid login attempts, and password updates, the more they can accomplish.
It can also protect companies from potential cyber-attacks, as 81% of all cyber-attacks are centered around stolen credentials.
The reasons mentioned are compelling enough to warrant considering a transition to passwordless technology.
There is yet another reason why many of the world's largest companies are embracing the "Passwordless" approach.
The reason is corporate liability.
Storing passwords carries significant risks. Many organizations struggle to do it securely, and in the event of a breach, they may face legal consequences. Around 73% of users admit to commonly "reusing passwords." This increases the potential impact or “blast radius” of password exposure during a breach. For example, if your organization's password database is breached, that data will be used in attacks known as “credential stuffing” to attack other organizations.
Simply put, a breach of your organization's passwords will likely be used to compromise other organizations. When people start examining the “root cause” of an incident, the roads might lead right back to you.
You might have already noticed a shift but not given it much thought. For instance, some websites are replacing usernames and passwords with "one-time codes" sent to your email. This is to avoid the responsibility and liability of having to store passwords.
These email links and one-time codes shift the security and liability to your email provider. In fact, Gmail.com is likely to do a better job of securing your account than the company you work for.
Public key cryptography allows you to log in without your company or identity provider (IdP) ever storing a "secret". At enrollment the user's device generates a key pair and sends the server only the public key; the private key never leaves the device. Each login is a challenge-response: the server sends a fresh random challenge, the device signs it with the private key, and the server checks the signature against the public key it stored. This is also why Passkeys are growing in popularity. Organizations that adopt this approach no longer risk exposing "secrets" such as passwords because they no longer have them. If an attacker were to compromise your company's "Passkey" database, they would only find public keys, which cannot be used to log in, replayed, or "stuffed" into other sites without the corresponding private keys.
This mitigates the company's legal liabilities, ensuring that even if compromised, there is nothing for the attacker to “steal”.
This is why we say Key9 “doesn’t keep secrets”.
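The flow described above, as an added illustration (this is example code written for this page, not Key9's implementation and not the WebAuthn library code a real deployment would use). It assumes an Ed25519 key pair standing in for a passkey, a hypothetical relying-party hostname `login.example.com`, and an in-memory map as the "credential database". The server side stores only public keys, issues single-use random challenges, and binds every signature to the relying party so a signature obtained by a phishing site cannot be replayed; the `Dump` function shows what a breach of that database actually yields.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Server is a simplified passkey-style relying party. Per account it keeps
// only the public key: no password hash, no shared secret.
type Server struct {
	rpID       string
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte // one outstanding challenge per user
}

func NewServer(rpID string) *Server {
	return &Server{rpID: rpID, pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register stores the user's public key. The private key never leaves the client.
func (s *Server) Register(user string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("bad public key")
	}
	s.pubKeys[user] = pub
	return nil
}

// NewChallenge issues a fresh random nonce; signing it proves possession of
// the private key without the key ever being transmitted.
func (s *Server) NewChallenge(user string) ([]byte, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}

// signedPayload binds the challenge to the relying party, so a signature
// produced for one site is worthless against another (phishing resistance).
func signedPayload(rpID string, challenge []byte) []byte {
	return append([]byte(rpID+"|"), challenge...)
}

// ClientSign is the authenticator's job: sign the rp-bound challenge.
func ClientSign(priv ed25519.PrivateKey, rpID string, challenge []byte) []byte {
	return ed25519.Sign(priv, signedPayload(rpID, challenge))
}

// Verify checks the signature against the stored public key and consumes the
// challenge, so a captured signature cannot be replayed.
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.pubKeys[user]
	expected, pending := s.challenges[user]
	if !ok || !pending || !bytes.Equal(challenge, expected) {
		return false
	}
	delete(s.challenges, user) // single use, whether or not the signature checks out
	return ed25519.Verify(pub, signedPayload(s.rpID, challenge), sig)
}

// Dump simulates a database breach: this is everything the attacker gets.
func (s *Server) Dump() map[string]string {
	out := map[string]string{}
	for u, k := range s.pubKeys {
		out[u] = hex.EncodeToString(k)
	}
	return out
}

func main() {
	srv := NewServer("login.example.com") // assumed hostname
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_ = srv.Register("alice", pub)

	ch, _ := srv.NewChallenge("alice")
	sig := ClientSign(priv, srv.rpID, ch)
	fmt.Println("legitimate login:", srv.Verify("alice", ch, sig))
	fmt.Println("replay of the same signature:", srv.Verify("alice", ch, sig))

	// The attacker holds the whole "credential database" but no private key.
	fmt.Println("breach yields only:", srv.Dump())
	ch2, _ := srv.NewChallenge("alice")
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("attacker armed with the stolen DB:", srv.Verify("alice", ch2, ClientSign(attackerPriv, srv.rpID, ch2)))
}
```

Two details carry the security argument: the challenge is random and consumed on first use, so nothing an attacker captures on the wire is reusable, and the relying-party ID is part of the signed bytes, so a signature coaxed out of the user by a look-alike domain fails verification at the real one. A production deployment would get these properties from the WebAuthn ceremony rather than hand-rolling them.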