RSA research predicts an AI-powered move away from passwords
The cybersecurity community doesn’t agree on much, but we can agree upon that. It seems that information security professionals also agree that passwords are hot garbage. The newly published RSA ID IQ report asked more than 2,000 cybersecurity and tech professionals, spread geographically across 62 countries, how often they have to enter their password at work—51% had to do so at least six times a day. Passwords are difficult to remember, easy for hackers to acquire, and costly for IT support to manage. But that’s just skimming the surface of the real issue with passwords: most data breaches begin with compromised credentials. According to RSA, AI could be the passwordless savior waiting in the wings to rescue us from this mess in 2025.
The Problem With Passwords
I am not one to generally agree with the Bill Gates view of the technological landscape, but I can’t argue with his logic for the death of passwords: “They just don’t meet the challenge for anything you really want to secure.” Unfortunately, that prediction was made by Gates in 2004 and passwords have yet to get the message.
The problem is that passwords simply are not working. They are overly complex, not helped by out-of-date practices such as password rotation driving regular changes for users, and rules restricting the construction of said passwords within far too rigid a framework for starters.
Although it might surprise you, coming from the chief product officer at 1Password, a leading vendor in the password management space, Steve Won, but getting rid of passwords is something most security professionals see the upside of: “Without passwords, there’s nothing to steal, making social engineering attacks like phishing ineffective,” Won said.
Paving The Path Toward No Passwords With The Help Of AI
If one message is highlighted by the RSA ID IQ report then it would appear to be that AI and passwordless are the future, and that future is arriving fast. Returning to that 51% of users needing to enter their password credentials at least six times a day, 20% said they had to enter the thing more than 11 times, it’s no wonder that this friction has enterprises looking for something better. Some 61% said that they were planning to implement a passwordless solution in 2025.
Of course, things are never quite that straightforward when it comes to enterprise security, and the RSA report asked what factors were holding people back from making a move to a world without passwords at work.
- 24% said passwordless standards weren’t mature enough for enterprises.
- 21% cited a lack of native platform support.
- 15% said they didn’t trust passwordless authentication.
- 11% said that passwordless was a consumer or personal technology.
Interestingly, a relatively small 13% of people quoted lack of budget. Which is good news for those looking to bring AI solutions into the passworldess equation. “AI solutions can enable a password-less world by eliminating the approach to identity based on what you know to who you are and what you do as a normal pattern,” Rohit Ghai, RSA chief executive officer, said.
So, for example, if a user is logging in from the same device at the same time and accessing the same resources as they always do, then they likely represent a low risk from an authentication perspective. “But if they’re suddenly logging in from a new device pinging from an unknown network at an unusual time,” Ghai said, “then AI should be able to recognize those signals, automate a response, and alert the security team.” Likewise, if an organization is seeing a spike in failed authentications on a resource that’s secured by a password, then it’s likely that they’re being hit with a password-spraying attack “and should step-up their authentication requirements.”
The Challenges Of Adopting AI For Identity Security In A World Without Passwords
While agreeing that defining what is meant by AI itself is a problem, and that the term has been significantly overhyped, Ghai said that the main challenges for adopting AI for identity security are not that different from any other domain. “As we get AI’s help to make critical decisions in identity,” Ghai said, “we will not have the luxury of knowing why it made a certain decision. We are just going to have to trust it and this trust will take some time to develop.” One thing is for sure: the end of a reliance upon insecure passwords is coming and coming sooner than many might expect., thanks to AI.
