
Passwordless Momentum Grows as CISO MFA Trust Fades: Portnox Survey


CISO demand for passwordless verification methods is rising quickly as trust in multifactor authentication (MFA) continues to fall, according to a report released this week by Portnox.

In a survey of 200 CISOs of companies with more than $500 million in revenue, the zero-trust access control vendor found that 92% have either implemented, are implementing, or plan to implement passwordless authentication, a leap over the 70% who said the same thing last year.

At the same time, almost all respondents said they had concerns about MFA’s usability, security, or both. About 96% said MFA couldn’t address evolving threats, and 98% said it doesn’t protect employees well enough, essentially echoing the 99% who felt the same way in Portnox’s survey last year.

In addition, 58% of CISOs said that high-profile security breaches are extremely or very likely the result of compromised passwords or authentication.

MFA Security, Usability Are Concerns

Passwordless methods – from biometrics and passkeys to one-time passcodes and push notifications – don't carry the same security and operational obstacles that MFA does, according to Portnox CEO Denny LeCompte.

“Attackers have evolved well beyond what traditional MFA can handle,” LeCompte told MSSP Alert. “Techniques such as MFA fatigue attacks, prompt bombing, SIM swapping, and AI-driven phishing make it far too easy to socially engineer a second factor. In a world where adversaries can convincingly mimic legitimate login flows in real time, MFA’s safety net has too many holes.”

At the same time, “MFA is disruptive, costly, and frustrating for employees,” the CEO said. “Our survey found that half of CISOs say security policies still interrupt work, and nearly as many describe them as tedious. Employees complain about frequent password changes, confusing authentication prompts, and slow issue resolution. That friction leads directly to lost productivity and risky workarounds.”

According to the survey, 41% of CISOs said passwordless methods improved employee productivity, and 39% said they enhanced the user experience. In addition, half of the CISOs said employees complained that current security measures interfered with or slowed their work.

The Argument for Digital Certificates

The Austin, Texas-based company advocates for a method that uses a digital certificate to verify the identity of users, systems, or devices before granting access to a network or application. The company’s Portnox Cloud platform uses certificates, with the CEO saying that “unlike biometrics, passkeys, or one-time codes, certificate-based authentication removes shared secrets entirely, making it inherently phishing-resistant and highly scalable across any environment.”

All of this is feeding into the ongoing years-long push for passwordless verification methods, led by such heavy hitters as Microsoft, Google, and Apple, and pushed by the FIDO Alliance, an open industry association that launched in 2013 with the goal of improving authentication standards. It’s also a global market that could reach as high as $21.2 billion by 2027, and is gaining momentum as vendors and organizations big and small embrace the technology.

Passwordless for MSSPs, MSPs

Vendors also are rolling out passwordless offerings for MSSPs and MSPs. Secret Double Octopus, which specializes in phishing-resistant passwordless methods, in September launched its ZeroPassword MSP Program, writing that “Managed Service Providers (MSPs and MSSPs) are under more pressure than ever to deliver stronger security, seamless efficiency, and better user experiences. At the same time, they’re juggling their own operational challenges.”

The vendor noted that modern threats are increasingly sophisticated, regulations are tightening, and SMBs “are expecting more from their IT providers. In the middle of all this, one thing has remained painfully consistent: Passwords remain as the weakest link.”

Secret Double Octopus’ program includes multi-tenant management, streamlined deployment, shared account security, and compliance readiness.

Barriers Still Stand

That said, there are also barriers to passwordless adoption, ranging from resistance to change from users and companies to the cost and complexity of implementation, accessibility concerns, and worries about device loss or phishing attacks.

MFA – which includes methods like hardware tokens, authenticator apps, and SMS codes – was seen as a way to bolster password-based access, but malicious actors have developed ways to bypass MFA. Those techniques include adversary-in-the-middle phishing, session hijacking, SIM swapping, brute force, and MFA fatigue.

Despite that, faith in MFA continues, according to Proofpoint.

“Over the past decade ... MFA has risen to become a cornerstone of modern cybersecurity,” the cybersecurity firm wrote late last year. “However, during that time, as user authentication sophistication has improved, so have cybercriminal tactics. Just look at the rise of MFA bypass techniques. Despite the ability of attackers to get past MFA, beliefs about its near perfection persist.”

Proofpoint found that while almost half of all accounts taken over by bad actors used MFA, 89% of security professionals felt MFA was sufficient protection against account takeover threats.

Changing Attitudes

However, Portnox’s survey suggested that this faith in MFA is changing. Over the past year, the percentage of CISOs who said their organizations completed the implementation of passwordless technologies grew from 7% to 14%, and those planning to deploy them jumped from 38% to 52%.

LeCompte wasn’t surprised.

“The surge toward passwordless authentication was expected and ... overdue,” he said. “Organizations are finally realizing that passwords and traditional MFA can’t deliver the security or usability required in today’s distributed environments.”

Given the trend seen in Portnox’s report, LeCompte expects the momentum toward passwordless to continue.

“Over the next 12 months, we’ll see more organizations move beyond pilots and hybrid MFA models toward fully passwordless ecosystems, particularly as integration across identity providers, devices, and cloud services becomes easier,” he said.

Jeffrey Burt

Jeffrey Burt has been a journalist for almost 40 years, moving from general-circulation newspapers to IT news sites in 2000. He’s an expert analyst and writer on cybersecurity, data center infrastructure, AI, and a host of other subjects for a range of organizations, including CyberRisk Alliance, eWEEK, Techstrong Group, The Next Platform, and The Register.
