A report from Cisco’s Duo Security found multi-factor and biometric authentication methods surged during the pandemic as enterprises adopted new security measures to support their hybrid workers.
Specifically, multi-factor authentication (MFA) increased 39% year over year while biometrics grew even faster at 48%.
These numbers reflect a growing move away from passwords in favor of lower-friction authentication methods, according to Cisco Global Advisory CISO Dave Lewis, who authored the 2021 Duo Trusted Access Report. Lewis says he likes to compare passwords to house keys.
“Yes, it has the impression of giving you secure access to your environment, but it does nothing to authenticate the person coming through the front door,” he said. “Multi-factor authentication, biometrics, and passwordless, as we move forward in time, are all ways to help streamline security and provide ability for users to be more secure while democratizing security for them. And what I mean by that is making it as easy as possible for them to log in.”
Duo, which Cisco acquired in 2018, has long championed MFA and passwordless security. Earlier this year at Cisco Live, it debuted passwordless authentication for access to cloud applications.
For the past five years, the security company has produced its Trusted Access report. For the 2021 edition, the Duo team analyzed data from more than 36 million devices, 400,000 unique applications, and about 800 million monthly authentications from its customer base across North America, Latin America, Europe, the Middle East, and the Asia-Pacific region between June 2020 and May 31.
Biometrics Skyrocket
Employees, who may be working remotely, don’t want to worry about security, Lewis said. “They have that expectation that they will be secure,” and they expect their organizations to provide the tools to enable this but not at the user’s expense, he added. “And as we go through these results, we see that shift is, in fact, happening. We’re seeing a huge increase in the use of biometric ID on phones.”
More than 71% of Duo customer mobile phones have biometrics enabled, and the total mobile phones with biometrics grew 12% compared to last year. “Being able to use your thumbprint to log into the device is easier than remembering 72 characters,” Lewis said.
The report also includes data from a recent Cisco survey that asked 3,400 IT decision makers from 10 countries about their views on passwordless security. While respondents said security issues related to compromised credentials remain the most concerning aspect of using passwords — 46% of all respondents, and 53% of respondents whose job involves choosing security software — they also expressed concerns about passwordless security.
Their top concern involved the security of passwordless authentication methods, with 37% worrying these methods are less secure compared to passwords plus MFA. Additionally, 35% expressed concerns related to biometric data storage and 28% related to hardware cost.
In conversations he has with CISOs, Lewis says he’s seeing attitudes start to shift as they relate to biometric data storage.
“Organizations are finally waking up to the concept that your fingerprint or thumbprint is not actually stored in the database of the company,” he said. “It’s stored in a secure enclave on the device that never actually leaves the device. So they’re realizing, ‘we don’t have to worry about maintaining a repository of fingerprint data.’ That is a huge win for an organization, and it’s a huge win for the user because it makes it easier for them to get things done.”
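The architecture Lewis describes, as an added example that is not Duo's code or anything from the report: the device keeps the biometric template and a private key, performs the match locally, and signs a server-issued challenge, while the server stores only the public key. It uses Go's standard-library ed25519; hashing a constructed sample stands in for a real fuzzy biometric matcher, and the user name and sample are made up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Device models a phone with a secure enclave: the enrolled template and the private
// key never leave it. Hashing a constructed sample stands in for a fuzzy matcher.
type Device struct {
	template [32]byte
	priv     ed25519.PrivateKey
}
// NewDevice enrolls a sample and generates a device-bound key pair; only pub is exported.
func NewDevice(sample []byte) (*Device, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{template: sha256.Sum256(sample), priv: priv}, pub
}
// Sign runs the local match and, only on success, signs the server's challenge.
func (d *Device) Sign(sample, challenge []byte) []byte {
	if sha256.Sum256(sample) != d.template {
		return nil // match failed; nothing is sent
	}
	return ed25519.Sign(d.priv, challenge)
}
// Server stores one public key per user and no biometric data at all.
type Server struct{ pubs map[string]ed25519.PublicKey }
func NewServer() *Server { return &Server{pubs: map[string]ed25519.PublicKey{}} }
func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.pubs[user] = pub }
// Challenge is a fresh random nonce, so a captured signature cannot be replayed.
func (s *Server) Challenge() []byte { c := make([]byte, 32); rand.Read(c); return c }
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.pubs[user]
	return ok && sig != nil && ed25519.Verify(pub, challenge, sig)
}
// Login runs the full exchange: challenge, local match and sign, then verify.
func Login(s *Server, d *Device, user string, sample []byte) bool {
	c := s.Challenge()
	return s.Verify(user, c, d.Sign(sample, c))
}
func main() {
	s := NewServer()
	d, pub := NewDevice([]byte("constructed-thumbprint"))
	s.Enroll("alice", pub)
	fmt.Println("login:", Login(s, d, "alice", []byte("constructed-thumbprint"))) // login: true
}
```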
Is Passwordless More Secure?
However, concerns about the inherent safety of passwordless security are more difficult to dissuade. “It is a visceral reaction for a lot of security practitioners to say ‘I don’t like that,’” Lewis said, admitting that in the past, he’s reacted this way to new technologies.
“It’s OK to poke holes in things because that’s the nature of what we do,” Lewis said. “We want to make sure that we are trust but verify and then verify again, because we have a fiduciary responsibility to protect our organizations. If we’re not asking those questions, then we’re really doing a disservice to our organization. It’s okay to be proven wrong in a logical format.”
And the security industry as a whole needs to get better at change, he added. “We can’t just say this is a bad idea,” he said. “We have to do a better job of making sure that we are a positive change engine within our organizations.”
In terms of addressing the cost-of-hardware concern related to passwordless authentication, “if organizations have the wherewithal to buy the hardware to do that, that’s fantastic. If that is not within their realm, there are different ways to approach it with compensating controls,” Lewis said. “It’s never a case of one size fits all and definitely not about vilifying the end user because they made a different choice. We have to just make sure that we are constantly having that conversation and showing what the value proposition is” of implementing passwordless security.
Lewis noted a financial institution in the Northeastern U.S. that decided to deploy Duo across the entire enterprise. “They found they were saving over $200,000 a year simply based on the change records for passwords,” he said. “They got to the point where they streamlined the security process so they didn’t have to constantly be opening tickets.”