Things to know about passwordless security: no, criminals will not cut off your thumb or peel the skin off your face to steal your biometrics and hack your network. And yes, C-suite executives always ask Wolfgang Goerlich, advisory CISO at Cisco Duo, this question.

“Everybody does,” he said. “We’ve seen so many 'Mission Impossible' movies — we know the risk. But here’s the thing: if a criminal is able to clone my biometrics, get ahold of my phone, get ahold of my computer, and bring those both into my home office, and then authenticate as me, and then only open up the applications that I normally open up during business hours, at that point I may just hire him as a contractor.”

However, while it’s highly irrational and unlikely to happen, this innate fear of losing fingers and eyeballs proves Goerlich’s point, which he hopes to hammer home during his Black Hat session about passwordless security. “What can we do from an enterprise security perspective to increase the trust in passwordless authentication? That’s what’s important right now.”

Passwordless security, at a very basic level, is any method that verifies a user or device without requiring a password. It usually involves some form of multi-factor authentication and contextual access management, and it may involve a hardware token and biometrics.

Its appeal is two-fold: passwords are neither user-friendly nor an effective form of security, Goerlich said. Users don’t like having to remember 50 unique passwords to access corporate systems and then change those passwords every three months. Meanwhile, attackers can easily copy, steal, buy, or brute-force their way in. So why do we still use passwords?

Password Perception Vs. Technology

There are a couple of reasons for this, and they involve perception as well as the technology itself. “It has taken a bit for the technology to mature,” Goerlich said. From an IT perspective, he hears: “I don’t know that I necessarily trust the technology. There’s an overall perception that platform-based authentication isn’t ready. And then from the user side there are some very real privacy concerns. I don’t necessarily want my organization having my biometrics.”

At RSA Conference 2018, industry organizations adopted the FIDO2 specifications as the official web standard for passwordless authentication. The standard allows organizations to verify that the people and devices accessing their web applications are trusted users and devices. “That standard has been out for a little over a year, and there’s still movement around the industry to adopt the standard,” Goerlich said. “So there are the legacy concerns, but now there will be very real-world deployment of a standard.”

As with any technology, there are some early passwordless adopters. But the bulk of the organizations that Goerlich talks to are in the planning and piloting stage. “That may be the initial ‘let me figure out how it plays into my roadmap,’ up to ‘we’re conducting limited pilots with specific users or across specific use cases,’” he said.

Also, he encourages CISOs to “bundle” passwordless with other zero-trust security tools such as identity and access management. “Partnering identity with passwordless is very appealing because we can establish that strong user identity with strong authentication factors without requiring more user effort. So this is a rare opportunity where it can actually reduce the amount of work that they need to do to establish that strong authentication.”