Enable the Transition to Passwordless
Relying on passwords is undoubtedly the weakest form of security an organization can use to verify a user’s identity. For years security professionals have been kept busy managing password-related policies in an effort to mitigate that underlying weakness. Implementing passwordless authentication meets the challenge head-on by simply eliminating the need for passwords. Advances in authentication technology now make it easy for security professionals to give their users the high security and convenience of passwordless authentication.
One great way for organizations to strengthen password-based authentication is through the deployment of multi-factor authentication (MFA) to improve assurance and trust. Integrating passwordless workflows for various use cases does not mean MFA should go away. MFA can absolutely exist in harmony with passwordless authentication – exponentially strengthening security and improving the user experience. Taking a layered approach to user access, with both MFA and passwordless, reduces risk and increases trust.
SecureAuth is an Identity and Access Management vendor hyper-focused on delivering the strongest identity security available. We engage with companies across multiple industries to help security teams develop and manage their access management practice. Achieving passwordless is a journey requiring the appropriate level of planning and execution to successfully integrate the unique policies and workflows an enterprise environment needs. Our team of experts understands the challenges and can help security professionals develop a passwordless strategy no matter where your organization is in its access management journey.
Moving Beyond Passwords
Forrester estimates that 70% of organizations are still password-centric. What we know is that passwords are insecure, difficult to manage and create a poor user experience. When it comes to relying on passwords to secure your systems, applications and data, consider the following:
- The Verizon 2020 Data Breach Investigations Report identified that 81% of hacking-related breaches can be attributed to either lost/stolen or weak passwords
- The SecureAuth 2020 State of Identity Report reveals that 38% of management and 70% of non-management associates do not use unique passwords to access accounts
- The Ponemon Institute study examining the financial impact of data breaches found that US companies on average spend $8.64 million per breach
When the pandemic forced organizations to launch work from home (WFH) initiatives, many security teams implemented two-factor authentication (2FA) to strengthen their security posture. A one-time password (OTP) sent to the user via SMS was a popular 2FA option many companies put in place. At the time it made sense to use an SMS-based OTP because it can be deployed quickly and nothing needs to be installed on the user’s phone. But this type of 2FA is risky.
OTP via SMS inherently harbors some risk – the SMS message can be intercepted by attackers, giving them the passcode they need to compromise an account. NIST (National Institute of Standards and Technology) has recommended that SMS be removed as a two-factor authentication method, noting that while 2FA with SMS is more secure than a password by itself, it is still not good enough. Because of these risks, NIST discourages the use of SMS as an ‘out of band authenticator’, that is, as a channel for delivering a one-time passcode for multi-factor authentication.
The Evolution of Passwordless Authentication
Passwordless authentication is certainly not new. The use of biometrics for authentication purposes has been in place and available for many years. And many organizations in recent years have designed policies and workflows that combine Adaptive Authentication (contextual risk checks) with discrete multi-factor authentication to achieve passwordless access for various use cases. The emergence of technologies such as FIDO2 WebAuthn is now enabling organizations to accelerate their move away from passwords, improving security as well as the user experience (UX).
A few factors contributing to the development of passwordless authentication technologies include:
- Ubiquity of a portable, affordable and powerful general-purpose computing device, the smartphone, and its use for both primary access and authentication
- Improvements in face, voice and fingerprint recognition algorithms and hardware sensors that enable biometric authentication on commonly used end-user devices (PCs, tablets and smartphones)
- Security, availability and broad user acceptance of affordable hardware authentication tokens
In general terms, passwordless authentication means authenticating a user identity without requiring a password. By adopting passwordless authentication, organizations significantly improve the user experience while also improving security by removing the often-compromised password. Businesses are put at risk daily as a result of forgotten passwords, weak or shared passwords, phishing, social engineering and brute-force attacks. Cyber criminals rely on compromised credentials, and they know their attack methods work, as evidenced by the 81% statistic in the Verizon DBIR. Attacks on credentials will continue because the methods work and bad actors know the odds are in their favor to ultimately compromise an organization’s security. However, with no password there is nothing to phish, steal, or brute force away from a user, making security exponentially stronger.
Passwordless is Here to Stay
Forrester, Gartner, KuppingerCole, and a list of other analysts covering the Identity and Access Management space agree that passwordless authentication improves security and creates a positive user experience. Use cases vary and the technology used may differ, but the end result is the same – better security and improved UX.
A term often used in the security world is: Identity is the New Perimeter. With workforce, partner, contractor, and customer identities wanting to access resources from anywhere at any time, organizations must have a modern identity and access management solution in place to securely enable these users. Because the threat landscape is continuously changing, protecting the business and its valuable data from attack starts with ensuring that only the right people can actually gain access to applications, portals and systems.
Identity and access management is a dynamic ongoing responsibility. Each and every day security professionals are monitoring and managing systems to ensure protection of both users and the business. Organizations need the right tools and technology to ensure their identity security is delivering the protection and experience businesses require and users expect. Now is the time for security professionals to investigate how passwordless authentication can be utilized within their Identity and Access Management program.
Getting Started with Passwordless
There is no silver bullet for launching passwordless authentication. It begins with one or two applications and a select user group… and slowly it grows and expands throughout the enterprise. A good first step is to engage with SecureAuth. Our experts can work with your organization to assess your current state and develop a roadmap to reach your future state objectives. As noted previously, access management is a journey. And a modern identity and access management solution leveraging MFA, adaptive authentication and passwordless is a necessary tool for security teams protecting both the enterprise and its users.
Working together we will help guide you through your passwordless journey and provide the know-how, expertise, and trusted experience you need to confidently enable your workforce, contractors, partners and customers.
Resources Related to Passwordless
- Video: Passwordless in 21 Days
- Blog: Would you ever consider username and MFA authenticator as a true 2-factor passwordless authentication?
- Blog: The First Step is Always the Hardest – Passwordless is a Journey