Managing the Transition to Passwordless Authentication

November 13, 2020
Paul Wiederkehr

Advances in passwordless authentication technology now make it possible for organizations to enable passwordless access to their resources. Passwords are undoubtedly the weakest form of security credential a user can use to access resources – this is universally true for both workforce and consumer applications. Businesses have struggled with passwords for years, trying to figure out ways to remove or mitigate their inherent weakness. A popular approach for many organizations has been the introduction of Multi-Factor Authentication (MFA) to provide an additional layer of security that strengthens the integrity of password-based authentication.

Passwordless authentication meets the password struggle head-on by supporting the removal of passwords from many unique use cases. With smart MFA fully replacing the need for passwords, the resulting passwordless authentication provides two key benefits: exponentially stronger security for the organization and its user identities, and a much smoother user experience with the removal of change-your-password-every-30-days interruptions.

SecureAuth Passwordless Login Page

Identity is the new firewall — so identity security must be at the core of any modern cloud identity and access management solution. SecureAuth, one of the leading security players in the cloud IAM space, collaborates with organizations across multiple industries to develop, manage, and implement their access management roadmaps extending out 1-5 years. We know getting to passwordless, especially when starting with Active Directory or even Azure Active Directory infrastructure already in place, is a journey requiring the appropriate planning and execution to integrate and manage the technology in any ecosystem.

Topics covered in this post include:

  • Can you realistically use passwordless for login
  • Can you have MFA as part of passwordless login
  • How to assess if you are ready for passwordless authentication
  • Best practices for deploying passwordless login for work from home situations

Moving Beyond Passwords

Forrester estimates that 70% of organizations are still password-centric. What we know is that passwords are insecure, difficult to manage, and create a poor user experience. When it comes to relying on passwords to secure your systems, applications, and data, consider the following:

  • The Verizon 2020 Data Breach Investigations Report identified that 80% of hacking-related breaches can be attributed to either lost/stolen or weak passwords
  • The SecureAuth 2020 State of Identity Report revealed that 38% of management and 70% of non-management associates do not use unique passwords to access accounts
  • The Ponemon Institute study examining the financial impact of data breaches released results finding US companies on average spend $8.64 million per breach

When the pandemic forced organizations to shift their workforce to a work from home (WFH) model, many companies turned to using two-factor authentication (2FA) to strengthen their security posture. The 2FA many of the companies put in place was a one-time password (OTP) sent via SMS to the user. It made sense to utilize this form of 2FA because it can be deployed quickly, and nothing needs to be installed on the user’s phone. But this type of 2FA is risky.

SecureAuth offers 30 MFA options, from lightweight methods such as SMS or Link-to-Accept to FIDO2 WebAuthn and digital certificates

OTP via SMS inherently harbors some risk – the SMS message can be intercepted by hackers and thus provide them with the passcode they need to compromise an account. NIST (National Institute of Standards and Technology) has recommended that SMS be removed as a two-factor authentication method, noting that while 2FA with SMS is more secure than just a password by itself, it is still not good enough. Because of the risks, NIST is discouraging the use of SMS as an ‘out-of-band authenticator’ — a method for delivering a one-time passcode for multi-factor authentication.

Cyber-criminals gain access to an SMS message in a couple of ways:

  1. Endpoint compromise: A malicious app is placed on the user’s endpoint device (smartphone) by the bad actor, and the app is able to read an out-of-band secret sent via SMS. The bad actor then uses the compromised secret passcode to authenticate and gain access.
  2. Social engineering: An out-of-band secret sent via SMS is received by an attacker who has convinced the mobile operator to redirect the victim’s mobile phone number to the attacker. The bad actor again uses the compromised passcode to authenticate and gain access.

In each of these instances, the security in place does not provide enough visibility to truly verify the identity of the individual utilizing the passcode and requesting access to resources. Passwordless authentication overcomes the visibility issue by leveraging advances in identity security technology to validate and verify users requesting access to resources.

Getting Started with Passwordless Authentication

Passwordless authentication is not new. The use of biometrics for authentication purposes has been in place and available for many years. And many organizations in recent years have designed policies and workflows leveraging Adaptive Authentication (contextual risk checks) along with discrete multi-factor authentication methods to achieve passwordless access for various use cases.

The emergence of promising technologies such as biometrics-based FIDO2 WebAuthn is enabling organizations to accelerate their move away from passwords to improve security as well as the user experience (UX).

The factors contributing to the development of passwordless authentication technologies include:

  • Ubiquity of a portable, affordable and powerful general-purpose computing device, the smartphone, and its use for both primary access and authentication
  • Improvements in face, voice and fingerprint recognition algorithms and hardware sensors that enable biometric authentication on commonly used end-user devices (PCs, tablets and smartphones)
  • Security, availability, and broad user acceptance of affordable hardware authentication tokens

Passwordless authentication in general terms is the means of authenticating a user identity without requiring a password. By utilizing passwordless authentication organizations significantly improve the user experience while also providing the security benefit of not requiring a password.

Forgotten passwords, weak or shared passwords, phishing, social engineering and brute-force attacks occur daily and create unnecessary risk for businesses and users. Cyber criminals know these attack methods work – as evidenced by the 80% statistic presented in the Verizon DBIR. Bad actors will continue to deploy these attack methods knowing the odds are in their favor to ultimately compromise an organization’s security. However, with no password there is nothing to phish, steal, or brute force away from a user, making security exponentially stronger.

The following provides a brief overview from Gartner of some emerging passwordless technologies organizations are utilizing to improve security and the user experience (Is Passwordless Authentication Ready for the Enterprise? – Dec. 2019):

  • Windows Hello for Business: Introduced in 2015, WHfB provides passwordless authentication to Active Directory, Azure AD and standalone Windows machines. Out of the box WHfB supports face, iris and fingerprint recognition, and local PINs.
  • FIDO: The FIDO Alliance was founded in 2012 to create authentication standards to help reduce the world’s over-reliance on passwords. The FIDO Universal Authentication Framework (UAF) and the FIDO2 specifications provide a foundation for widespread adoption of passwordless authentication technologies.
  • Phone-as-a-Token: Frequently used together with passwords to support multifactor authentication (MFA), phone-as-a-token authentication has recently spread to passwordless scenarios. Mobile push and mobile OTP provide the best trust and UX.
  • Biometric Authentication: Biometric authentication uses unique biological or behavioral traits to corroborate users’ identities. Biometric authentication has been used as an alternative to passwords for many years, but historically adoption has been low.
  • Certificates and Smart Cards: PIN-protected and biometric-enabled smart cards are rated high for providing trust. Smart card authentication is common in government and military applications and in regulated industries.

According to Gartner, by 2023 30% of organizations will leverage at least one form of passwordless authentication, eliminating stored static passwords, which is a major increase from today’s 5% (Passwordless Authentication Is Here and There, but Not Everywhere – Dec. 2019). The following matrix summarizes the relationships between the technologies:

Source: Gartner 2019

Passwordless is Here to Stay

Forrester, Gartner, KuppingerCole, and a list of other analysts covering the Identity and Access Management space agree that passwordless authentication improves security while creating a positive user experience. Use cases vary and the technology used may differ, but the end result is the same – better security and improved UX.

A familiar term often used in the security world is: Identity is the New Perimeter. With workforce, partner, contractor, and customer identities wishing to access resources from anywhere at any time, organizations must have a modern identity and access management solution in place to enable users securely. The threat landscape is continuously changing, and protecting the business from attack starts with ensuring only the right people can gain access to valuable resources.

The job of the identity and access management team is a dynamic, ongoing responsibility. Protecting the business and ensuring identity security is a top priority for IT and business leaders, who must also manage other requirements such as launching new applications, managing M&A activity, on-boarding and off-boarding users, integrating systems like UEBA or threat intelligence engines, developing risk scores, and more. Because integrating passwordless capabilities across multiple use cases is a journey, the time is now for security professionals to investigate how and where passwordless technology can become a part of their Identity and Access Management program.

Getting started with Passwordless and SecureAuth

The talented team at SecureAuth is a great first step to help you and your organization develop and deploy a modern identity and access management solution leveraging passwordless authentication. Our identity security experts can help your team guide your organization through the passwordless journey. We will provide the know-how, expertise, and trusted experience you need to confidently enable your workforce, contractors, partners and customers.

Even with an existing IAM solution in place, you can apply passwordless authentication. SecureAuth integrates with leading user directories including Microsoft Active Directory and Azure Active Directory to provide a robust set of passwordless login options. Connect with us to begin your passwordless journey.
