Advances in passwordless authentication technology now make it possible for organizations to enable passwordless access to their resources. Passwords are undoubtedly the weakest form of a security credential a user can use to access resources. This is universally true for both workforce and consumer applications.
Businesses have struggled with passwords for years trying to figure out ways to remove their inherent weakness. Organizations implemented Multi-Factor Authentication (MFA) to provide an additional layer of security to strengthen the integrity of password-based authentication.
Smart MFA as a way to kill the password
Passwordless authentication meets the password struggle head-on by supporting the removal of passwords from many unique use cases. With smart MFA fully replacing the need for passwords, the resulting passwordless authentication provides two key benefits:
- Exponentially stronger security for the organization and their user identities,
- A much smoother user experience with the removal of change-your-password-every-30-days interruptions.
Identity is the new firewall — so identity security must be at the core of any modern cloud identity and access management solution. SecureAuth, one of the leading security players in the cloud IAM space, collaborates with organizations across multiple industries to develop, manage, and implement their access management roadmaps extending out 1-5 years. We know getting to passwordless, especially when starting with Active Directory or even Azure Active Directory infrastructure already in place, is a journey. This journey requires the appropriate planning and execution to integrate and manage the technology in any ecosystem.
Topics covered in this post include:
- Can you realistically use passwordless for login
- Can you have MFA as part of passwordless login
- How to assess if you are ready for passwordless authentication
- Best practices for deploying passwordless login for work from home situations
Moving Beyond Passwords
Forrester estimates that 70% of organizations are still password-centric. What we know is that passwords are insecure, difficult to manage, and create a poor user experience. When it comes to relying on passwords to secure your systems, applications, and data, consider the following:
- The Verizon 2020 Data Breach Investigations Report identified that 80% of hacking-related breaches can be attributed to either lost/stolen or weak passwords
- The SecureAuth 2020 State of Identity Report revealed that 38% of management and 70% of non-management associates do not use unique passwords to access accounts
- The Ponemon Institute study examining the financial impact of data breaches found that US companies spend on average $8.64 million per breach
2FA with SMS — still better than nothing
When the pandemic forced organizations to shift their workforce to a work from home (WFH) model, many companies turned to using two-factor authentication (2FA) to strengthen their security posture. The 2FA many of the companies put in place was a one-time password (OTP) sent via SMS to the user. It made sense to utilize this form of 2FA because it can be deployed quickly, and nothing needs to be installed on the user’s phone. But this type of 2FA is risky.
OTP via SMS inherently harbors some risk. The SMS message can be intercepted by hackers and thus provide them with the passcode they need to compromise an account. NIST (National Institute of Standards and Technology) recommends that SMS be removed as a two-factor authentication method. NIST also notes that while 2FA with SMS is more secure than just a password by itself, it’s still not good enough. And because of the risks, NIST is discouraging the use of SMS as an ‘out of band authenticator’ — a method for delivering a one-time passcode for multi-factor authentication.
SMS 2FA risks are real
Cyber-criminals gain access to an SMS message in a couple of ways:
- Endpoint compromise: A bad actor installs a malicious app on the user’s endpoint device (smartphone). This app can read an out-of-band secret sent via SMS. The bad actor then uses the compromised secret passcode to authenticate and get access.
- Social engineering: An out-of-band secret sent via SMS is received by an attacker. The attacker previously convinced the mobile operator to redirect the victim’s mobile phone number to the attacker. The bad actor again uses the compromised passcode to authenticate and gain access.
In each of these instances, the security in place does not provide enough visibility to truly verify the identity of the individual utilizing the passcode and requesting access. Passwordless authentication overcomes the visibility issue by leveraging advances in identity security technology to validate and verify users requesting access to resources.
Getting Started with Passwordless Authentication
Passwordless authentication is not new. We have had biometrics for authentication purposes for many years. Some organizations recently designed login workflows leveraging Adaptive Authentication (contextual risk checks) along with discrete multi-factor authentication methods to achieve passwordless access for various use cases.
The emergence of user-friendly technologies such as biometrics-based FIDO2 WebAuthn is enabling organizations to move away from passwords.
The factors contributing to the development of passwordless authentication technologies include:
- Ubiquity of a portable, affordable and powerful general-purpose computing device, the smartphone, and its use for both primary access and authentication
- Improvements in face, voice and fingerprint recognition algorithms and hardware sensors that enable biometric authentication on popular end-user devices (PCs, tablets and smartphones)
- Security, availability, and broad user acceptance of affordable hardware authentication tokens
Getting adoption through user experience
Passwordless authentication in general terms is the means of authenticating a user identity without requiring a password. By utilizing passwordless authentication organizations significantly improve the user experience while also providing the security benefit of not requiring a password.
Forgotten passwords, weak or shared passwords, phishing, social engineering and brute-force attacks occur daily and create unnecessary risk for businesses and users. Cyber criminals know these attack methods work – as evidenced by the 80% statistic presented in the Verizon DBIR. Bad actors will continue to deploy these attack methods. They know the odds are in their favor to ultimately compromise an organization’s security. However, with no password there is nothing to phish, steal, or brute force away from a user. This means stronger security.
The most promising passwordless technologies
The following provides a brief overview from Gartner of some emerging passwordless technologies organizations are utilizing to improve security and the user experience (Is Passwordless Authentication Ready for the Enterprise? Dec. 2019):
- Windows Hello for Business: Introduced in 2015, WHfB provides passwordless authentication to Active Directory, Azure AD and standalone Windows machines. Out of the box WHfB supports face, iris and fingerprint recognition, and local PINs.
- FIDO: The FIDO Alliance was founded in 2012 to create authentication standards to help reduce the world’s over-reliance on passwords. FIDO Universal Authentication Framework (UAF) and the FIDO2 specifications provide a foundation for widespread adoption of passwordless authentication.
- Phone-as-a-Token: Frequently used together with passwords to support multifactor authentication (MFA), phone-as-a-token authentication recently spread to passwordless scenarios. Mobile push and mobile OTP provide the best trust and UX.
- Biometric Authentication: Biometric authentication uses unique biological or behavioral traits to corroborate users’ identities. Biometric authentication has been an alternative to passwords for many years, but historically adoption has been low.
- Certificates and Smart Cards: PIN protected and biometric-enabled smart cards are rated high for providing trust. Smart card authentication is common in government and military applications and in regulated industries.
Adoption rates will grow a lot, predicts Gartner
According to a 2019 report by Gartner, by 2023 30% of organizations will leverage at least one form of passwordless authentication, eliminating stored static passwords; this is a major increase from today’s 5%. The following matrix summarizes the relationships between the technologies:
Passwordless is Here to Stay
Forrester, Gartner, KuppingerCole, and other analysts covering the Identity and Access Management space agree that passwordless authentication improves security and user experience.
We often say: Identity is the New Perimeter. With workforce, partner, contractor, and customer identities wishing to sign in from anywhere, organizations need an adaptable IAM solution to enable users securely. The threat landscape is continuously changing. Protecting the business from attack starts with ensuring only the right people can gain access to valuable resources.
The job of the identity and access management team is a dynamic, ongoing responsibility. It involves launching new apps, managing M&A, on-boarding & off-boarding users, integrating UEBA or threat intelligence engines, and developing risk scores. Integrating passwordless capabilities across multiple use cases is a journey. Security professionals must continuously investigate how and where passwordless technology can become a part of their Identity and Access Management program.
Getting started with Passwordless and SecureAuth
The talented team at SecureAuth works with customers to devise a modern cloud IAM strategy leveraging passwordless authentication. We provide the know-how you need to confidently enable your workforce, contractors, partners and customers.
Even with an existing IAM solution in place, you can apply passwordless authentication. SecureAuth integrates with leading user directories including Microsoft Active Directory and Azure Active Directory to provide a robust set of passwordless login options. Connect with us to begin your passwordless journey.