Advances in passwordless authentication technology now make it possible for organizations to enable passwordless access to their resources. Passwords are undoubtedly the weakest form of a security credential a user can use to access resources – this is universally true for both workforce and consumer applications. Businesses have struggled with passwords for years trying to figure out ways to remove or mitigate their inherent weakness. A popular approach for many organizations has been the introduction of Multi-Factor Authentication (MFA) to provide an additional layer of security to strengthen the integrity of password-based authentication.
Passwordless authentication meets the password struggle head-on by supporting the removal of passwords from many unique use cases. With smart MFA fully replacing the need for passwords, the resulting passwordless authentication provides two key benefits: exponentially stronger security for the organization and their user identities, and a much smoother user experience with the removal of change-your-password-every-30-days interruptions.
Identity is the new firewall — so identity security must be at the core of any modern cloud identity and access management solution. SecureAuth, one of the leading security players in the cloud IAM space, collaborates with organizations across multiple industries to develop, manage, and implement their access management roadmaps extending out 1-5 years. We know getting to passwordless, especially when starting with Active Directory or even Azure Active Directory infrastructure already in place, is a journey requiring the appropriate planning and execution to integrate and manage the technology in any ecosystem.
Topics covered in this post include:
- Can you realistically use passwordless for login
- Can you have MFA as part of passwordless login
- How to assess if you are ready for passwordless authentication
- Best practices for deploying passwordless login for work from home situations
Moving Beyond Passwords
Forrester estimates that 70% of organizations are still password-centric. What we know is that passwords are insecure, difficult to manage and create a poor user experience. When it comes to relying on passwords to secure your systems, applications, and data, consider the following:
- The Verizon 2020 Data Breach Investigations Report identified that 80% of hacking related breaches can be attributed to either lost/stolen or weak passwords
- The SecureAuth 2020 State of Identity Report revealed that 38% of management and 70% of non-management associates do not use unique passwords to access accounts
- A Ponemon Institute study examining the financial impact of data breaches found that US companies spend on average $8.64 million per breach
When the pandemic forced organizations to shift their workforce to a work from home (WFH) model, many companies turned to using two-factor authentication (2FA) to strengthen their security posture. The 2FA many of the companies put in place was a one-time password (OTP) sent via SMS to the user. It made sense to utilize this form of 2FA because it can be deployed quickly, and nothing needs to be installed on the user’s phone. But this type of 2FA is risky.
OTP via SMS inherently harbors some risk – the SMS message can be intercepted by hackers and thus provide them with the passcode they need to compromise an account. NIST (National Institute of Standards and Technology) has recommended that SMS be removed as a two-factor authentication method, noting that while 2FA with SMS is more secure than just a password by itself, it’s still not good enough. Because of the risks, NIST is discouraging the use of SMS as an ‘out of band authenticator’ — a method for delivering a one-time passcode for multi-factor authentication.
Cyber-criminals gain access to an SMS message in a couple of ways:
- Endpoint compromise: A malicious app is placed on the user’s endpoint device (smart phone) by the bad actor and the app is able to read an out-of-band secret sent via SMS. The bad actor then uses the compromised secret passcode to authenticate and get access.
- Social engineering: An out of band secret sent via SMS is received by an attacker who has convinced the mobile operator to redirect the victim’s mobile phone number to the attacker. The bad actor again uses the compromised passcode to authenticate and gain access.
In each of these instances, the security in place does not provide enough visibility to truly verify the identity of the individual utilizing the passcode and requesting access to resources. Passwordless authentication overcomes the visibility issue by leveraging advances in identity security technology to validate and verify users requesting access to resources.
Getting Started with Passwordless Authentication
Passwordless authentication is not new. The use of biometrics for authentication purposes has been in place and available for many years. And many organizations in recent years have designed policies and workflows leveraging Adaptive Authentication (contextual risk checks) along with discrete multi-factor authentication methods to achieve passwordless access for various use cases.
The emergence of promising technologies such as biometrics-based FIDO2 WebAuthn is enabling organizations to accelerate their move away from passwords to improve security as well as the user experience (UX).
The factors contributing to the development of passwordless authentication technologies include:
- Ubiquity of a portable, affordable and powerful general-purpose computing device, the smartphone, and its use for both primary access and authentication
- Improvements in face, voice and fingerprint recognition algorithms and hardware sensors that enable biometric authentication on commonly used end-user devices (PCs, tablets and smartphones)
- Security, availability, and broad user acceptance of affordable hardware authentication tokens
Passwordless authentication in general terms is the means of authenticating a user identity without requiring a password. By utilizing passwordless authentication organizations significantly improve the user experience while also providing the security benefit of not requiring a password.
Forgotten passwords, weak or shared passwords, phishing, social engineering and brute-force attacks occur daily and create unnecessary risk for businesses and users. Cyber criminals know these attack methods work – as evidenced by the 80% statistic presented in the Verizon DBIR. Bad actors will continue to deploy these attack methods knowing the odds are in their favor to ultimately compromise an organization’s security. However, with no password there is nothing to phish, steal, or brute force away from a user, making security exponentially stronger.
The following provides a brief overview from Gartner of some emerging passwordless technologies organizations are utilizing to improve security and the user experience (Is Passwordless Authentication Ready for the Enterprise? – Dec. 2019):
- Windows Hello for Business: Introduced in 2015, WHfB provides passwordless authentication to Active Directory, Azure AD and standalone Windows machines. Out of the box WHfB supports face, iris and fingerprint recognition, and local PINs.
- FIDO: The FIDO Alliance was founded in 2012 to create authentication standards to help reduce the world’s over-reliance on passwords. FIDO Universal Authentication Framework (UAF) and the FIDO2 specifications provide a foundation for widespread adoption of passwordless authentication technologies.
- Phone-as-a-Token: Frequently used together with passwords to support multifactor authentication (MFA), phone-as-a-token authentication has recently spread to passwordless scenarios. Mobile push and mobile OTP provide the best trust and UX.
- Biometric Authentication: Biometric authentication uses unique biological or behavioral traits to corroborate users’ identities. Biometric authentication has been used as an alternative to passwords for many years, but historically adoption has been low.
- Certificates and Smart Cards: PIN-protected and biometric-enabled smart cards are rated high for providing trust. Smart card authentication is common in government and military applications and in regulated industries.
According to Gartner, by 2023 30% of organizations will leverage at least one form of passwordless authentication, eliminating stored static passwords, which is a major increase from today’s 5% (Passwordless Authentication Is Here and There, but Not Everywhere – Dec. 2019). The following matrix summarizes the relationships between the technologies:
Passwordless is Here to Stay
Forrester, Gartner, KuppingerCole, and a list of other analysts covering the Identity and Access Management space agree that passwordless authentication improves security while creating a positive user experience. Use cases vary and the technology used may differ, but the end result is the same – better security and improved UX.
A familiar term often used in the security world is: Identity is the New Perimeter. With workforce, partner, contractor, and customer identities wishing to access resources from anywhere at any time, organizations must have a modern identity and access management solution in place to enable users securely. The threat landscape is continuously changing, and protecting the business from attack starts with ensuring only the right people can gain access to valuable resources.
The job of the identity and access management team is a dynamic, ongoing responsibility. Protecting the business and ensuring identity security is a top priority for IT & Business leaders while also managing other requirements such as launching new applications, managing M&A activity, on-boarding & off-boarding users, integrating systems like UEBA or threat intelligence engines, developing risk scores and more. Because integrating passwordless capabilities across multiple use cases is a journey, the time is now for security professionals to investigate how and where passwordless technology can become a part of their Identity and Access Management program.
Getting started with Passwordless and SecureAuth
The talented team at SecureAuth is a great first step to help you and your organization develop and deploy a modern identity and access management solution leveraging passwordless authentication. Our identity security experts can help your team guide your organization through the passwordless journey. We will provide the know-how, expertise, and trusted experience you need to confidently enable your workforce, contractors, partners and customers.
Even with an existing IAM solution in place, you can apply passwordless authentication. SecureAuth integrates with leading user directories including Microsoft Active Directory and Azure Active Directory to provide a robust set of passwordless login options. Connect with us to begin your passwordless journey.