Despite improvements in cybersecurity, digital security breaches are as prevalent as ever. In the last month alone, data breaches have been detected at American Airlines (8,000 affected, June 27th), Mondelez (50,000 affected, June 21st), and Reddit (a ransomware attack on June 19th with a demanded payout of $4.5 million). It’s clear that threat actors are advancing and looking for weak spots and backdoors into protected systems.
Passwords represent an ever-growing vulnerability in many of our systems. Whereas in the past, passwords were small but effective checkpoints of verification, they are now overpowered by the methods of modern threat actors who can easily lift, replicate, or otherwise intercept them for the express purpose of accessing privileged information. The future of authentication seems to lie in going passwordless and eliminating the password (and other such binary forms of authentication) in most settings. Yet to some, this move seems too hasty; won’t passwordless solutions come with their own vulnerabilities and pitfalls?
In this blog, we explore the promises passwordless authentication makes, if and how it fulfills them, and any trade-offs it brings to the table. We will then describe why, in the end, passwordless authentication still proves to be more secure than passwords.
What does passwordless really mean?
After nearly a decade of development, passwordless authentication is finally a real contender in authentication. In fact, it’s rapidly becoming the only contender, with nearly every vendor touting their passwordless, Zero-Trust solution. But what is passwordless authentication (and for that matter, what is Zero-Trust)?
Passwordless authentication is a form of multi-factor authentication (MFA) that replaces something you know (a password) with other verification factors, such as something you have (e.g. a phone, watch, or token) or something you are (e.g. a face scan or fingerprint). At SecureAuth, we innovated by adding “something you do” as a dimension of trust, using data engineering and AI/ML-powered behavioral modeling. Passwordless authentication is a radical shift away from using highly hackable character-based keys to grant access to privileged resources. With passwords gone, the number of support and help desk calls related to password resets naturally declines, and user convenience is often increased.
Zero-Trust is a security approach that proposes that all resources be secured and that no user be assumed trustworthy without extensive double-checking at each request for access to a resource. Zero-Trust approaches are meant to include contextual and behavioral evaluations (each request and requestor is assessed on contextual and behavioral details) and to operate on the principle of least privilege (PoLP), wherein users are granted the minimum access level necessary to complete a task or role.
Passwordless Promises and Fulfillment
In effect, a passwordless, Zero-Trust solution promises the following:
- a reduced rate of account takeover (ATO)
- a reduced number of support and help desk calls
- reduced friction for end-users
- reduced access to privileged documents other than for users that are verified
- a higher level of overall security
- a greater ROI in cybersecurity for the organization
Let’s review the trade-offs one makes when going passwordless. Notably, the list of promises passwordless solutions make does not include a reduction in MFA friction and fatigue. It doesn’t take long to surmise that a Zero-Trust framework that “assesses every request and requestor” can quickly lead to an explosion in MFA friction and fatigue in your organization. A potential trade-off, therefore, is overall user experience in exchange for greater security. However, some solutions have found a way to implement a passwordless, Zero-Trust framework without sacrificing user experience. SecureAuth Arculix’s solution is based on behavioral cues, combining each user’s discrete habits, devices, and significant events to model their behavior while continuously monitoring the surrounding environment.
There are other risks more specific to particular authenticator methods. For example, a security key is not digitally replicable but can be physically stolen. OTP methods can be intercepted, especially when sent through insecure mediums like SMS. However, while these concerns pose a real risk, they are easily reduced or eliminated by following best practices: OTPs should be time-limited, sent over secure channels, and presented in harder-to-lift forms, like QR codes rather than numeric strings; security keys can be used in limited cases where the risk of contact with potential thieves is low.
Finally, there are user-based barriers. The first is resistance to adoption: some users simply feel uneasy about authentication changes. Going passwordless necessitates keeping your users abreast of all updates and walking them slowly through the new system so they can get acclimated. Explaining to users that a passwordless solution may help them spend fewer hours on the phone with the help desk can contextualize the need for the changes. The second barrier is legacy authentication. This includes all protocols that use basic authentication and can’t enforce any alternative-factor authentication (e.g. email protocols such as POP, SMTP, and IMAP). Passwordless solution providers must work closely with IT to develop replacements for, and transitions away from, these legacy systems.
Overall Strength of Passwordless
We have reviewed what Passwordless solutions typically promise, what they can actually deliver, and where they run into obstacles. Despite initial reservations, much of the IAM/CIAM space has come to accept that passwordless solutions are the way forward in authentication. This is because, despite the apparent pitfalls, many of the issues with passwordless can be resolved by adhering to best practices and choosing a solution that can go above and beyond the minimum requirements of security.
Authentication has traditionally been viewed as a singular event of verifying oneself. After the initial verification, legacy platforms make no further inquiries into one’s identity. Authorization is the event of verifying the access rights of a given individual. Put another way: authentication is establishing who’s at the door, and authorization is determining which rooms they get to go into once inside. But if we come to suspect that our guest is not who they say they are once inside, we don’t continue to give them free rein across the premises.
This is to say, authentication is a continuum: there’s a marked difference between accessing enterprise applications at a standard time of work and accessing confidential work documents well after work hours. Both events require authentication and authorization, but one needs more monitoring for suspicious activity than the other.
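The Zero-Trust evaluation described earlier (assess each request and requestor on context, grant least privilege) and the continuum just described (a routine daytime request versus a confidential document after hours) can be illustrated with a small risk-based step-up policy. This is an added example, not SecureAuth’s or Arculix’s code; the signals, the weights, the two thresholds and the user baseline are all assumptions constructed for illustration, and a real platform would learn the baseline from behavioral data rather than hard-code it.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"        # low risk: let the session continue without interruption
    STEP_UP = "step_up"    # medium risk: require a fresh, stronger factor before proceeding
    DENY = "deny"          # high risk: block and flag for review


@dataclass(frozen=True)
class AccessRequest:
    """One request inside a session (constructed signal set, not a real product schema)."""
    user: str
    device_id: str
    ip_country: str
    hour_local: int              # 0-23, requester's local time
    resource_sensitivity: str    # "standard" or "confidential"


@dataclass
class UserBaseline:
    """What is 'normal' for this user; assumed to come from prior behavioral modeling."""
    known_devices: set
    usual_countries: set
    work_hours: range            # e.g. range(8, 19) for 08:00-18:59


# Assumed weights and thresholds, chosen so that one anomaly on a standard resource is
# tolerated, a sensitive resource plus an anomaly triggers step-up, and several anomalies deny.
WEIGHTS = {"unknown_device": 40, "unusual_country": 30, "off_hours": 20, "confidential": 20}
STEP_UP_AT = 30
DENY_AT = 80


def risk_score(req: AccessRequest, baseline: UserBaseline) -> int:
    score = 0
    if req.device_id not in baseline.known_devices:
        score += WEIGHTS["unknown_device"]
    if req.ip_country not in baseline.usual_countries:
        score += WEIGHTS["unusual_country"]
    if req.hour_local not in baseline.work_hours:
        score += WEIGHTS["off_hours"]
    if req.resource_sensitivity == "confidential":
        score += WEIGHTS["confidential"]
    return score


def decide(req: AccessRequest, baseline: UserBaseline) -> Decision:
    score = risk_score(req, baseline)
    if score >= DENY_AT:
        return Decision.DENY
    if score >= STEP_UP_AT:
        return Decision.STEP_UP
    return Decision.ALLOW


def evaluate_session(events: list, baseline: UserBaseline) -> list:
    """Re-evaluate every request in a session, not just the login: the point of the continuum."""
    return [decide(e, baseline) for e in events]


if __name__ == "__main__":
    # Constructed baseline and session for user "alice".
    alice = UserBaseline(known_devices={"laptop-01"}, usual_countries={"US"}, work_hours=range(8, 19))
    session = [
        AccessRequest("alice", "laptop-01", "US", 10, "standard"),      # normal workday access
        AccessRequest("alice", "laptop-01", "US", 23, "confidential"),  # same device, late, sensitive
        AccessRequest("alice", "tablet-99", "RO", 3, "confidential"),   # everything anomalous at once
    ]
    for req, d in zip(session, evaluate_session(session, alice)):
        print(f"{req.hour_local:02d}:00 {req.resource_sensitivity:12s} score={risk_score(req, alice):3d} -> {d.value}")
```

The same identity that was allowed in at 10:00 is asked for a step-up at 23:00 when it reaches for a confidential document, and is denied outright when device, location and time all depart from its baseline. That is the difference between authenticating once at the door and re-evaluating trust on location.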
SecureAuth Arculix: Next Generation Authentication
SecureAuth Arculix is a first-of-its-kind authentication approach, fundamentally transforming how sensitive information is protected. We evaluate users not only at the proverbial door but on-location as well. There is no other solution on the market that monitors post-authorization continuously.
Our Continuous Behavioral Authentication platform utilizes context and behavioral modeling to deliver a risk-based step-up authentication. It balances risk and friction and delivers a passwordless user experience while ensuring maximum security at levels unmatched in today’s security landscape. It does all of this while leveraging enterprise data to look for signs of abnormal behavior throughout the user session. Our technologies measure the human patterns of your users, so when they change, you know about them.
Replacing passwords with a highly secure and frictionless alternative starts with exploring passwordless authentication options. Each organization comes with its own considerations, meaning there is no one-size-fits-all solution when it comes to passwordless authentication. Our Passwordless eBook can help clarify which options best fit your organization’s needs.
Please contact us for a demo of our offering.