Earlier this week, Apple, Google, and Microsoft announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. We are excited about this announcement and applaud the players involved. It will accelerate momentum towards eliminating passwords entirely in the future. And to be a little selfish, it helps our mission at SecureAuth of delivering a frictionless user experience while giving organizations strong security. It’s great to see some of the large tech leaders get behind this transformation in how we access our digital lives – at work and at home.
This announcement extends the current capabilities to allow users to automatically access their FIDO sign-in credentials on their devices, even new ones, without having to reenroll every account. It also enables users to use FIDO authentication on their mobile device to sign into an app or website on a nearby device, regardless of the OS platform or browser they are running. While this will tremendously benefit the consumer side of authentication (CIAM), the nuances of workforce authentication still need to be worked out. Also, large, complex organizations that require NIST’s AAL2 and AAL3 might not be in a position to fully leverage this model for several years. Large enterprises and government agencies will still need solutions that deliver conditional access through adaptive policies backed by AI and machine learning-based behavioral modeling.
Passwords are the weakest link. Passwords are a highly insecure method of authentication, and their intrinsic vulnerabilities account for 80% of all breaches. Adopting authentication methods that do not rely on passwords could eliminate most of the breaches and account takeover (ATO) attacks an enterprise faces.
Besides security issues, there are significant issues around revenue loss due to consumer attrition. Think of the times you faced CAPTCHA images you could not match, leading to total frustration and moving on to another app or site. Furthermore, a sizable chunk of help desk IT costs relates to password-related issues.
Unfortunately, most organizations are still behind the curve, but there is clear momentum toward the passwordless journey. According to the latest research report by ESG (Enterprise Strategy Group) and SecureAuth, passwordless initiatives have become strategic, with 70% of organizations reporting they will start going passwordless in the next 24 months.
Passwordless is the first step towards a frictionless user digital journey. We need to go beyond it and move towards continuous authentication. Once you know who the user is and how they behave, why not remove any friction? This applies to mobile, desktop, and any other devices the user is using. This is why SecureAuth treats authentication as a continuum instead of a binary event, allowing it to defend against threat actors at all stages of their attack plan. Continuous passwordless authentication is the only way to maintain the delicate balance between the two competing objectives of IT Operations: service level speed and secure access management.
Find SecureAuth on the FIDO Alliance website for our certified products.
Passwordless is not the future; it is already here, as proven by the endorsement from some of the tech leaders. SecureAuth, along with various security thought leaders, is commending this move strongly. “The standards developed by the FIDO Alliance and World Wide Web Consortium and being led in practice by these innovative companies is the type of forward-leaning thinking that will ultimately keep the American people safer online,” commented Jen Easterly, Director of the U.S. Cybersecurity and Infrastructure Security Agency.