05 May Passwordless Technology
Passwordless Technology – Why Should You Consider It?
Passwordless authentication means that you never have to type a password again in everyday digital life. Instead you use stronger options such as a fingerprint reader, face unlock, or a push notification you approve on a device you already carry, whether it runs Windows, Android or iOS. The advantages are significant: there are no complex passwords to remember, no re-typing after a mistyped attempt, and no password for an attacker to guess, phish, or reuse from another site's breach.
As the corporate world becomes aware of the security risks of stolen and shared passwords, alternative authentication systems are coming under the spotlight. Several of them do away with passwords entirely: the user proves identity with something they have (a hardware token or a registered device) or something they are (a biometric such as a thumbprint). Although the approaches differ, all Passwordless methods share one property: no password or equivalent shared secret is stored on the server, so a breach of the authentication database gives an attacker nothing to replay.
Passwordless authentication is the new buzzword in secure authentication and identity and access management (IAM). Passwords are the number one target for cybercriminals: according to the Verizon 2020 Data Breach Investigations Report, over 80% of hacking-related breaches involve brute force or lost or stolen credentials. Passwordless removes the weaknesses of traditional passwords rather than patching around them, and so protects IT security more effectively.
Most organizations still use traditional passwords as their central authentication method, but Passwordless and multifactor methods are maturing. Trusona, for example, integrates with Active Directory and other directory services and lets users authenticate by scanning a QR code that is generated fresh for each login attempt, so the user never has a password at all. Yubico builds the YubiKey, a small USB key (some models also support NFC) that you plug into the device you are authenticating from; it implements open standards such as FIDO U2F and FIDO2/WebAuthn and authenticates you with a public-key signature over a challenge issued by the service, rather than with anything you type or remember. The well-known problems with passwords should encourage companies to adopt IAM, MFA, and Passwordless authentication.
Industry leaders are pushing for stronger authentication standards. The FIDO Alliance, for one, promises simpler, stronger authentication and advocates the abolition of passwords; it develops technical specifications (U2F, FIDO2/WebAuthn) that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords for authenticating users.
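What "no password stored on the server" means in practice is easiest to see in a registration and login exchange. The Go program below is an added example, not code from the original article, the FIDO Alliance, or Yubico: it models a FIDO-style authenticator that signs a server-issued challenge with a private key that never leaves the device, while the relying party stores only the public key and a signature counter. The names `RelyingParty`, `Authenticator`, `Credential` and the domain `example.com` are assumptions for illustration, and Ed25519 stands in for the signature algorithms FIDO actually negotiates; a real WebAuthn flow also hashes client data and carries flag bytes in the authenticator data, which this sketch omits.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Credential is everything the server keeps per user: a public key and the
// authenticator's last signature counter. There is no password and no shared
// secret, so a dump of this table gives an attacker nothing to replay.
type Credential struct {
	PubKey  ed25519.PublicKey
	Counter uint32
}

// RelyingParty (hypothetical name) is the web service being logged in to.
type RelyingParty struct {
	ID        string                 // e.g. "example.com"; bound into every signature
	creds     map[string]*Credential // username -> registered credential
	challenge map[string][]byte      // username -> outstanding single-use challenge
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, creds: map[string]*Credential{}, challenge: map[string][]byte{}}
}

// Authenticator models a FIDO-style security key. The private key is generated
// on the device and never leaves it; only the public key is sent at registration.
type Authenticator struct {
	priv    ed25519.PrivateKey
	counter uint32
}

func NewAuthenticator() *Authenticator {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv: priv}
}

// Register stores the user's public key. Nothing secret crosses the wire.
func (rp *RelyingParty) Register(user string, a *Authenticator) {
	rp.creds[user] = &Credential{PubKey: a.priv.Public().(ed25519.PublicKey)}
}

// BeginLogin issues a fresh random challenge and remembers it so it is accepted once.
func (rp *RelyingParty) BeginLogin(user string) ([]byte, error) {
	if _, ok := rp.creds[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenge[user] = c
	return c, nil
}

// assertionMessage is what gets signed: the relying-party ID (so a signature
// captured by a look-alike phishing site will not verify here), the counter,
// and the challenge.
func assertionMessage(rpID string, counter uint32, challenge []byte) []byte {
	msg := append([]byte(rpID), 0, 0, 0, 0)
	binary.BigEndian.PutUint32(msg[len(rpID):], counter)
	return append(msg, challenge...)
}

// Sign is the authenticator's response. The counter advances on every use so
// that a cloned key, which would present stale counter values, can be detected.
func (a *Authenticator) Sign(rpID string, challenge []byte) (uint32, []byte) {
	a.counter++
	return a.counter, ed25519.Sign(a.priv, assertionMessage(rpID, a.counter, challenge))
}

// FinishLogin consumes the pending challenge, verifies the signature against the
// stored public key, and rejects a counter that has not moved forward.
func (rp *RelyingParty) FinishLogin(user string, counter uint32, sig []byte) error {
	cred, ok := rp.creds[user]
	chal, pending := rp.challenge[user]
	if !ok || !pending {
		return errors.New("no login in progress")
	}
	delete(rp.challenge, user) // single use: a replayed assertion has no challenge to match
	if !ed25519.Verify(cred.PubKey, assertionMessage(rp.ID, counter, chal), sig) {
		return errors.New("bad signature")
	}
	if counter <= cred.Counter {
		return errors.New("signature counter did not advance: possible cloned authenticator")
	}
	cred.Counter = counter
	return nil
}

func main() {
	rp := NewRelyingParty("example.com")
	key := NewAuthenticator()
	rp.Register("alice", key)
	chal, _ := rp.BeginLogin("alice")
	ctr, sig := key.Sign(rp.ID, chal)
	fmt.Println("first login:", rp.FinishLogin("alice", ctr, sig)) // <nil>
	fmt.Println("replay:", rp.FinishLogin("alice", ctr, sig))      // no login in progress
}
```

Three checks carry the security argument: the challenge is random and consumed on first use, so a captured assertion cannot be replayed; the relying-party ID is inside the signed message, so a signature obtained by a phishing domain does not verify at the real one; and the counter must strictly increase, which is how a service notices an authenticator that has been cloned. An attacker who steals the server's `creds` table holds only public keys and can forge none of this.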
In general, authentication that reduces to a single accept-or-reject decision at login, whether a password, two-factor authentication (2FA), or multifactor authentication (MFA) including biometrics, is exposed to fraud precisely because of that binary nature: whoever presents the right factor is accepted, with no further context considered. Meanwhile, the current focus on password complexity encourages credential reuse, raises the total cost of ownership (TCO) through password resets and helpdesk calls, and does nothing to improve overall security.
Some MFA methods are more secure than others; a number of them still rely on SMS codes. Legacy MFA solutions combine a stored secret (a password, PIN, or security-question answer) with a secondary factor that can itself be compromised: a smart card, a hardware token, or a one-time code sent by SMS to the user's phone.
The security of a Passwordless authentication system depends on the proof of identity that replaces the password and on how it is implemented. For example, a push notification that the account holder must approve on a registered device is considered stronger than a password. SMS codes are considered weaker because SMS is an insecure channel, and there have been several documented attacks on SMS-based authentication, SIM swapping among them.
Passwordless technology promises better usability, streamlined authentication, and stronger security by removing the password as a vulnerability from the authentication flow.
To make Passwordless technically possible, an organization needs a solid identity management foundation. Microsoft is the market leader here, with an identity platform that interconnects with third-party tools that enhance the end-user authentication experience. Organizations that have not yet considered Passwordless should look at it now, even if implementation comes later; decisions made today will shape the options available then.