Why the time is right for passwordless authentication [Q&A]
Although the death of passwords has been predicted for a long time, the move to other forms of authentication has until recently been glacially slow.
The shift to remote working driven by the pandemic has increased interest in securing wider networks and that has put passwordless authentication into the spotlight. We spoke to Tom Bridge, principal product manager at JumpCloud, to find out more about the technology and the benefits it offers.
BN: What is passwordless exactly?
TB: Passwordless access is what it says -- logging in or authenticating by other forms of authentication to check who someone is before letting them access something. By replacing passwords with another route, you can stop common attacks on your IT like credential stuffing, guessing passwords for accounts, or social engineering users into sharing them. Common ways to achieve passwordless authentication include using employee devices with push authentication, smart links sent to email addresses, or a physical token. Similarly, passwordless can use biometric authentication with a fingerprint or facial recognition to prove that someone is who they say they are at a specific time and place.
It also gets over the problem of having to manage password policies where users have to change their credentials regularly. This can lead to more re-use of passwords, and then to accounts being less secure over time.
Passwordless also covers the use of passkeys, which means that you can lock authentication to a specific domain. This means that users cannot be phished, which is one of the biggest issues that companies face, regardless of size. Apple has added support for passkeys, for example, helping everyone to adopt this approach.
BN: Why should companies look at this area? How does it help them?
TB: Verizon found that 61 percent of breaches that companies suffered involved credential data. Rather than software vulnerabilities or zero-day holes in software that required huge amounts of skill to carry out, a lot of breaches are the equivalent of leaving a door unlocked to your house. It doesn't take much skill to take advantage of that kind of access, so bad actors will take advantage of a collected credential, just like a thief might if they came across a door with a key still in the lock.
Removing passwords and replacing them with better, more effective and secure ways to manage identity should help to solve a lot of these potential problems over time. It prevents those simple issues from leading to hackers getting network or application access and trying to find other ways to steal data or implement ransomware.
BN: Why is this area getting a lot of hype?
TB: Many companies are keen to implement zero trust security models so they can improve their defenses, and managing identities effectively is essential if you want to move to zero trust. You have to prove that you are who you say you are, and then keep that level of security in place. This will often mean some changes in how security gets implemented, and passwordless is a key element in that change.
Passwordless needs to be as simple to deploy and use as traditional passwords, or people won't take to it or will find ways around it. Just saying that you are going passwordless is not a magic bullet that will magically prevent hacks from occurring. Effective implementation of passwordless authentication requires execution and training to adopt.
According to Productiv research last year, the average number of applications that a company has in place is 254. Of all those apps, only 45 percent will be used on a regular basis. Teams will use between 40 and 60 apps each, and remembering credentials for all those systems is just hard work. Deploying a password manager and single sign-on (SSO) can help your employees get smarter and faster access to their systems, and make things easier for them as well as more secure.
BN: OK, what are the practical steps that people can take around this?
TB: Implementing passwordless involves three steps. First, you have to centralise your approach to authentication. Rather than relying on each application's log-in process, you put everything through a single point of control. This consolidates the number of log-ins that users have to carry out and the number of passwords that users have to remember.
Using SSO linked to one really strong and secure identity is better than having multiple applications each with their own. Similarly, using a password manager can simplify how to control access to all those applications. For businesses, tools like SSO and password managers can be managed centrally, which makes it easier to distribute access to users and groups, and to revoke user access when you need to take that access away.
Following this, you can enforce multi-factor authentication, so that users have to prove who they say they are. However, with SSO in place, they should only have to do this once. MFA is a fantastic precursor to passwordless authentication because it still has a stored password, and users grow accustomed to the verification factors typically used in passwordless authentication at the same time.
Lastly, you should look at implementing a FIDO login structure, and then how you scale this out over time. FIDO is a set of standards for secure passwordless authentication created by the FIDO Alliance, so this helps you future-proof your approach. You can start your implementation with a group of users, gather feedback and fix any perceived problems, and then roll out to more employees. This should help you scale up, but also keep things maintained.
BN: Will passwordless stop hacks from taking place?
TB: Passwordless is not a silver bullet. It will stop a lot of potential hacks, but it won't improve your overall attack surface entirely. What it will achieve is to make security easier to implement and maintain over time, it will guard against some of the easier scripted attacks that hackers can carry out, and it will prevent some of the social engineering attacks that bad actors use. You can't give out your password when you don't know it, and you can't share your authentication details. This approach fits in well alongside other security techniques like device fingerprinting and conditional access.
The biggest thing to bear in mind is that passwordless is about keeping things easy to use for your employees while making the job of getting into a company network harder for an attacker.