Adopting passwordless authentication -- first, make sure it's passwordless
Passwords have been under attack for a long time. Not just by data breachers, but by people writing, ad nauseum, about how passwords are an ineffective means of authentication. And yet, after years of password warnings by IT departments, and plenty of hand wringing over how passwords need to be more complex and how often people should change them, the most used passwords are easily guessable (things like Password123, 123456 and QWERTY).
Still, passwords remain in wide use today, and we are paying for it. According to the Verizon Data Breach Investigations Report (DBIR), 82 percent of data breaches are due to the "human element." Chief among this element is stolen credentials, which means passwords.
Hackers don’t want to break in; they want to login and therefore phishing attacks are still proliferating, with the aim usually being to compromise credentials. The dark web is loaded with stolen databases for sale that include people’s passwords. In fact, most security pros will tell you that, to protect yourself, you need to assume that your password has been stolen. This is compounded by things like the recent LastPass breach, where a popular password manager was breached, putting the log-in credentials of countless people at risk.
To combat the problems caused by passwords, forward-thinking companies are doing away with them altogether. They are instead adopting a passwordless strategy for authentication, using means other than passwords for end-users to prove who they are. But, "passwordless" doesn’t always mean what people think it means, so organizations have to be careful when considering this.
The reality is, most passwordless solutions still require a shared secret or a password in the background. The mechanism of authentication for the end-user might not be a password, but whatever they log in with (biometrics, a software application, hardware, etc.) is simply triggering a password stored in the system. The systems themselves say they give users a "passwordless experience," but this is a purely semantic exercise. Passwords still exist in them, and thus they don’t solve the password dilemma and the risks associated with them.
The good news is, there are "no-password" passwordless solutions. This solves the breach problem by not storing any shared secrets. There is nothing to be lost, phished or otherwise compromised. This approach eliminates most of the "human element" Verizon warns against in its DBIR -- there is nothing for people to accidentally lose, give away or re-use.
Success on the path to passwordless doesn’t only require using the correct definition, however. There are multiple considerations to consider, including:
- Is it really passwordless? -- The first step is to confirm that your solution is truly passwordless. Does it mask or simply conceal passwords, or does it eliminate them completely?
- A frictionless user experience -- Complexity is the enemy of IT and of security. Users will find a work-around if company security is too complex, which can create gaps in authentication that can leave organizations vulnerable to cyber-attacks.
- Interoperability -- Most organizations already have made some meaningful investments in Identity and Access Management (IAM) solutions. Replacing them to achieve a passwordless future doesn’t make financial sense. It’s important for passwordless solutions to be able to work with existing IAM systems to increase time-to-value.
- Adaptability -- Authentication systems should be able to work with every person, device and operating system that touches the organization. This prevents unpleasant "surprises" after deployment and helps organizations keep pace with regulatory requirements, compliance and audit reporting.
- Total authentication -- Passwordless strategies done in silos -- in a fragmented fashion, perhaps authenticating different identity types, operating systems, or use cases -- create gaps and inconsistencies that can be exploited, even in a "no password" passwordless approach. Taking a holistic approach to a passwordless strategy can eliminate these gaps and deliver to desired security and productivity benefits.
It's time to stop attacking passwords and instead move away from them. Taking a passworldess approach can accomplish this objective. But not all passwordless systems are truly passwordless, and there are other factors to consider. Doing so can make organizations more phishing resistant, less of a target for ransomware attacks and account takeovers, and closer to attaining a Zero Trust model. More importantly, companies can get a handle on the "human element" of security, which is a big win for everyone.
Bassam Al-Kahlidi is Co-CEO of Axiad IDS, Inc.