Ditching passwords in favor of passwordless, phishing-resistant authentication [Q&A]
According to the FIDO (Fast Identity Online) Alliance, passwords are the root cause of more than 80 percent of data breaches. And yet, many organizations -- both big and small -- continue to use this antiquated approach to authentication. In fact, recent research from Yubico, which surveyed more than 16,000 employees across eight countries, found 59 percent of respondents still rely on usernames and passwords as their primary method of authentication.
Why do we continue to see the same old same old, especially when the authentication industry has made such significant strides in not only passwordless but also phishing-resistant authentication? We spoke with Axiad founder and co-CEO Bassam Al-Khalidi to get an answer to this question and find out how companies can make the move to a passwordless, phishing-resistant future. Read on to hear what he had to say.
BN: Why are so many organizations still using passwords, given phishing and credentials-based attacks are so common and successful?
BA: The biggest inhibitor of any type of modernization is fear of the unknown. Often IT teams will consider going passwordless but will be scared off by lingering questions, such as: 'Where do I start?', 'How much will this cost?', 'How complex will the passwordless process be?' and 'Will end users be on board?' Without definite answers to questions such as these, many companies aren't brave enough to embark on a transformation of this proportion.
Another factor preventing IT teams from going passwordless is the misperception that they'll have to rip and replace existing technology and spend even more money on authentication management. Most IT teams don't even want to make this ask, and even if they do, many executives won't sign off on the request, especially in today's uncertain economic climate.
The good news here is both of these fears are unfounded. There are proven roadmaps detailing the journey to a passwordless future as well as many real-world use cases that demonstrate the value this authentication strategy can provide. Additionally, the right passwordless solutions will fortify -- rather than replace -- existing investments.
BN: Can you explain the different options organizations have when it comes to authentication?
BA: Obviously, log-in credentials, such as a username and password, are the most common and well-known type of authentication strategy. The next step in the journey is traditional multi-factor authentication (MFA), and we saw adoption of this strategy rise when the world began working from home during the COVID-19 pandemic. MFA requires users to present at least two pieces of evidence to prove their identity. The 'evidence' typically falls into something a user knows (e.g., a password) and something they have (e.g., an authentication code via text or email or mobile push notification). But, we're increasingly seeing traditional MFA just isn't enough to fend off phishing attacks from today's advanced cybercriminals. This is because attacks like push bombing, man-in-the-middle attacks, and social engineering can easily break down this process.
Even with MFA, hackers are still going after passwords, so we need to take the bait away from them by going passwordless. Passwordless authentication eliminates the reliance on credentials and secures all entities without passwords or shared secrets.
Finally, the industry has taken passwordless one step further with phishing-resistant authentication, which includes technologies such as Common Access Card (CAC), Personal Identity Verification (PIV) cards, certificate-based authentication (CBA), FIDO2, and Windows Hello for Business (WHfB).
BN: What does the authentication industry recommend as the best practice approach?
BA: The end goal for every organization should be a passwordless, phishing-resistant authentication strategy. While there are many options to get there, each has its pros and cons and finding the right one will take some analysis.
For example, I believe everyone in the industry would agree that FIDO passkeys are the future of passwordless authentication and possibly might be the new gold standard. However, because the technology is not generally available for the enterprise, we need to take a hybrid approach that both supports the FIDO framework and leverages methods that span use cases not currently supported by FIDO passkeys, such as CBA. CBA allows you to supplement your existing investments in IAM ecosystems and quickly move to a phishing-resistant model today. And, FIDO passkeys will help future-proof your strategy and solve authentication challenges for the long term. We call this approach pragmatic phishing resistance.
BN: Can you provide a few practical steps organizations can take on their journey to passwordless?
BA: Absolutely. Here are a few best practices to consider on the journey to a passwordless, phishing-resistant future:
- Do your homework -- It's important to understand that not all passwordless solutions are created equal. A solution offering a passwordless experience is very different from a true passwordless solution. The former might hide the password or secret from the end user, but behind the scenes, the shared secret is still there and can be stolen and exploited. A true passwordless solution is what I like to call 'no password passwordless,' because it provides authentication without requiring a password or other shared human secret. Only this method can provide true phishing resistance.
- Build a holistic authentication strategy -- A fragmented approach to authentication won't work. Organizations need to build a single, holistic strategy founded on an integrated authentication framework. Only when authentication technologies are working in concert can IT teams systematically authenticate across all users, machines and interactions. And, when they can master this, they then can assimilate credentials, analyze in context, automate processes, authenticate uniformly, and adapt to emerging threats more efficiently.
- Develop and follow a passwordless roadmap -- Once an organization has a goal to go passwordless, they need to outline a path to get there. And, it doesn't have to be a company-wide rollout. Many organizations take a phased approach and prioritize the departments that are at most risk when it comes to cyberattacks as a first step.
Organizations should also take care to find a platform that will help them succeed at every phase of their journey. The authentication landscape is evolving all the time, so it's important that the chosen platform is able to support business needs today while being able to easily adapt to meet the needs of tomorrow.
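The phishing resistance of FIDO2 mentioned in the answer on authentication options, and the 'no shared secret' point in the homework tip above, come down to one mechanism: the browser binds each signed assertion to the origin it actually loaded and to a challenge the site issued, so nothing reusable ever leaves the authenticator. The Go program below is an added, simplified model of that WebAuthn check (it is not code from the interview or from Axiad); the relying party name, the challenge value and the lookalike origin are constructed for the example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Constructed relying party (RP) identity for this example.
const rpID, rpOrigin = "login.example.com", "https://login.example.com"
type clientData struct{ Type, Challenge, Origin string }
type assertion struct{ AuthData, ClientJSON, Sig []byte }
// signedDigest is what both sides hash: authData || SHA256(clientDataJSON), as in WebAuthn.
func signedDigest(authData, clientJSON []byte) []byte {
	cdHash := sha256.Sum256(clientJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}
// authenticatorSign mimics a FIDO2 authenticator. The browser, not the user, fills in origin
// from the page it actually loaded, so a lookalike site cannot claim the RP's origin.
func authenticatorSign(key *ecdsa.PrivateKey, challenge, origin string) (assertion, error) {
	cd, _ := json.Marshal(clientData{"webauthn.get", challenge, origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // rpIdHash + flags (UP) + counter, simplified
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedDigest(authData, cd))
	return assertion{authData, cd, sig}, err
}
// verifyAssertion is the RP check: issued challenge and exact origin first, then the signature.
func verifyAssertion(pub *ecdsa.PublicKey, a assertion, challenge string) error {
	var cd clientData
	if json.Unmarshal(a.ClientJSON, &cd) != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return fmt.Errorf("malformed, stale or wrong challenge")
	}
	if cd.Origin != rpOrigin {
		return fmt.Errorf("origin %q is not %q: phished assertion rejected", cd.Origin, rpOrigin)
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(a.AuthData, a.ClientJSON), a.Sig) {
		return fmt.Errorf("bad signature")
	}
	return nil
}
func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	good, _ := authenticatorSign(key, "nonce-1", rpOrigin) // "nonce-1" is a constructed challenge
	phished, _ := authenticatorSign(key, "nonce-1", "https://login-example.com")
	fmt.Println("genuine:", verifyAssertion(&key.PublicKey, good, "nonce-1"))
	fmt.Println("lookalike:", verifyAssertion(&key.PublicKey, phished, "nonce-1"))
}
```

Contrast this with a one-time code: the same six digits are valid wherever the user types them, which is exactly why a relay proxy defeats traditional MFA.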
BN: Any other thoughts on this topic?
BA: Yes! Even though security is paramount when it comes to authentication, organizations need to make sure they are implementing it without hindering end-user productivity or organizational efficiency. If they do, employees will, no doubt, seek workarounds that will put the business at risk.
We want security to be known as a business enabler, and when IT teams are able to provide the proper balance between protection and usability, this is just what it becomes.