The humble password. A pillar of society and a cybersecurity comfort blanket for end users (and IT teams) in applications and programmes across the globe. Humanity has been using passwords in one form or another for centuries. However, the first computer passwords came about in the mid-1960s and are likely to have originated at the Massachusetts Institute of Technology in the US.
But why exactly have they been so long-standing? Within an enterprise environment, passwords are easy to implement and a relatively low-cost security measure which previously provided a solid layer of protection against threats. However, as the sophistication of threats continues to increase, so must the robustness of our defences – and passwords are firmly in the firing line.
Passwords are no longer fit for purpose
As cyberattacks are becoming increasingly difficult to recover from, IT teams have rightly had to crack down on all cybersecurity measures, including password security. This requires users to come up with increasingly complex passwords that usually specify a minimum number of characters and the inclusion of special characters such as exclamation marks (!), hashtags (#) or @ symbols. These make life interesting for end users, as they are always super easy to enter on a mobile device as they switch through all the different keyboards.
Sadly, what started out as a simple but effective security measure is fast becoming too great an ask for many end users. Data suggests that in 2020, the average consumer had to create and manage around 100 passwords. Combined with the spiralling complexity requirements, this process is becoming unsustainable for the majority of end users, who are likely to resort to insecure conduct to cope. This may include physically writing passwords down, using the same password across various platforms and/or using simple and predictable passwords, all of which undermine the legitimacy and reliability of the process.
To make matters worse, hackers have identified that passwords are potentially the weak link in the chain. As a result, stolen usernames and passwords are regularly sold on the black market. More than 24 billion records containing usernames and passwords were stolen – an increase of 65% from 2020, according to a survey by Digital Shadows. The same survey found that, for the fourth consecutive year, unauthorised access was the leading cause of breaches — 50% of all records breached — up from 45% in 2020.
Introducing passwordless authentication
Luckily, the breadth and sophistication of cybersecurity measures have moved forward in leaps and bounds since passwords were first created, and the option to adopt a passwordless approach to authentication is now a legitimate choice.
But what exactly is passwordless authentication? Put simply, passwordless relies on something you are or something you have, rather than something you know. You’d be correct to think that there are already many low-cost and easy-to-use authentication technologies on the market today, from software-based versions of one-time passwords or integrated biometrics, to push notifications that are easily embedded into mobile applications, and QR codes. However, a true passwordless system is able to use signals and combine them with Contextual Orchestration to present the right authentication prompt to the user at the right time.
So, what signals does a passwordless system analyse? At a basic level, the system assesses general signals, like location and IP address, but this alone isn’t secure enough and can be manipulated. However, you get a much clearer indication of identity when these are combined with device signals, such as identifying whether the mobile or laptop is a known device, as well as utilising the technologies built into the device, such as a camera or fingerprint reader. Better still would be incorporating Intelligent Signals, like user preferences, choices and behaviours. Are they doing something they usually do, or is this out of character? By combining all these signals we can develop a pretty good idea of what type of authentication is possible and required for the amount of risk in the given transaction.
The critical component in then realising the “Never Login Again” goal is combining these signals with Contextual Orchestration, which allows users (or the software) to choose the most appropriate login flow for the situation at hand. This is done by ingesting contextual signals at every step of the user journey and then altering the path based on that information, such as:
- What type of device is it, and what authentication technologies are present?
- What has the user enrolled in, and what is the resource they are trying to access?
- What authentication level is needed to gain access to that resource?
- What are the user’s preferences when they are on that device?
The system can even ask the user which method they would like to use, as long as it satisfies all the criteria listed above. You can only provide a true passwordless experience if you can successfully combine all these inputs into a simple and seamless experience that is also secure.
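The selection logic described above can be sketched in a few lines. This is an added example, not code from the article or from any IAM product; the method names, the numeric assurance levels, the "one level per anomalous signal" rule and the fail-closed behaviour are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed assurance level per method (illustrative values, not from the article).
METHOD_LEVEL = {"push": 1, "otp_app": 1, "platform_biometric": 2, "security_key": 3}

@dataclass
class Context:
    device_methods: set     # authenticators present on this device
    enrolled: set           # methods the user has enrolled
    resource_level: int     # assurance level the resource demands
    preference: list        # user's ordered preference on this device
    known_device: bool = True
    usual_location: bool = True
    usual_behaviour: bool = True

def required_level(ctx):
    """Raise the resource's base level by one per anomalous signal, capped at 3."""
    signals = [ctx.known_device, ctx.usual_location, ctx.usual_behaviour]
    return min(3, ctx.resource_level + signals.count(False))

def choose_method(ctx):
    """Return ('prompt', method) or ('deny', None)."""
    need = required_level(ctx)
    # Only methods that are present, enrolled and strong enough are candidates.
    usable = {m for m in ctx.device_methods & ctx.enrolled
              if METHOD_LEVEL.get(m, 0) >= need}
    if not usable:
        return ("deny", None)  # fail closed: never fall back to a weaker method
    for m in ctx.preference:   # honour the user's preference when it qualifies
        if m in usable:
            return ("prompt", m)
    # Otherwise pick the weakest method that still meets the required level.
    return ("prompt", min(usable, key=lambda m: (METHOD_LEVEL[m], m)))

if __name__ == "__main__":
    # Constructed sample: same user and resource, first on a known device,
    # then on an unknown one, then unknown device in an unusual location.
    base = dict(device_methods={"push", "platform_biometric"},
                enrolled={"push", "platform_biometric", "security_key"},
                resource_level=1, preference=["push"])
    print(choose_method(Context(**base)))
    print(choose_method(Context(**base, known_device=False)))
    print(choose_method(Context(**{**base, "resource_level": 2},
                                known_device=False, usual_location=False)))
```

The same user is prompted differently as the signals change: the preferred low-friction method on a familiar device, a stronger one when the device is unknown, and no prompt at all when nothing available meets the required level.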
Getting started with a passwordless approach
Rollout is another part of the process which organisations need to get right. Throughout any form of rollout, it’s important not to disable any existing methods until you have collected enough data to spot any emerging issues.
As with most security measures, a one-size-fits-all approach will be unlikely to optimise an organisation’s authentication journey – instead, they need to be adaptive and responsive. As expected, every company will have different needs, different fraud appetites and different risk levels. With this in mind, it’s essential to design authentication journeys which are appropriate to your organisation and flexible enough to accommodate all your different user populations.
Lastly, it’s important to fold fraud management into the authentication experience. AI is a friend to orchestration and does some of the background work to make sure everything’s running smoothly while increasing security too.
Platform your way to passwordless
Whichever way organisations approach the move to a passwordless environment, putting an identity and access management (IAM) platform in place will be crucial. This software supports a variety of authentication methods and ultimately helps to move users to a better and more secure experience.
Passwords are deeply ingrained in current cybersecurity standards. As such, while passwordless authentication is here right now, mass adoption by organisations and the public will be a marathon, not a sprint.
Over ten years ago, the launch of the FIDO Alliance sparked industry-wide interest in passwordless authentication. This has picked up momentum as the FIDO Alliance companies have all agreed to adopt a single standard that allows for sharing authentication credentials, called passkeys, across multiple devices. This has sparked interest among general consumers, who are now requesting passwordless capabilities. To make this a reality, organisations must be able to offer users choices that are accessible to them and make it easy for them to adopt. Lastly, there needs to be a shift in mindset, away from such a longstanding security methodology.
Whatever happens, we can’t lose sight of the overall goal – producing a more secure and easier to access enterprise IT environment. With this in mind, it’s important we begin adopting passwordless authentication now, to drive greater customer satisfaction and safety, while allowing for further innovation to take place as the journey towards a true passwordless future is adopted around the world.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.