Passwordless – The Future of Authentication
Security & Usability for the Digital Transformation
Companies are going through a #digitaltransformation, or modernization, to stay competitive and meet user expectations. They are migrating from legacy systems to the cloud, resulting in hybrid environments. Customers are driving the push toward usable, mobile technology and always-on, always-available #cloud web-based applications. This move to the cloud includes both customers and all types of enterprise users—including employees, contractors, vendors, partners, and more. This shift to a decentralized identity-centric operational model has placed increased importance on ensuring secure access for users. The future of #authentication demands both a secure and usable method of authorizing users to both cloud and on-premises systems.
The Shift in Authentication to Passwordless
#Passwords were introduced in the mid-1960s by the Compatible Time-Sharing System (CTSS) at the Massachusetts Institute of Technology (MIT), according to Computer History and Wired. They were developed as an accounting tools to allow users access to their specific resources for a certain amount of time. As time went on, some users shared passwords and others demanded better security, and the emphasis shifted to authentication. In the 1980s, Security Dynamics Technologies patented a “method and apparatus for positively identifying an individual” and paved the way for additional authentication factors—like multi-factor authentication (MFA), which has matured in recent years as a secondary layer of security for primary password authentication.
The primary authentication method, via password, and the secondary authentication method, via MFA, became increasingly important as password theft and data dumps became routine. The 60-year-old single-factor password has failed to stand the test of time. In 2019, an anonymous creator released 2.2 billion usernames and passwords freely across attacker forums—the largest collection of breaches yet (Wired). Advances in secondary factors, from the proliferation of smartphones to the consumerization of biometrics, have led many to question whether a password is even necessary for strong authentication. If strong authentication is based on multiple factors, and passwords are the most vulnerable factor, why even require them? This realization has led the industry to move toward replacing passwords altogether with more secure and simplified methods of authentication.
“Passwords have multiple weaknesses that attackers can exploit. Even the best password policy cannot mitigate spyware or phishing attacks.”
The Problem with Passwords
Passwords are subject to several problems that make them an insecure factor for identity verification. Additionally, passwords cause a lot of user friction and frustration.
- The burden of managing passwords and other authentication methods is high.
They take up a lot of help desk support time each year—so much so, that many large U.S.-based organizations have allocated over $1 million annually for password-related support costs, according to Forrester. Gartner notes that “passwords remain a significant source of risk for organizations—even when incorporated with another method for MFA (multi-factor authentication) —and of friction, frustration, and fatigue for users and #administrators” in its Market Guide for User Authentication. A single organization spent $30 per employee case on expired password cases alone, totaling over $500,000 in support costs and lost productivity every year.
- Poor user experiences caused by passwords can cause extreme frustration.
A survey of 200 IT security leaders conducted by International Data Group (IDG), sponsored by MobileIron, found that 62 percent of respondents reported extreme user frustration at password lockouts. This isn’t surprising – lockouts pause productivity and contributes to poor user login experiences. In addition to password lockouts, the number of cloud services used by enterprises today has increased dramatically over time; today, the average enterprise uses 1,400 different cloud services, while the average business user must log in with as many as 190 passwords, according to Sky-high #Networks and Security Magazine.
- Passwords are easily compromised
It can be subverted by #attackers, who use them as part of a larger attack. A few examples include credential stuffing (large-scale, automated login attempts using stolen credentials); phishing (an attempt to deceive users and illegally acquire sensitive information, like passwords); brute-force attacks (password guessing); etc. Weak passwords are easy for adversaries to crack or guess. Due to password fatigue, users often choose weak passwords or reuse old passwords for different accounts. As a result, over 80 percent of breaches involving web applications are attributed to the use of stolen #credentials, while 50 percent of all breaches involved stolen credentials, according to Verizon’s 2022 Data Breach Investigations Report.
What is Passwordless Authentication?
#passwordlessauthentication establishes a strong assurance of a user’s identity without relying on passwords, allowing users to authenticate using biometrics, security keys, or a mobile device. This eliminates the need for users to remember passwords, allowing for a frictionless login experience while reducing administrative burdens and overall security risks for the enterprise.
Business Benefits of Passwordless
Passwordless authentication provides a single, strong #assurance of users’ identities in order to achieve user trust. As a result, enterprises can realize the following benefits:
- Eliminating #reliance on passwords can make the user experience better by reducing login fatigue and frustration, as well as increasing #productivity.
- Reducing the time and costs associated with password-related help desk tickets and password resets can reduce burdens on administrators and enterprises.
- Eliminating system reliance on passwords can result in the elimination of related threats and #vulnerabilities, including #phishing, stolen or weak passwords, password reuse, and #bruteforce attacks.
THE CHALLENGE: A Nascent Market
Today, many vendors offer passwordless authentication solutions that are tailored to specific use cases, such as eliminating passwords required for #SSO. However, these piecemeal approaches offer limited benefits and do not solve the inherent security weaknesses of passwords. Modern enterprises require a comprehensive passwordless solution that covers every authentication flow and assesses the posture of devices accessing without a password. Such a solution must also address business challenges, including:
- For most enterprises, the cloud is just one part of a complete digital transformation #strategy. A modern IT infrastructure must be able to handle both legacy and cloud applications as well as provide a consistent user experience across all platforms. Cloud federation enables passwordless authentication for cloud applications; however, most enterprises need to protect access to a hybrid mix of cloud and on-premises applications.
- Administrative and management costs associated with supporting passwordless technology may be cost-prohibitive. The cost of #securitykeys, biometric-based authentication, and device management can be a barrier to entry for different types of users across an enterprise.
- Organizations that are required to comply with data-regulation standards often tie their policies to passwords, making it difficult to shift to stronger authentication methods. The latest guidance on passwords from the National Institute of Standards and Technology (#NIST 800-63) calls for phishing-resistant authentication methods but drops password expiration and complexity requirements.
THE SOLUTION: Path to Passwordless
- Identify #passwordless use cases and enable #strongauthentication. Reduce your reliance on passwords and lower the risk of credential theft by identifying and selecting specific enterprise use cases. Rank the use cases by user experience, IT time and costs, and security and #compliancerisks. Group the use cases by applicable passwordless solutions to not end up with a series of point solutions. Create #implementation plans for areas that have the biggest impact with the shortest time to value.
- Rationalize #authentication for a set of use cases as part of the implementation plan. This enables you to reduce the number of passwords users must remember by using SSO for SAML-based applications. For on-premises services, integrate authentication workflows by using access proxies and authentication proxies. You can also change password policies to make them less complex by lowering user frustration and reducing your reliance on password complexity as your primary authentication method.
- Meeting the demand for passwordless authentication often requires a shift in security posture. When you implement passwordless authentication, the context of each access request is critical. This includes such factors as the identity of the user, their device and its security posture, their location and behavior, and more. By applying adaptive policies that factor in all these elements, you can ensure that each access request requires appropriate authentication for that situation.
- Provide a passwordless experience. If multi-factor authentication (#MFA) is implemented as one or more authentication factors, passwordless is best described as two or more authentication factors without passwords. People can log in using a biometric authenticator and possession of a #trusteddevice (for example, one that can be used to access applications). This would be something they have and something they are, instead of relying on something they know (a password). In this step of the journey, consider implementing standard technology to remove passwords as the primary authentication factor for use cases and areas with the biggest impact on user experience, cost, and security. For example, consider using passwordless authentication to securely log on to your single sign-on solution. In this way, all of the applications federated through the SSO solution are protected by passwordless authentication. There are several options for passwordless authentication: leveraging hardware with built-in biometrics, investing in security keys that support the #FIDO2 standard, or using a mobile application. WebAuthn is an open standard that enables strong public key cryptography to ensure user presence at the point of authentication, and it requires a supported web browser, operating system, and built-in #authenticators such as Touch ID.
- To achieve passwordless authentication for all use cases, including legacy tools using older protocols as well as cloud-based #applications, an iterative approach should be taken to selecting, streamlining, and securing authentication. The final step in the journey is integrating the technology and moving towards continuous improvement. Passwordless will eventually eliminate your need to rely on passwords for any login workflow, either behind the scenes or throughout your users’ experiences. This is the challenge in the market today that passwordless-pioneering technology platform providers need to solve.