September 23, 2021
Killing the password
In an increasingly security-conscious world, the traditional password is genuinely a weak link. It’s time to adopt passwordless authentication instead.
The use of passwords dates back to at least the time of the Roman Empire, when Roman soldiers used passwords inscribed on wooden tablets to verify that sentries were in the correct outpost at the right time.
In today’s digital age, of course, not only has the issue of security become much more complex, but the plethora of passwords most individuals are expected to remember has grown well beyond what could be inscribed on a wooden tablet.
It is thus no surprise to learn that ‘passwordless authentication’ has become the new buzzword in security when it comes to identity and access management (IAM) solutions. Passwords remain a major security weakness for consumers and those trying to protect customer and corporate data – the vast majority of breaches involve weak or stolen passwords.
This is where passwordless authentication comes in: it eliminates risky password management practices and reduces attack vectors, while also improving the user experience by removing password fatigue. With no passwords to memorise and no security question answers to remember, it addresses directly the need to maximise security while minimising user friction.
Passwordless authentication can be a combination of various factors that traditionally fall under the classification ‘multi-factor authentication’ (MFA), since the passwordless approach includes any mechanism to authenticate an identity that does not make use of a password. In other words, it could encompass biometrics, facial recognition technology, Touch ID or even a scanned QR code.
This is part of a drive to eliminate knowledge-based authentication methods – those that rely on something you know, such as a password – and increase adoption of passwordless authentication instead. The FIDO (Fast IDentity Online) Alliance is focused on providing open and free authentication standards to help reduce the world’s reliance on passwords, and is thus leading the drive for the adoption of passwordless authentication with the WebAuthn standard, which has been broadly adopted by the industry.
The first thing that must change is the mindset around passwords. There seems to be an attitude that if it isn’t broken, don’t fix it – but password authentication is broken. Not only is it failing as a security measure, it is also failing the user experience test.
This is why the focus is switching from MFA to passwordless authentication. It is better to kill off the concept of passwords than simply to add new factors to the equation to improve security. It is imperative that the password dies sooner rather than later: passwords are not only tough to manage because they are easily forgotten, they are also less secure because they are more easily compromised.
A key driver of this shift is the simple fact that biometric authentication has become significantly less costly over the past few years. The barrier to entry – the price of costly fingerprint readers and facial recognition cameras – is no longer an issue when modern smartphones are capable of carrying the same technology.
Of course, FIDO recommends not only biometrics, but also using the device itself to ensure security – something that can more easily be done considering the pervasiveness of devices with these capabilities natively baked in. The idea is to add additional security into the mix without creating additional friction within the user experience.
After all, it is about striking the balance between security and ease of use. Remember that users want the simplest and easiest processes, but these must still be as secure as possible.
This has become more important than ever, with so many employees working remotely today. Without the company’s physical access and perimeter security to act as the initial line of defence, it is clear that remote workers need a new means of securely authenticating themselves.
There are many benefits to be gained from adopting passwordless authentication. Firstly, it is simply inherently more secure: taking the password out of the equation eliminates an entire major attack surface. Ease of use is also massively improved, since most users can only remember around six or seven unique passwords, and removing the need to remember any helps eliminate this type of bad password hygiene.
Furthermore, it also reduces costs within the organisation, as it reduces the internal support required for those employees who forget their passwords.
Given the amount of risk eliminated, the return on investment for passwordless authentication is massive, which makes choosing such a solution a ‘no-brainer’. This is helped further by the maturing of open standards, which has created an environment with a low cost of entry, fewer integration challenges, greater ease of implementation and, of course, significantly reduced risk.
It is vital that organisations considering such an undertaking talk to the experts to help them get over the line. Remember that it is about much more than a technology implementation – you must ensure you bring your people along on the journey, via effective change management, so that they clearly understand what it is about, why it’s being done and how to make it happen.
Ultimately, it boils down to the age-old principle of ‘people, processes and technology’ – adopting a passwordless authentication approach to security requires all three to be looked after, as a failure in any of these three areas will seriously hinder your security approach. Success, however, will help to drive adoption and ensure that both employees and the business itself benefit.