The password has been one of the great inventions in the history of computing: a solution that allowed simple and effective identity and access management when the need arose for it.
Unfortunately, as time passed, the downsides of using (just) passwords became apparent: they can be forgotten, guessed, cracked, stolen and, finally, misused.
While we wait for the password to die…
During the last decade or so, many IT and IT security professionals have foretold the death of the password, but that prophecy has yet to be fulfilled. Despite the many security drawbacks, the password continues to be an inexpensive authentication solution that works and is convenient in many scenarios.
But it’s not the only authentication solution out there and, slowly but surely, the industry is taking steps toward a future without passwords.
“The transition to truly passwordless authentication is going to be a journey,” says Jim Ducharme, VP of Identity Products, RSA Security, and points out that, for the moment, all passwordless authentication is rooted and reliant on a password and username.
“While passwordless authentication is quite common on many devices (e.g., Touch ID and Face ID), accounts are still established with a password and if your device is lost or stolen, the account is recovered using a password,” he notes.
To achieve a passwordless world, we need to solve the passwordless credential enrollment and account recovery puzzle, and to find a way for users to securely authenticate on devices that don’t support biometrics and FIDO capabilities.
There’s no one bulletproof solution
One of the things that are pushing enterprises to search for a suitable passwordless option is new data privacy regulation.
“Organizations are realizing that stolen identity is the number one security issue, and often the weakest link in security postures. With more at stake, including financial damages in the form of breach-related expenses, regulatory fines and the potentially irreparable loss of customer trust, we have already seen organizations start to adopt innovative and secure solutions to authenticate users seeking access to critical resources,” he shared with Help Net Security.
“Passwordless authentication reduces friction for the end user, eliminating complex, hard-to-remember passwords with another kind of credential like a hardware token, phone or biometric modality. Ultimately, it helps organizations better manage identity risks and protect what matters most.”
But, he pointed out, no authentication solution is unhackable. And, while passwordless authentication can be more secure than the traditional password, like all forms of authentication it works best as one of several means of proving someone is who they claim to be.
“Authentication solutions should always be coupled with additional security layers to manage digital risk and a higher level of identity assurance,” he advised.
Finally, it’s also important to remember that a one-size-fits-all approach doesn’t work for the varying identity and access management needs across organizations and dynamic workforces.
“As organizations continue to embrace digital transformation initiatives and consider regulations, they must also continue to assess authentication needs and not place the burden of bulletproof security on one authentication solution,” he warned.
Should you implement passwordless authentication across your large enterprise?
Before moving in that direction, CISOs must first pinpoint the organization’s critical data and assets and think about how to best protect them.
“They must think through the entire credential lifecycle,” Ducharme explained.
- Identity proofing (How do users obtain the passwordless credential? And what happens if they lose it?)
- What are the costs associated with supporting passwordless authentication?
- How does the new authentication method integrate with the enterprise’s spectrum of applications, including on-prem, infrastructure (Linux machines, network equipment), desktop, cloud and SaaS?
- Does the state of the organization’s infrastructure support the technology and standards required to truly go passwordless?
CISOs must look across the enterprise and consider the three dimensions of authentication (identity assurance, access assurance and activity assurance) and evaluate whether all can be achieved with passwordless authentication.
“Identities are scattered everywhere; CISOs need a strategy that secures multiple points of access. Additionally, CISOs must keep the dynamic of the workforce and end users in mind – shifting the burden of secure authentication off users, reducing friction on the front end, and putting security control on the back end, where it belongs,” he noted.
“To truly detect and manage identity risks, CISOs need to consider a risk-based authentication solution that is able to analyze user access, device, applications and behavior to provide businesses with the confidence that users are who they say they are based on previous history.”
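The risk-based authentication Ducharme describes compares the context of a sign-in attempt (device, location, application, time) with what the user has done before and decides whether to let the attempt through, demand a step-up factor, or refuse it. The following is an added illustration written for this page, not code from the article or from RSA; the user names, device identifiers, sign-in history, signal weights and decision thresholds are all constructed assumptions chosen to show the mechanism.

```python
"""Toy risk-based authentication: score a sign-in attempt against the user's
own history of successful sign-ins and decide allow / step_up / deny.
All data below is constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    user: str
    device_id: str
    country: str
    app: str
    hour_utc: int  # hour of day, 0-23


# Constructed history: prior *successful* sign-ins for one user.
PAST_SIGNINS = [
    SignIn("alice", "laptop-7f3a", "DE", "mail", 8),
    SignIn("alice", "laptop-7f3a", "DE", "mail", 9),
    SignIn("alice", "phone-19c2", "DE", "chat", 12),
    SignIn("alice", "laptop-7f3a", "DE", "vpn", 18),
]

# Assumed signal weights: an unfamiliar device is the strongest signal,
# an unusual hour the weakest. Real deployments tune these from data.
WEIGHTS = {"device": 40, "country": 30, "app": 15, "hour": 15}


def build_history(signins):
    """Aggregate per-user baselines: devices, countries, apps and sign-in hours."""
    hist = defaultdict(lambda: {"devices": set(), "countries": set(),
                                "apps": set(), "hours": set()})
    for s in signins:
        h = hist[s.user]
        h["devices"].add(s.device_id)
        h["countries"].add(s.country)
        h["apps"].add(s.app)
        h["hours"].add(s.hour_utc)
    return hist


def _hour_distance(a, b):
    """Distance between two hours of day, wrapping around midnight."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score_attempt(attempt, history):
    """Return (risk_score, reasons) for one attempt.

    A user with no baseline gets a mid-range score so the policy steps up
    rather than guessing; it never silently allows."""
    h = history.get(attempt.user)
    if h is None:
        return 50, ["no sign-in history for user"]
    score, reasons = 0, []
    if attempt.device_id not in h["devices"]:
        score += WEIGHTS["device"]
        reasons.append("unknown device")
    if attempt.country not in h["countries"]:
        score += WEIGHTS["country"]
        reasons.append("unseen country")
    if attempt.app not in h["apps"]:
        score += WEIGHTS["app"]
        reasons.append("app not used before")
    # Within one hour of any previously seen sign-in hour counts as normal.
    if not any(_hour_distance(attempt.hour_utc, x) <= 1 for x in h["hours"]):
        score += WEIGHTS["hour"]
        reasons.append("unusual hour")
    return score, reasons


def decide(score):
    """Map a risk score onto an action (thresholds are assumptions)."""
    if score >= 70:
        return "deny"
    if score >= 30:
        return "step_up"
    return "allow"


def evaluate(attempt, history):
    """Convenience wrapper: (decision, score, reasons)."""
    score, reasons = score_attempt(attempt, history)
    return decide(score), score, reasons


def record_success(history, attempt):
    """Fold an attempt into the baseline only after it actually succeeded
    (including any step-up), so an unverified attempt cannot teach the model."""
    for key, value in (("devices", attempt.device_id), ("countries", attempt.country),
                       ("apps", attempt.app), ("hours", attempt.hour_utc)):
        history[attempt.user][key].add(value)


HISTORY = build_history(PAST_SIGNINS)

if __name__ == "__main__":
    for a in [SignIn("alice", "laptop-7f3a", "DE", "mail", 9),
              SignIn("alice", "tablet-00aa", "DE", "mail", 9),
              SignIn("alice", "tablet-00aa", "BR", "mail", 3)]:
        print(a.device_id, a.country, a.hour_utc, "->", evaluate(a, HISTORY))
```

The important design point is the last function: the baseline only learns from sign-ins that were verified, otherwise an attacker who is challenged could teach the system that their device is normal simply by trying repeatedly. Everything else (weights, thresholds, which signals count) is policy that an organization would tune to its own applications and workforce.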
Finally, Ducharme warned that (front-end) passwordless authentication without the actual elimination of the underlying passwords (back-end) is not going to bring the savings associated with the reduction of password management, nor eliminate the security threats associated with passwords.
“As we look at the cost of passwordless authentication, many people have a false sense that these new methods are much cheaper to implement because we are seeing passwordless authentication experiences delivered for free in devices,” he said.
“However, there are still costs associated with organizations supporting these new devices, supporting the users leveraging these new features, as well as complexities associated with BYOD environments.”