How to become a passwordless organization

In this interview with Help Net Security, Den Jones, CSO at Banyan Security, explains the benefits of implementing passwordless authentication and the process every organization has to go through when deploying such technology.

Organizations have been dealing with password issues for quite a while now. Do you think passwords are on the right path of becoming obsolete?

Password use is certain to decline. It will be interesting to see how rapidly this happens. Passwords are used at various levels, from operating systems, to applications, as well as infrastructure. It’s likely we’ll see a faster decline of password use with operating systems and applications compared to infrastructure. This is especially the case with legacy infrastructure. What’s important for the average end user is that we reduce the need for passwords in their daily life. Directly improving their experience will yield more benefits to the organization than that of system administrators.

How is passwordless the solution to this issue and can we say its implementation is gaining momentum?

Passwordless will help us improve security as well as the user’s experience. From a security perspective, not entering a password means it’s harder for a bad actor to steal credentials as it’s not resident in memory, nor is it written down on a yellow sticky note. Obviously from experience we all know how much we hate entering passwords, so removing that step is great and speeds up the authentication process.

What are the main benefits of passwordless authentication and how can they affect businesses?

Passwordless authentication positively affects at least three areas of a given organization: Security, IT, and end users.

Security likes passwordless as it reduces the attack surface area. Lost and stolen credentials are suddenly no longer an issue, greatly reducing the potential of an attack. No longer is security in the position of having to worry about the users following the rules around password complexity, length, and turnover rate. Of course, how you achieve passwordless matters. You want to do it leveraging certificates that are unique for each device that a user has. In that way, you can ensure a high level of security while actually improving the user experience. How often does that happen?

Some of the most frequent help desk ticket submissions deal with passwords. Lost passwords, difficult changing passwords, access issues, etc. These types of issues make up an astounding percentage of total ticket volume, taking IT away from its core mission of improving productivity.

End users waste a ton of time on password issues. By definition, while they are resolving any given issue, they are no longer doing their job as it pertains to the system in question.

What about privacy and security? Can passwordless really be trusted?

From a security perspective, a certificate-based passwordless implementation is far more secure than using standard credentials. You effectively have device identity with the certificate as well, inextricably linking the user and device. If you have mobile device management (MDM) or unified endpoint management (UEM), even better, and for those devices you don’t control or manage, you now have confidence in the device security posture. You no longer risk credential loss or theft, and you eliminate the help desk ticket volume associated with passwords.

From a privacy perspective, data is more secure and as more applications support passwordless technology, it will be harder to access people’s accounts and thus personal data. Accessing someone’s profile in one account can possibly lead to knowing details that enable access to other accounts, such as secret questions and answers used in a password reset workflow, for example.

What are the steps organizations should make to implement passwordless technology?

It goes without saying that the first and most important step is enabling multi-factor authentication (MFA). After that I would say there’s three things to consider.

First, deploying a platform that supports certificate-based authentication, securely storing and managing certificates that are tied to the user and specific device. Second, create a security intelligence capability, which uses the authentication log data to look for anomalous/malicious events. This in turn can identify potential account compromise with a workflow to enable the user to confirm if the event was them or not. Third and final, while not strictly required, if we ease up on user verification, then stepping up to include device posture is a great way to satisfy auditors and improve your defense in depth.

Is the future really passwordless or are we going to still need to deal with traditional passwords every now and then?

I would suggest we’ll still have passwords around for a while to come; however, over time we’ll use them less. We’ll still have them in the background and they will likely be used as a fall back method.

It’s not all or nothing, as you can reduce the use of passwords based on specific applications or groups of users. Some systems are likely to continue using passwords, but you should absolutely be using MFA in conjunction with those.