Are We Ready for a World Without Passwords?

Authors: Anand Venkatraman, Partner, Deloitte India and Sabiha Hetavkar, Director, Deloitte India
Date Published: 6 September 2023

In today’s increasingly digital world, we depend on passwords to keep us secure while conducting business online or accessing the organization’s critical applications while working remotely.

According to Verizon’s Data Breach Investigations Report:

  • 67 percent of application attacks result from compromised passwords
  • 82 percent of data breaches involve stolen credentials and phishing

These findings show that passwords are relatively easy to compromise or steal, making them the weakest link in security. Mitigating this risk is critical for security teams.

Why are passwords so easy to compromise or steal?

Passwords are shared secrets, so both users and organizations are responsible for keeping them secure. Organizations expect users to create difficult-to-guess passwords, change passwords on a regular basis, and adhere to a complex password recovery process to keep passwords secure. Due to frustration and password fatigue, users often use weak passwords or, worse, use the same complex password across multiple work applications and even personal accounts since they don’t want to remember multiple passwords. This offers the attacker an opportunity to steal passwords.

Organizations implemented multifactor authentication (MFA) to mitigate the risk of passwords being a single point of failure, but for users it means additional friction. Attackers have found ways to bypass MFA with techniques such as MFA prompt bombing and SIM swapping.

Passwordless authentication – a world without passwords

Passwordless authentication simply means eliminating passwords. FIDO Alliance introduced FIDO2, a universally accepted authentication protocol offering frictionless, phishing-resistant, passwordless authentication.

FIDO2 allows users to authenticate to a web, SaaS or mobile application using the native biometrics or PIN of their laptop, desktop or mobile phone. The user can access any application with a simple swipe on the fingerprint reader, a glance at the camera or by entering a static PIN on their device.

FIDO2 passwordless authentication is MFA by default and phishing resistant since the attacker needs physical access to the device and also access to the user’s PIN or biometrics. FIDO2 uses cryptographic keys (public and private) where the private key and the user’s biometric data do not leave the user’s device, thereby protecting the user’s privacy. It also prevents user activity tracking across services since a unique set of credentials is generated for each service.

FIDO2 also supports external authenticators such as USB security keys, smart cards and mobile phones, connected over USB, NFC or BLE, for both primary and secondary authentication.

FIDO2 is fast gaining acceptance and has been adopted by leading multinational technology companies and implemented on their platforms as an alternative to passwords for their users.

So, what does passwordless authentication mean for the industry?

  • For the workforce, it will help reduce friction and enable remote work. It will reduce the time spent on password resets and helpdesk costs associated, helping to improve productivity and operational efficiency.
  • For customers, a frictionless experience to access the service from multiple devices will help improve customer satisfaction and offer better security and privacy.
  • When extended to vendors/partners, it will help reduce the operational costs of password management and resets for the applications they access.

What should organizations consider when embarking on a passwordless journey?

Moving to passwordless authentication is not just a technology change; it requires a mindset shift for all stakeholder teams—users, security, business and technology teams. Organizations should consider the following while developing their passwordless adoption strategy:

  • Define clear and measurable goals (e.g., improved user experience, reduced helpdesk cost, enabling remote work, etc.).
  • Adopt a phased approach: start with the applications that have the highest business impact and select the user groups who will benefit most from passwordless adoption.
  • Leverage access management platforms or specialist vendors supporting FIDO2, since such vendors keep their products current as the protocols and technology evolve.
  • Understand that moving to passwordless authentication is a behavior change. Start by enabling passwordless as an MFA factor or for desktop login. Keep passwords available as a legacy option and phase them out as adoption grows and matures.
  • End user acceptance and adoption of passwordless authentication will determine the success, underscoring the need for user awareness and proper training with open feedback channels.
  • Based on the application’s business criticality and data confidentiality, determine whether an additional factor using a FIDO2 external authenticator is required.
  • Define processes for scenarios like device change or malfunction to minimize security risk exposure.
  • Evaluate support of FIDO protocol across enterprise platforms, browsers and applications to plan the roadmap and costs of going passwordless.
  • Build metrics to measure success and implement feedback channels to take corrective actions.

Passwordless authentication enables improved security, reduced risks associated with credential theft and phishing, and improved overall user experience by eliminating shared secrets and reducing the need for additional MFA. Companies should start evaluating passwordless authentication and plan how to bring the benefits of a password-free world to their users and operations.

To learn more about passwordless authentication, read this article from Deloitte.