Ultimately, all businesses need a way to securely connect their users – employees, partners, contractors, customers – to the right applications at the right time. In a constant effort to stay ahead of attackers, identity and access management (IAM) solutions are evolving quickly. Since the 1960s, passwords have been the default method for authentication, later supplemented by one-time passwords (OTP), two-factor authentication (2FA) and multi-factor authentication (MFA).

So, are passwords dead? The short answer is no, but as the industry changes there is growing pressure to move away from them. Password-based authentication has become the subject of a love/hate relationship among end users and IT/security professionals alike.

While passwords provide a baseline level of security, employee and customer credentials are an attacker's entry point of choice: compromised credentials are, year in and year out, one of the most common causes of malicious breaches, alongside misconfigured cloud services. From a user experience standpoint, IT support and security teams within SMBs reportedly spend around 4 hours per week on password management-related issues, which is no surprise given ever-increasing password complexity and rotation requirements. The effort of managing passwords only rises with the size of the company and its client base, and let's not forget 'infrequent customers', those who may only need to log in once per year. It is estimated that consumers have up to 90 online accounts.

So, where is the next progression of authentication headed? Passwordless authentication. Passwordless authentication is quickly becoming the most secure and reliable way of authenticating users. It drops the shared secret a password represents and instead combines something you have (a device or security key) with something you are (a biometric) or something you know that never leaves the device (a local PIN).

How does passwordless authentication work?

Passwordless authentication is usually deployed as a form of MFA: possession of a device or security key is combined with a biometric or a local PIN, and (sometimes) a specialised mobile application handles the verification. Passwordless authentication has become a feasible reality, with the quality of biometric sensors built into modern hardware improving drastically.

Using the same public-key cryptography as digital certificates, passwordless authentication under FIDO2 relies on a cryptographic key pair – a private key and a public key – generated for each account. When a user registers, the authenticator (the device or security key) generates a fresh key pair, keeps the private key on the device and sends only the public key to the service. The private key is released only after the user verifies locally with a biometric gesture, such as a fingerprint or face scan, or a device PIN; the biometric itself never leaves the device. At each login the service sends a random challenge, the device signs it with the private key once the user has verified, and the service checks the signature against the public key it stored at registration.

A modern IAM solution built on passwordless authentication with biometrics addresses both security and user experience issues while reducing IT time and costs. Employees and customers can access their accounts seamlessly and with strong security, while sparing their IT departments a flood of password management-related requests.

Modern web standards like FIDO2 and WebAuthn remove the core weakness of traditional authentication: there is no shared secret for attackers to steal from the service or phish from the user. Although both are called keys, the public key can be thought of as a padlock and the private key as the key that opens it. If an attacker obtains the public key, it is useless without the private key, which remains safely on the end user's device. Because the signature is also bound to the web origin that requested it, a lookalike phishing site cannot reuse a signature intended for the genuine site.

Implementing a passwordless strategy can also improve the customer's identity experience. According to Transmit Security's report The Impact of Passwords on Your Business, 55% of consumers have stopped using a website because of the login process, and one-third of online transactions are abandoned at checkout due to forgotten passwords. We were the first partner of Transmit Security in APAC, which offers a customer-focused passwordless solution that works across channels without requiring the user to install any app.

The road to passwordless authentication

Identity is becoming the new perimeter, and companies are adopting a zero-trust security approach to secure it. Under the zero-trust model, companies put access controls around users and their devices to ensure the trust is verified at each access attempt.

Passwordless authentication can be a crucial part of verifying user trust in a more secure, user-friendly and simplified way. Achieving a completely passwordless environment is neither easy nor quick, and it is not a cure-all or silver bullet. When implemented correctly, the passwordless approach complements, rather than replaces, the existing security controls in a business.

Contact one of our IAM specialists if you'd like to take a step closer to a fully passwordless future.


Author

Aaron Bailey

Chief Information Security Officer