Moving Towards a Password-less world with Strong Authentication

Posted April 27, 2021

Can you imagine a world without passwords? Within enterprise IT, password support is one of the primary drivers of help desk cost. Implementing strong password requirements drives these costs up and doesn’t necessarily improve security. The simplicity of authenticating identity via passwords can actually create less secure infrastructure. According to Verizon’s Data Breach Investigation Report, 81% of hacking-related breaches used either stolen or weak passwords. Microsoft Security Research tells us implementing multi-factor authentication (MFA) can reduce your odds of being compromised by up to 99.9% but too often one of the authentication factors in MFA is still an inherently insecure password.

Authentication within our evolving IT security landscape continues to be a challenge. User authentication is required to distinguish between actual account owners and bad actors but at the same time must meet ease-of-use and simplicity goals in order to not hinder productivity. The trouble with passwords is that secure passwords are difficult for the human mind to remember and passwords that are easy for us to recall are also easily guessed by attackers.

Using biometrics within an MFA implementation tends to offer a more friction-free authentication experience while also proving very difficult to exploit. Unique personal traits such as fingerprints, iris scans, facial recognition, and even heartbeats are proving to be more accessible and easier to use as technology continues to evolve. Swiping a finger, speaking a phrase, or simply letting a facial recognition camera do its work creates a far better user experience than requiring a password.

Fortunately, these advancements are allowing IT security to move towards a password-less environment. Advanced identification techniques such as public/private key cryptography, biometrics, and PIN are slowly replacing the minimally secure passwords to which we’ve become accustomed. Cross-platform implementations such as Web Authentication API (WebAuthN) and Fast Identity Online (FIDO2) are helping to push towards a password-less existence. Active identity provider (idP) sessions are also enabling users to seamlessly authenticate across cloud-hosted applications.

These password replacement options are helping organizations provide convenience and ease of use for users while also reducing security risks. The integration of biometrics into our mobile devices could likely be one of the greatest accelerators towards a password-less and more secure world. Biometric signatures offer a significant advantage over passwords because they are secured locally on the device and not shared across the network. A common misconception with biometric access is that it can easily be spoofed but that is not the case. Since the biometric data is used only to unlock your device, an attacker would need to have your fingerprint, iris, or facial features along with your device in order to authenticate. You won’t see a data breach where millions of biometric profiles are stolen, as you commonly see with passwords because there is no single collection point an attacker can compromise. The biometric data is an initial factor that unlocks a private cryptographic key which acts as a second, more secure factor. The cryptographic key then authenticates a user to a service. Today, biometric systems are even building in liveness detection to verify the fingerprint or face being scanned is on a living person.

If you’d like to learn more about how you can begin the migration towards passwordless technologies, contact us to see what’s possible.

Scott Anderson

Scott Anderson is Partner / CTO of Verus Corp. He works with mid- and large-sized companies to ensure that all of their managed IT service needs are met to their highest standards. Scott knows that giving customers exactly what they need requires flexibility and patience. He works with each department to carry out documentation and the processes of providing managed IT services. Every position that Scott has held has been largely focused on customer service. This expertise and experience means that you’ll be getting a holistic and customer-centered experience from Verus Corp, from installation to troubleshooting. Scott has provided services that have helped Verus Corp be named a Cisco Select Partner and WatchGuard Partner of the Year. Most recently, Verus Corp was named the second best place to work by the Minneapolis/St. Paul Business Journal. Scott has a Bachelor’s in Speech from St. Cloud State University.