Moving Towards a Password-less world with Strong Authentication


Can you imagine a world without passwords? Within enterprise IT, password support is one of the primary drivers of help desk cost. Enforcing strict password requirements drives those costs up without necessarily improving security, and the apparent simplicity of authenticating identity with a password can actually leave infrastructure less secure. According to Verizon's Data Breach Investigation Report, 81% of hacking-related breaches used either stolen or weak passwords. Microsoft Security Research tells us that implementing multi-factor authentication (MFA) can reduce your odds of being compromised by up to 99.9%, yet too often one of the factors in an MFA deployment is still an inherently insecure password.

Authentication within our evolving IT security landscape continues to be a challenge. User authentication must distinguish actual account owners from bad actors, but at the same time it must meet ease-of-use and simplicity goals so that it does not hinder productivity. The trouble with passwords is that secure passwords are difficult for the human mind to remember, while passwords that are easy for us to recall are also easy for attackers to guess.

Using biometrics within an MFA implementation tends to offer a more friction-free authentication experience while also proving very difficult to exploit. Unique personal traits such as fingerprints, iris patterns, facial features, and even heartbeats are becoming more accessible and easier to use as the technology continues to evolve. Swiping a finger, speaking a phrase, or simply letting a facial recognition camera do its work creates a far better user experience than typing a password.

Fortunately, these advancements are allowing IT security to move towards a password-less environment. Advanced identification techniques such as public/private key cryptography, biometrics, and PINs are slowly replacing the minimally secure passwords to which we have become accustomed. Cross-platform standards such as the Web Authentication API (WebAuthn) and Fast Identity Online (FIDO2) are helping to push towards a password-less existence. Active identity provider (IdP) sessions are also enabling users to seamlessly authenticate across cloud-hosted applications.

These password replacement options are helping organizations provide convenience and ease of use for users while also reducing security risk. The integration of biometrics into our mobile devices may well be one of the greatest accelerators towards a password-less and more secure world. Biometric signatures offer a significant advantage over passwords because they are secured locally on the device and are never shared across the network. A common misconception with biometric access is that it can easily be spoofed, but that is not the case. Since the biometric data is used only to unlock your device, an attacker would need your fingerprint, iris, or facial features along with your device in order to authenticate. You won't see a data breach in which millions of biometric profiles are stolen, as you commonly see with passwords, because there is no single collection point an attacker can compromise. The biometric data is an initial factor that unlocks a private cryptographic key, which acts as a second, more secure factor; the cryptographic key then authenticates the user to a service. Today, biometric systems are even building in liveness detection to verify that the fingerprint or face being scanned belongs to a living person.
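The flow described above (a local biometric match unlocks a device-held private key, which then answers a random challenge from the service that stored only the matching public key at registration), as an added Go example that is not code from the original post or from any WebAuthn/FIDO2 library. The Authenticator and RelyingParty types, the boolean standing in for the biometric match, and the choice of ECDSA P-256 are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models the user's device (hypothetical, not a FIDO2 library): the private
// key never leaves it and is used only after a local biometric match, modelled here as a bool.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: priv}, err
}

// PublicKey is the only key material ever sent to the service, and only at registration.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Sign releases a signature over the service's challenge only after the biometric check passes.
func (a *Authenticator) Sign(challenge []byte, biometricMatched bool) ([]byte, error) {
	if !biometricMatched {
		return nil, errors.New("user verification failed: key stays locked")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
}

// RelyingParty models the service: it holds public keys and one-time challenges, nothing reusable.
type account struct {
	pub       *ecdsa.PublicKey
	challenge []byte // outstanding one-time challenge, nil when none is pending
}
type RelyingParty struct{ accounts map[string]*account }

func NewRelyingParty() *RelyingParty { return &RelyingParty{accounts: map[string]*account{}} }
func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) { rp.accounts[user] = &account{pub: pub} }

// Challenge issues a fresh random nonce; signing it proves possession of the private key.
func (rp *RelyingParty) Challenge(user string) []byte {
	c := make([]byte, 32)
	rand.Read(c)
	rp.accounts[user].challenge = c
	return c
}

// Verify checks the signature with the stored public key and consumes the challenge.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	acct := rp.accounts[user]
	if acct == nil || acct.challenge == nil {
		return false
	}
	digest := sha256.Sum256(acct.challenge)
	acct.challenge = nil // consumed: a captured signature cannot be replayed
	return ecdsa.VerifyASN1(acct.pub, digest[:], sig)
}
```

Note that nothing in the relying party's store (public keys and spent nonces) lets an attacker who steals it log in, which is the property the paragraph above contrasts with password databases.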

