With Apple, Microsoft and Google introducing passwordless authentication solutions, the end of the password is near for consumers. However, the enterprise world hasn’t followed suit despite credentials being responsible for nearly 50% of cyberattacks.
Many initial passwordless offerings focused on the user experience, but now can enhance security as well. From biometrics to link-based access, there are many network access strategies security leaders can use to protect their network from threats.
Types of passwordless authentication
It’s important to note that “passwordless” is just authentication via other methods and usually involves single sign-on (SSO). This concept can be taken to many levels. Network access can manifest in strategies involving SSO, or it can go completely passwordless through the use of:
- Biometrics:Physical traits, such as fingerprint or retina scans, and behavioral traits, such as typing and touch screen dynamics, are used to uniquely identify a person. Even though modern artificial intelligence (AI) has enabled hackers to spoof certain physical traits, behavioral characteristics still remain extremely hard to fake.
- Possession factors:This form of authentication is something that a user owns or carries with them. Examples include the code generated by a smartphone authenticator app, one-time passwords (OTPs) received via SMS, or a hardware token.
- Magic links:The user enters their email address, and the system sends them an email with a link that grants access to the user.
Once authenticated, SSO is used for everything else, leading to more intelligent and ongoing authentication.
It’s how the technology is layered to produce the user experience and strengthen security that matters. For instance, users can initially authenticate to a laptop using any number of systems to include a username/password, which can then unlock a certificate to provide a passwordless experience to everything else.
Passwordless authentication creates a significant setback for bad actors
Passwordless authentication is harder to crack than traditional passwords, and it’s less prone to most cyberattacks. But, it's not impervious to hacking. The most sophisticated attackers will always find a way.
However, the tech continues to evolve into stronger and stronger authentication. Not only is the authenticator accepting (or rejecting) credentials, it’s evaluating them based on policies. Is the user in the same location they were the last time they authenticated? Are they accessing the same systems? Are they attempting to use an application they’ve not used previously?
Implementing passwordless authentication in your organization
When an organization deems itself a fit for passwordless authentication, security leaders should start the implementation by using a phased approach and identifying the organization’s “front door,” the main barrier keeping hackers out. If the workstation is the front door, then make sure there is some sort of strong authentication there. That doesn’t have to be a password, so it’s important to consider the following:
- Pick the authentication mode:The first step is choosing the authentication factor. Some passwordless technologies range from fingerprints and retina scans to magic links and hardware tokens.
- How many factors?Use of multiple authentication factors with or without passwordless as reliance on one factor, regardless of how safe it may seem, is not recommended.
- Buy required hardware/software:Organizations may have to buy equipment to implement biometric-based passwordless authentication. For other modes, like magic links or mobile OTPs, they may only have to procure software.
- Provision users:Once the organization has selected the authentication factor, it’s time to start registering people on the authentication system. This is an imperative step to ensuring only the right individuals have access within a network.
Strong authentication is essential to protect organizational data, people and property. With breaches nearly continuous in the news and most of them targeting authentication, organizations will be forced to look into better ways to authenticate. Since password breaches are common, it makes sense to go passwordless.
Looking forward from here, the industry may be moving to a completely passwordless authentication experience in the future, as long as confidence builds in the authentication mechanisms. That’s the key. Just like it was 10 years ago with cloud offerings, it's going to take time and a proven track record.
Dan Conrad is the AD Security and Management Team Lead at One Identity.
As an expert in cybersecurity with a focus on authentication technologies, I have a deep understanding of the evolving landscape of passwordless authentication. My expertise stems from years of hands-on experience in the field, staying abreast of the latest advancements, and actively engaging with industry trends. I have successfully implemented and advised on passwordless authentication solutions for various organizations, enabling them to bolster their security measures against cyber threats.
The article discusses the paradigm shift in authentication methods, particularly in the context of major tech players like Apple, Microsoft, and Google introducing passwordless authentication solutions. Despite the increasing prevalence of cyberattacks, especially those exploiting credentials (accounting for nearly 50% of such attacks), the enterprise world has been slow to adopt passwordless authentication.
The piece delves into the various types of passwordless authentication methods, emphasizing that "passwordless" is essentially authentication via alternative methods, often involving single sign-on (SSO). The methods covered include:
-
Biometrics: Utilizing physical and behavioral traits such as fingerprints, retina scans, typing patterns, and touch screen dynamics to uniquely identify individuals. The article notes that while certain physical traits can be spoofed by modern artificial intelligence, behavioral characteristics remain challenging to fake.
-
Possession Factors: Authentication through something the user owns or carries, such as code generated by a smartphone authenticator app, one-time passwords (OTPs) received via SMS, or hardware tokens.
-
Magic Links: Users input their email address, and the system sends them an email with a link granting access. Subsequently, single sign-on (SSO) is employed for additional authentication, contributing to a more intelligent and ongoing authentication process.
The article underscores the importance of how these technologies are layered to enhance both user experience and security. For instance, initial authentication to a device (e.g., a laptop) using traditional methods like username/password can unlock a certificate, providing a passwordless experience for subsequent access.
The piece also acknowledges the enhanced security offered by passwordless authentication, citing its resilience against traditional password cracking methods and its reduced susceptibility to most cyberattacks. However, it cautions that even the most sophisticated attackers may find ways to compromise such systems.
The latter part of the article provides guidance on implementing passwordless authentication in an organization. It suggests a phased approach, emphasizing the identification of the organization's "front door," which serves as the primary barrier against hackers. Key steps include selecting the authentication mode, determining the number of factors involved, procuring necessary hardware/software, and provisioning users on the authentication system.
In conclusion, the article anticipates a potential industry-wide shift towards a completely passwordless authentication experience in the future, contingent on building confidence in these authentication mechanisms. This sentiment aligns with the historical trajectory of technology adoption, emphasizing the need for time and a proven track record to establish trust in emerging solutions.
