Although other authentication options exist, passwords remain the default because they work anywhere, on any device, with nothing more than a keyboard. They are, however, being phased out in favor of authentication methods that are both stronger and easier to use. Gartner has predicted that by 2022, 60% of large enterprises and 90% of midsize enterprises will have adopted passwordless methods.
Challenges with Passwords
Passwords have been in use for decades, but they carry inherent problems. They are complicated and expensive to manage (resets, rotation, lockouts), compliance with password policy is hard to maintain and audit, and the resulting rules make for a poor user experience.
More important, password-based authentication is too easily compromised. Passwords are phished, guessed, or recovered from breaches of other sites where the same password was reused, and whoever holds a valid password gets exactly the access its legitimate owner has. Worst of all, a stolen password keeps working until it is changed, so an attacker can retain access indefinitely without anyone noticing.
What About MFA?
MFA, or multifactor authentication, is a stronger method. It requires two or more independent factors: something the user knows (a password), something they have (a phone that receives an SMS code, or a hardware key), and/or something they are (a biometric). Its use is growing, but it has drawbacks, chiefly that the extra steps can become cumbersome and frustrating for the user.
Another drawback is that the second-factor device, typically a phone, must be charged and have signal to receive the one-time code sent via SMS, which the user then has to type or paste accurately. More seriously, answers to security questions, passwords, and one-time codes are all things a user can be tricked into entering on a fake site, so code-based MFA remains vulnerable to phishing, and SMS codes can additionally be diverted by SIM swapping.
The Alternative Is Passwordless Authentication
Moving beyond passwords is necessary as attacks on them become more sophisticated. Security is paramount, but it has to be achieved with an authentication system that introduces as little friction as possible and does most of its work in the background.
One form of passwordless authentication that has gained ground in recent years is FIDO2, an open authentication standard developed by the FIDO Alliance together with the W3C (whose WebAuthn specification is the browser API half of it). FIDO2 uses public key cryptography: the authenticator (a security key, or a platform authenticator built into a phone or laptop) generates a key pair per site, keeps the private key on the device, and gives the server only the public key. To log in, the server sends a fresh random challenge and the authenticator signs it together with the site's origin; the server then checks the signature, the challenge and the origin. A stolen server database yields only public keys, a captured assertion cannot be replayed because its challenge has already been consumed, and an assertion signed on a look-alike phishing domain fails the origin check, which is what makes FIDO2 phishing-resistant.
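What that exchange looks like end to end, as an added example that is not part of the original article or of any FIDO Alliance code: a Go sketch in which a simulated authenticator signs a server challenge and the relying party verifies it, then the same assertion is replayed and a second one is obtained through a look-alike domain. The relying party ID `bank.example`, the origin `https://bank.example`, the phishing domain and the simplified layout of the authenticator data are assumptions made for the illustration; real WebAuthn carries a "type" field in the client data, CBOR-encoded attestation at registration, and flags and extensions that are omitted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData: the CollectedClientData fields the browser serialises and the
// authenticator signs over (a real one also carries "type": "webauthn.get").
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the browser returns to the relying party after a login.
type Assertion struct {
	CredID            string
	ClientDataJSON    []byte
	AuthenticatorData []byte // sha256(rpID) || flags || counter (simplified layout)
	Signature         []byte // ECDSA P-256 over authenticatorData || sha256(clientDataJSON)
}

// signedHash is the value both sides compute and the signature covers.
func signedHash(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// Authenticator is a simplified security key: the private key never leaves it
// and the relying party only ever sees Pub.
type Authenticator struct {
	CredID string
	Pub    *ecdsa.PublicKey
	priv   *ecdsa.PrivateKey
}

func NewAuthenticator(credID string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{CredID: credID, Pub: &priv.PublicKey, priv: priv}, nil
}

// Sign answers a challenge for whatever rpID and origin the browser reports. On a
// phishing page those are the attacker's domain; because they are bound into the
// signed data, the resulting assertion is useless against the real site.
func (a *Authenticator) Sign(rpID, origin, challenge string) (*Assertion, error) {
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin}) // cannot fail for this struct
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: user present; signature counter = 1
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedHash(authData, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{CredID: a.CredID, ClientDataJSON: cd, AuthenticatorData: authData, Signature: sig}, nil
}

// RelyingParty is the server: it stores only public keys plus the challenges it
// has issued and not yet seen consumed.
type RelyingParty struct {
	ID, Origin string // e.g. "bank.example" and "https://bank.example"
	pubKeys    map[string]*ecdsa.PublicKey
	pending    map[string]bool
}

func NewRelyingParty(id, origin string) *RelyingParty {
	return &RelyingParty{ID: id, Origin: origin, pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string]bool{}}
}

func (rp *RelyingParty) Register(a *Authenticator) { rp.pubKeys[a.CredID] = a.Pub }

// NewChallenge issues 32 random bytes that are good for exactly one assertion.
func (rp *RelyingParty) NewChallenge() string {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		panic(err) // a failing system RNG is not something to recover from
	}
	c := base64.RawURLEncoding.EncodeToString(buf)
	rp.pending[c] = true
	return c
}

// Verify performs the checks that give FIDO2 its replay and phishing resistance.
func (rp *RelyingParty) Verify(as *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if !rp.pending[cd.Challenge] {
		return errors.New("unknown or already used challenge (replay)")
	}
	delete(rp.pending, cd.Challenge) // single use: consumed even if a later check fails
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin %q is not %q (phishing)", cd.Origin, rp.Origin)
	}
	want := sha256.Sum256([]byte(rp.ID))
	if len(as.AuthenticatorData) < 37 || string(as.AuthenticatorData[:32]) != string(want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	pub := rp.pubKeys[as.CredID]
	if pub == nil || !ecdsa.VerifyASN1(pub, signedHash(as.AuthenticatorData, as.ClientDataJSON), as.Signature) {
		return errors.New("unknown credential or bad signature")
	}
	return nil
}

func main() {
	rp := NewRelyingParty("bank.example", "https://bank.example")
	key, _ := NewAuthenticator("cred-1")
	rp.Register(key)
	good, _ := key.Sign(rp.ID, rp.Origin, rp.NewChallenge())
	// Phishing: a fresh real challenge relayed through a look-alike domain, so the
	// origin and rpIdHash the authenticator signed no longer match the real site.
	phished, _ := key.Sign("bank-example.evil", "https://bank-example.evil", rp.NewChallenge())
	fmt.Println("legitimate:", rp.Verify(good), "| replayed:", rp.Verify(good), "| phished:", rp.Verify(phished))
}
```

Note the order of the checks in Verify: the challenge is consumed before anything else is examined, so an assertion that fails the origin check cannot be retried, and the browser, not the user, decides which origin and rpID go into the signed data, which is why there is no field for the user to get wrong.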
Biometrics can also be combined with passive, risk-based signals. These signals include the user's device, browsing behavior, IP address, physical location and time of access, compared against an established baseline to flag anything out of the ordinary. Because collecting them requires no explicit user action, the result is virtually frictionless. The caveat is that passive signals are evidence about risk rather than proof of identity: they are best used to decide when a silent login is acceptable and when to step up to an explicit, phishing-resistant factor.
The Shift to Passwordless Authentication
The switch to passwordless authentication means the end of the username-and-password login, which is something to celebrate. The transition can seem daunting, however, and is best approached in a series of steps.
Enterprises can begin by identifying the applications and business needs where stronger authentication matters most and choosing a pilot group of users who can provide early feedback. They can then move through a series of transitions: from centralized authentication (single sign-on) to MFA, then to FIDO2 security keys as the second factor, and ultimately to FIDO2 as the sole, passwordless factor.
Passwordless Use Cases
Here are a few use cases that demonstrate the use of passwordless authentication:
Resource Access in the Workplace: A user who logs in from the same computer or device every weekday at about the same time establishes a predictable pattern. Once that baseline has been built from a few days of logins with a password (or, better, with an enrolled authenticator), routine logins that match the pattern no longer need a password; a login that departs from it, say from a new device or at an odd hour, should trigger a step-up to an explicit factor rather than be waved through.
Access to Insurance Records: When an insurance adjuster needs to access records, passwordless authentication can combine a FIDO security key (something they have) with a fingerprint or facial recognition check that unlocks it (something they are), giving two factors with no password involved.
Consumer Adding e-Transfer Contact: When a banking customer wants to add a new contact to their e-transfer contact list, a one-time authorization code can be sent via SMS as a step-up check for this sensitive action, regardless of how routine the session looks otherwise. Because SMS codes can be phished or diverted, a push confirmation or a FIDO authenticator is the stronger choice where the customer has one enrolled.
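The risk-based logic behind the passive-signal approach and the workplace and e-transfer use cases above, as an added example that is not from the original article or any vendor product: a Go risk engine that learns a baseline from explicitly authenticated logins and then decides, per attempt, whether the passive signals justify a silent login, whether to step up to an explicit factor, or whether to deny outright. The signal names, point weights (40/20/30/15), thresholds (30 and 70), the list of sensitive actions and the sample logins are all assumptions made for the illustration; the sensitive-action rule is what the e-transfer contact case calls for, with the choice of step-up factor left to the caller.

```go
package main

import "fmt"

// Decision is what the risk engine tells the login flow to do.
type Decision int

const (
	Allow  Decision = iota // silent login on passive signals alone
	StepUp                 // demand an explicit factor (e.g. a FIDO2 touch)
	Deny                   // refuse and alert
)

func (d Decision) String() string { return [...]string{"allow", "step-up", "deny"}[d] }

// LoginContext is the passive evidence gathered for one attempt. Field names and
// the sample values used below are assumptions made for this illustration.
type LoginContext struct {
	DeviceID  string // stable client identifier (device certificate, cookie)
	NetPrefix string // network the request came from, e.g. "10.20.30"
	Country   string
	Hour      int    // local hour of day, 0-23
	Action    string // "login", or a sensitive action such as "add-payee"
}

// Baseline is one user's history of successful, explicitly authenticated logins.
type Baseline struct {
	devices, networks, countries map[string]bool
	hours                        [24]int // logins seen per hour of day
	total                        int
}

func NewBaseline() *Baseline {
	return &Baseline{devices: map[string]bool{}, networks: map[string]bool{}, countries: map[string]bool{}}
}

// Observe records a login. Feed it only attempts that passed an explicit factor;
// learning from silently allowed sessions would let an attacker train the baseline.
func (b *Baseline) Observe(c LoginContext) {
	b.devices[c.DeviceID] = true
	b.networks[c.NetPrefix] = true
	b.countries[c.Country] = true
	b.hours[c.Hour]++
	b.total++
}

// Score adds up deviations from the baseline. The weights are illustrative.
func (b *Baseline) Score(c LoginContext) (int, []string) {
	score, reasons := 0, []string{}
	add := func(points int, why string) {
		score += points
		reasons = append(reasons, why)
	}
	if !b.devices[c.DeviceID] {
		add(40, "unknown device")
	}
	if !b.networks[c.NetPrefix] {
		add(20, "unknown network")
	}
	if !b.countries[c.Country] {
		add(30, "unusual country")
	}
	if b.total == 0 || b.hours[c.Hour]*10 < b.total { // under 10% of past logins in this hour
		add(15, "unusual hour")
	}
	return score, reasons
}

// sensitiveActions always get an explicit factor, however good the passive signals look.
var sensitiveActions = map[string]bool{"add-payee": true, "change-recovery-email": true}

// Decide maps the score onto thresholds (illustrative: step up at 30, deny at 70).
func Decide(b *Baseline, c LoginContext) (Decision, []string) {
	score, reasons := b.Score(c)
	switch {
	case score >= 70:
		return Deny, reasons
	case score >= 30:
		return StepUp, reasons
	case sensitiveActions[c.Action]:
		return StepUp, append(reasons, "sensitive action requires an explicit factor")
	}
	return Allow, reasons
}

// OfficeBaseline builds the "same desk, same time every weekday" pattern from
// constructed sample data: ten logins from one laptop on the office network at 8 or 9.
func OfficeBaseline() *Baseline {
	b := NewBaseline()
	for i := 0; i < 10; i++ {
		b.Observe(LoginContext{DeviceID: "laptop-7", NetPrefix: "10.20.30", Country: "US", Hour: 8 + i%2, Action: "login"})
	}
	return b
}

func main() {
	b := OfficeBaseline()
	for _, c := range []LoginContext{
		{"laptop-7", "10.20.30", "US", 9, "login"},     // routine: allow
		{"laptop-7", "203.0.113", "US", 22, "login"},   // known laptop, unknown network at night: step-up
		{"tablet-x", "198.51.100", "RO", 9, "login"},   // everything new: deny
		{"laptop-7", "10.20.30", "US", 9, "add-payee"}, // routine context, sensitive action: step-up
	} {
		d, why := Decide(b, c)
		fmt.Printf("%-8s %v\n", d, why)
	}
}
```

Two design points matter more than the particular weights. The baseline is only updated from logins that passed an explicit factor, so an attacker cannot gradually teach the system that their device is normal; and an empty baseline scores every attempt as unknown, so a brand-new user is never silently allowed in.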
Connect with an expert at Icon Security today to learn more about passwordless authentication and how to improve your level of cybersecurity.