Although the death of passwords has long been predicted, the shift to other forms of authentication has been extremely slow until recently.
The shift to remote work driven by the pandemic has increased interest in securing wider networks and this has put passwordless authentication in the spotlight. We spoke to Tom Bridge, Senior Product Manager at JumpCloud, to learn more about the technology and the benefits it offers.
BN: What exactly is passwordless?
TB: Passwordless access is what it says – log in or authenticate through other forms of authentication to verify who someone is before letting them access something. By replacing passwords with an alternate route, you can stop common attacks on your IT, such as credential stuffing, account password guessing, or social engineering sharing. Common ways to achieve authentication without a password include using employee devices with push authentication, smart links sent to email addresses, or a physical token. Similarly, passwordless can use biometric authentication with a fingerprint or facial recognition to prove that someone is who they say they are at a specific time and place.
It also solves the problem of managing password policies where users have to regularly change their credentials. This can lead to more password reuse and then less secure accounts over time.
No password also covers the use of access keys, which means you can lock down authentication to a specific domain. This means that users cannot be phished, which is one of the biggest problems facing businesses, regardless of size. Apple added support for security keys, for example, helping everyone take this approach.
BN: Why should companies look into this area? How does this help them?
TB: Verizon found that 61% of breaches suffered by companies involved identifying data. Rather than software vulnerabilities or zero-day flaws in software that required enormous skill to execute, many breaches are tantamount to leaving a door open to your home. It doesn’t take much skill to take advantage of this kind of access, so bad actors will take advantage of a collected ID, much like a thief would if they stumbled upon a door with a key still in the lock.
Removing passwords and replacing them with more efficient and secure means of managing identity should help resolve many of these potential issues over time. It prevents these simple issues from tricking hackers into accessing the network or applications and trying to find other ways to steal data or implement ransomware.
BN: Why is this area getting so much hype?
TB: Many companies want to implement Zero Trust security models to improve their defenses, and effective identity management is essential if you want to move to Zero Trust. You have to prove that you are who you say you are, and then keep that level of security in place. This often means changes to the way security is implemented, and the absence of a password is a key part of that change.
Passwordless needs to be as simple to deploy and use as traditional passwords, or people won’t accept it or find a solution. Simply saying you’re going passwordless isn’t a silver bullet that will magically stop hacks from happening. Effective implementation of passwordless authentication requires execution and training to adopt.
According to a Productiv study from last year, the average number of apps a company has in place is 254. Of all those apps, only 45% will be used on a regular basis. Teams will use between 40 and 60 apps each, and remembering credentials for all those systems is just hard work. Deploying a password manager and single sign-on (SSO) can help your employees get smarter, faster access to their systems, and make things easier and more secure for them.
BN: OK, what are some practical steps people can take around this?
TB: Implementing passwordless involves three steps. First, you need to centralize your approach to authentication. Rather than relying on each application’s login process, you place everything through a single point of control. This consolidates the number of logins users need to make and the number of passwords users need to remember.
Using SSO tied to a really strong and secure identity is better than having multiple apps each with their own. Likewise, using a password manager can simplify access control to all of these applications. For enterprises, tools such as single sign-on and password managers can be centrally managed, making it easy to distribute access to users and groups, and revoke user access when you need to remove that access.
Then you can apply multi-factor authentication, so users have to prove who they say they are. However, with SSO in place, they should only have to do this once. MFA is a fantastic precursor to passwordless authentication because it always has a stored password and at the same time users get used to the verification factors typically used in passwordless authentication.
Finally, you should consider implementing a FIDO login framework and then scaling it over time. FIDO is a set of standards for secure passwordless authentication created by the FIDO Alliance, which helps you future-proof your approach. You can start your implementation with a group of users, gather feedback and address perceived issues, then roll it out to a larger number of employees. This should help you scale, but also keep things up to date.
BN: Will passwordless prevent hacks from happening?
TB: Passwordless is not a miracle solution. This will stop a lot of potential hacks, but it won’t entirely improve your overall attack surface. What it will achieve is make security easier to implement and maintain over time, it will guard against some of the easiest scripted attacks that hackers can perform, and it will prevent some of the social engineering attacks that bad actors use. You can’t give out your password when you don’t know it, and you can’t share your credentials. This approach integrates well with other security techniques such as device fingerprinting and conditional access.
The most important thing to keep in mind is that having no password keeps things easy to use for your employees while making it harder for an attacker to gain access to a company’s network.
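The phishing resistance of security keys described above (the credential is locked to a specific domain) and the FIDO login framework recommended as the third step come from a few relying-party checks in the WebAuthn ceremony. The following is an added example, not code from JumpCloud or the interviewee: it builds constructed assertion data for a hypothetical relying party with rpId "example.com", then applies the origin, rpIdHash, challenge, user-presence and counter checks; an assertion produced on a constructed lookalike domain fails. The authenticator signature over authData || sha256(clientDataJSON) is assumed verified separately and is omitted so the example runs without key material.

```python
import base64
import hashlib
import json
import struct

# Hypothetical relying party (constructed): credentials are scoped to this rpId
# and logins are accepted only from this origin.
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_assertion(origin, rp_id, challenge, counter=1):
    """Constructed stand-in for what a browser/authenticator returns.
    The browser fills in origin and rpIdHash from the page's real domain,
    which is why a phishing page cannot forge a credential for RP_ID."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    # authenticatorData = rpIdHash(32) || flags(1, UP bit set) || signCount(4)
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([0x01]) + struct.pack(">I", counter))
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return {"clientDataJSON": enc(client_data), "authenticatorData": enc(auth_data)}


def verify_assertion(assertion, expected_challenge, last_counter=0):
    """Relying-party checks from the WebAuthn assertion ceremony.
    Returns (ok, reason); signature verification is assumed done elsewhere."""
    cd = json.loads(b64url_decode(assertion["clientDataJSON"]))
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin %s not allowed" % cd.get("origin")
    auth = b64url_decode(assertion["authenticatorData"])
    if auth[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch: credential scoped to another domain"
    if not auth[32] & 0x01:
        return False, "user presence flag not set"
    counter = struct.unpack(">I", auth[33:37])[0]
    if counter != 0 and counter <= last_counter:
        return False, "signature counter did not increase (cloned authenticator?)"
    return True, "ok"
```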