Identity And Access Management
April 19, 2022
7 minutes
Contributed by David Konstant, Associate Cybersecurity Engineer, DOT Security
Hackers love passwords. This may sound like a bold statement, but it is true. Some passwords are more loved than others: short passwords, ones built from common and easy-to-guess words, and ones that lack complexity are favorites.
But even a strong password can be used by an attacker if it is disclosed, whether through a data breach or a social engineering campaign such as a phishing attack.
Passwords have long been the main authentication method for computers, but with emerging technologies and the proliferation of smartphones, there is a lot of buzz about the concept of passwordless authentication and its merits in cybersecurity.
Authentication is the process of determining that someone is who they say they are. This process is closely tied to identification, the process of declaring who someone is.
Traditionally, a user supplies a username as their identity and a password as proof of that identity. Passwordless authentication replaces the password with other factors that are harder to guess, reuse, or phish.
Some passwordless methods are simply an additional step, such as approving a login in a mobile app or entering a one-time code delivered by SMS or e-mail. Others take advantage of newer technology to raise security further, including:
Biometrics like facial recognition and fingerprint readers are considerably harder to phish or reuse than passwords, but they are not always available on computers. The most popular cell phone models sold in the United States now ship with some form of biometric authentication, so organizations with older workstations can use the phone as the authenticator instead of buying new hardware.
Biometric authentication relies on a unique characteristic of an individual, or “something you are” like facial features, fingerprints, etc.
Another common passwordless technology is the security key. These devices are "something you have": physical tokens that must be present to complete authentication. The key proves possession by signing a one-time challenge from the service it was registered with, so the user never types a password.
They are usually USB devices that plug in directly, but they can also connect over NFC or Bluetooth.
One of the most compelling reasons to introduce passwordless authentication is that it decreases the burden associated with making strong passwords and can improve the user experience.
This is important because when passwords become a burden, users tend to start reusing the same passwords or find other shortcuts that lead to the types of bad passwords that hackers love.
The benefits of passwordless authentication extend to IT administration as well, by reducing the time spent on password resets, one of the most common support desk tickets.
Studies have shown that password resets can account for 20-50% of all calls to support centers.
Finally, passwordless authentication can be much harder for attackers to compromise. A fingerprint is matched on the device and never travels over the internet, and a security key's response is bound to the site that issued the challenge, so a captured response cannot be reused the way a captured password can.
Passwordless authentication is not perfect. Security keys can be lost or stolen; one-time codes sent by e-mail or SMS can still be phished, since a look-alike site can collect the code from the user and forward it to the real service before it expires; and some fingerprint readers have been bypassed by security researchers.
While passwordless authentication has many benefits, a single enrolled authenticator can also be a single point of failure: a lost key or a broken sensor locks the user out, and a weak account-recovery path becomes the attacker's way in. Enrolling more than one authenticator and designing the recovery process with the same care as the login avoids both the compromise and the user frustration.
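To make the difference between a relayable one-time code and a security key's origin-bound challenge response concrete, here is an added example that is not part of the original article. It models a service (a hypothetical `RelyingParty` at the constructed origin `https://bank.example`), a `SecurityKey` that holds one credential per origin it was registered with, and a look-alike phishing site at `https://bank-login.example`. One simplification: the HMAC used for signing stands in for the ECDSA signature a real FIDO authenticator produces; a real key signs with a private key that never leaves the device and the service verifies with the registered public key.

```python
import hmac
import hashlib
import json
import secrets

# Added example, not from the original article. HMAC is a stand-in for the
# asymmetric signature a real security key produces; the protocol shape
# (fresh challenge, origin bound into the signed data, single use) is the point.


def canonical(client_data):
    """Serialize client data deterministically so both sides sign the same bytes."""
    return json.dumps(client_data, sort_keys=True, separators=(",", ":")).encode()


def sign(credential_secret, message):
    return hmac.new(credential_secret, message, hashlib.sha256).digest()


class RelyingParty:
    """The web service: stores one credential per user, issues and verifies challenges."""

    def __init__(self, origin):
        self.origin = origin
        self.credentials = {}  # username -> credential (the public key in real WebAuthn)
        self.pending = {}      # username -> outstanding challenge

    def register(self, username, credential):
        self.credentials[username] = credential

    def begin_login(self, username):
        challenge = secrets.token_bytes(32)  # fresh random challenge for every login
        self.pending[username] = challenge
        return challenge

    def finish_login(self, username, assertion):
        challenge = self.pending.pop(username, None)  # a challenge is consumed once
        if assertion is None or challenge is None:
            return False
        client_data = assertion["client_data"]
        if client_data["origin"] != self.origin:
            return False  # signed for some other site: a relayed/phished response
        if bytes.fromhex(client_data["challenge"]) != challenge:
            return False  # stale or replayed challenge
        expected = sign(self.credentials[username], canonical(client_data))
        return hmac.compare_digest(expected, assertion["signature"])


class SecurityKey:
    """The authenticator: holds one credential per origin it was registered with."""

    def __init__(self):
        self.credentials = {}  # origin -> credential secret

    def create_credential(self, origin):
        secret = secrets.token_bytes(32)
        self.credentials[origin] = secret
        return secret

    def get_assertion(self, origin, challenge):
        # `origin` is what the browser is really connected to. It is bound into
        # the signed data, and a key with no credential for that origin has
        # nothing to sign with, so a look-alike site gets no usable response.
        if origin not in self.credentials:
            return None
        client_data = {"type": "webauthn.get",
                       "challenge": challenge.hex(),
                       "origin": origin}
        return {"client_data": client_data,
                "signature": sign(self.credentials[origin], canonical(client_data))}


def otp_login(submitted_code, issued_code):
    """A one-time code carries no binding to who typed it or where it was typed."""
    return hmac.compare_digest(submitted_code, issued_code)


def run_scenarios():
    bank = RelyingParty("https://bank.example")
    key = SecurityKey()
    bank.register("alice", key.create_credential("https://bank.example"))

    # 1. Legitimate sign-in from the real origin.
    c1 = bank.begin_login("alice")
    a1 = key.get_assertion("https://bank.example", c1)
    legit = bank.finish_login("alice", a1)

    # 2. Replay: an attacker who captured a1 submits it again.
    replay = bank.finish_login("alice", a1)

    # 3. Phishing relay: the look-alike site fetches a real challenge from the
    #    bank and asks the victim's key to sign it, but the browser reports the
    #    phishing origin, for which the key holds no credential.
    c3 = bank.begin_login("alice")
    phished = bank.finish_login("alice", key.get_assertion("https://bank-login.example", c3))

    # 4. The same relay against a one-time code: the victim types the code into
    #    the look-alike site, which forwards it to the bank before it expires.
    code = "%06d" % secrets.randbelow(10**6)
    otp_phished = otp_login(code, code)

    return {"legit": legit, "replay": replay, "phished": phished, "otp_phished": otp_phished}


if __name__ == "__main__":
    print(run_scenarios())
```

Running the script prints that only the legitimate sign-in and the phished one-time code succeed; the replayed and relayed security-key responses are both rejected. This is the property behind the claim that a security key is harder to compromise remotely: the service checks the origin and the freshness of every response, not merely that the user produced a secret.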
While passwordless authentication offers a lot of benefits, it is not for every organization. It is important to assess your organization's current state of authentication: implementation can be complicated where legacy software and protocols that only understand passwords are still in use. Companies should also consider which devices users have access to and the cost of updating or replacing them.
Companies that already leverage Single Sign-On for cloud applications and integrated authentication flows for on-premises equipment are better prepared for implementation and can benefit more rapidly.
Rather than dropping passwords outright, most organizations should first adopt passwordless methods as factors within their Multi-Factor Authentication (MFA) program, since many are not ready for a full passwordless deployment. Organizations that are ready can go fully passwordless while remaining multi-factor, for example a security key (something you have) unlocked by a fingerprint (something you are).