Identity And Access Management
June 15, 2023
Contributed by David Konstant, Associate Cybersecurity Engineer, DOT Security
Hackers love passwords. This may sound like a bold statement, but it’s true. Some passwords are more loved than others. Short passwords, ones built from common and easy-to-guess words, and ones that lack complexity are favorites.
But even great passwords or passphrases can be leveraged by hackers if they are disclosed because of a data breach or a social engineering campaign like a phishing attack.
Passwords have long been the main authentication method for computers, but with emerging technologies and the proliferation of smartphones, there is a lot of buzz about the concept of passwordless authentication and its merits in cybersecurity. Let’s explore what that means, and how you can implement it in your own strategy.
To learn more about the most up-to-date cybersecurity practices for your organization, read our e-book, The State of Cybersecurity for Small Businesses.
Passwordless authentication replaces the use of passwords with other authentication methods to add an additional layer of security. Authentication is the process of determining that someone is who they say they are. This process is closely tied to identification, the process of declaring who someone is.
Traditionally in authentication and identification, a user supplies a username as their identity and a password for authentication.
Passwordless authentication solutions aim to eliminate entirely the vulnerabilities that come with managing passwords.
Passwordless authentication works by replacing the traditional authentication method to which digital users are accustomed, the password. Instead, it makes use of non-reproducible assets.
For example, biometrics are a common way modern technology is approaching security. Using someone’s thumbprint or facial recognition as the authenticator means malicious users can’t steal credentials over the internet.
The theory behind adopting a passwordless culture is that it limits how many vulnerable points of access malicious users have to attack. By limiting the attack surface area, you can greatly reduce the risk of a successful attack. Certain passwordless systems do, however, create a single point of failure, which is discussed in more detail later on.
Below are a few more examples of passwordless authentication practices to consider implementing in your organization.
There are a wide variety of passwordless authentication solutions to consider. Understanding the differences between these solutions will help you determine if integrating a passwordless system makes sense for your security needs.
Some of these passwordless methods are simply an additional step, such as confirming a login through a mobile device application, SMS, or e-mail that delivers a one-time code or approval button. This is similar to having a multi-factor authentication (MFA) policy in place.
But some take advantage of new innovations in business technology to elevate security to another level, making use of something you have or something you are. Something you have refers to a physical key of sorts, oftentimes a USB device. Something you are, on the other hand, is something unique to you as an individual.
A couple of these passwordless authentication technologies include:
Biometrics like facial recognition and fingerprint readers are significantly more secure than traditional passwords but are not always available on computers. However, the most popular cell phone models sold in the United States now come with some form of biometrics for authentication. Organizations with older workstations can then leverage this technology instead of having to purchase new workstations.
Biometric authentication relies on a unique characteristic of an individual, or “something you are” like facial features, fingerprints, etc.
Another common passwordless authentication technology is security keys. These devices are “something you have.” They are physical devices that need to be connected to perform authentication without the user putting in a password.
These are usually USB devices that are physically plugged in but can also use NFC or Bluetooth to connect.
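Security keys avoid passwords by answering a fresh server challenge with a signature that the device’s private key produces and that is bound to the site being visited, which is why there is no reusable secret to steal over the internet. The page does not describe that exchange, so the model below is an added example and not the vendor’s or the project’s code; it uses Ed25519 from Go’s standard library, and the `Authenticator`, `Credential`, `Register`, `Assert` and `Verify` names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Authenticator models a hardware security key (hypothetical model): the private
// key never leaves the device, and every signature covers the relying-party ID
// (the origin the browser reports) plus a signature counter.
type Authenticator struct {
	priv    ed25519.PrivateKey
	counter uint32
}

// Credential is all the server keeps: a public key and the last counter seen.
type Credential struct {
	Pub     ed25519.PublicKey
	Counter uint32
}

func NewAuthenticator() *Authenticator {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Authenticator{priv: priv}
}

// Register hands the server only the public key; no reusable secret exists.
func (a *Authenticator) Register() *Credential {
	return &Credential{Pub: a.priv.Public().(ed25519.PublicKey)}
}
func signedData(rpID string, counter uint32, challenge []byte) []byte {
	return []byte(fmt.Sprintf("%s|%d|%x", rpID, counter, challenge))
}

// Assert signs the server's random challenge bound to the origin in use and
// returns the new counter value with the signature.
func (a *Authenticator) Assert(rpID string, challenge []byte) (uint32, []byte) {
	a.counter++
	return a.counter, ed25519.Sign(a.priv, signedData(rpID, a.counter, challenge))
}

// Verify checks the signature against the server's own rpID, so an assertion
// produced for a look-alike origin fails, and rejects replayed counters.
func Verify(c *Credential, rpID string, challenge []byte, counter uint32, sig []byte) error {
	if counter <= c.Counter {
		return errors.New("replayed assertion")
	}
	if !ed25519.Verify(c.Pub, signedData(rpID, counter, challenge), sig) {
		return errors.New("bad signature or wrong origin")
	}
	c.Counter = counter
	return nil
}
```

A real server would also generate the challenge from a cryptographic random source and expire it after one use; the challenge here is a constructed byte string supplied by the caller.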
Now that we’ve looked at how passwordless authentication works, we can delve into the various benefits that stem from committing to a passwordless culture.
One of the most compelling reasons to introduce passwordless authentication is that it decreases the burden associated with making strong passwords and can improve the user experience.
This is important because when passwords become a burden, users tend to start reusing the same passwords or find other shortcuts that lead to the types of bad passwords that hackers love.
The benefits of passwordless authentication can extend to IT administration as well by decreasing the amount of time spent on password resets, since this activity is one of the most common support desk tickets.
Studies have shown that password resets can account for 20-50% of all calls to support centers.
Finally, passwordless authentication can be much more difficult for hackers to compromise because it’s significantly harder to get a fingerprint over the internet than it is to get a password. Again, this is an example of passwordless authentication limiting the overall attack surface area available on the internet.
Passwordless authentication is not perfect. USB security keys are subject to theft, one-time codes sent via email and SMS can still be targeted by social engineering attacks, and some fingerprint readers have been bypassed by security researchers.
While passwordless authentication has many benefits, it can also be a single point of failure, either allowing complete compromise or causing frustration for users. This is probably the biggest deterrent we see in the cybersecurity space when discussing passwordless authentication solutions.
While passwordless authentication offers a lot of benefits, it is not for every organization. It is important to consider your organization’s state of authentication. The implementation process can be complicated when using legacy software and protocols. Companies should consider what devices users have access to and the cost to update or replace technology.
Companies that already leverage single sign-on for cloud applications and integrated authentication flows for on-premises equipment are better prepared for implementation and can benefit more rapidly.
Instead of ditching passwords, passwordless authentication methods should be considered by organizations as part of their MFA procedures, as many are not ready for a full passwordless deployment. For other organizations, a fully passwordless deployment that combines biometrics with security keys for multi-factor authentication might be possible.
Learn more about the current state of cybersecurity in DOT Security’s comprehensive eBook, The State of Cybersecurity for Small Businesses.