Though the death of passwords has long been predicted, the shift to other forms of authentication has been glacially slow until recently.
The pandemic-driven shift to remote working has increased interest in securing broader networks and pushed passwordless authentication into the spotlight. We spoke to Tom Bridge, Principal Product Manager at JumpCloud, to learn more about the technology and its benefits.
BN: What exactly is passwordless?
TB: Passwordless access is what it says – logging in or authenticating through other forms of authentication to verify who someone is before granting them access. By replacing passwords with another route, you can stop common attacks on your IT such as credential stuffing, account password guessing, or social engineering to share them. Common passwordless authentication methods include using employee devices with push authentication, smart links sent to email addresses, or a physical token. Similarly, passwordless can use biometric authentication with a fingerprint or facial recognition to prove someone is who they say they are at a specific time and place.
It also overcomes the problem of having to manage password policies that require users to change their credentials periodically. This can result in more frequent password reuse and then accounts becoming less secure over time.
Passwordless also covers the use of passkeys, which means you can lock down authentication for a specific domain. This means users cannot be phished, which is one of the biggest problems businesses face regardless of their size. For example, Apple added support for passkeys to help everyone adopt this approach.
BN: Why should companies concern themselves with this area? How does it help you?
TB: Verizon found that 61 percent of the security breaches organizations faced involved credentials. Instead of software vulnerabilities or software zero-day holes that required a tremendous amount of skill to fix, many security breaches are tantamount to leaving a door to your home unlocked. It doesn’t take much skill to take advantage of such access, so attackers take advantage of a collected ID, just like a thief would when he stumbles upon a door with a key in the lock.
Removing passwords and replacing them with better, more effective, and more secure identity management methods should help resolve many of these potential problems over time. It prevents these simple problems from causing hackers to gain access to the network or applications and try to find other ways to steal data or implement ransomware.
BN: Why is this area getting so much hype?
TB: Many organizations are striving to implement Zero Trust security models so they can improve their defenses, and effective identity management is essential if you want to move to Zero Trust. You have to prove you are who you say you are and then maintain that level of security. This often means some changes in how security is implemented, and passwordless is a key part of that change.
Passwordless has to be as easy to deploy and use as traditional passwords, or people won’t adopt it or find ways to circumvent it. Just saying you’re going passwordless isn’t a magic bullet that will magically prevent hacks. An effective implementation of passwordless authentication requires execution and training to adopt.
According to a Productiv study from last year, a company has an average of 254 applications. Of all these apps, only 45 percent are used regularly. Teams will use between 40 and 60 apps at a time, and remembering credentials for all those systems is just hard work. Deploying a password manager and single sign-on (SSO) can help your employees access their systems smarter, faster, and make things easier and more secure for them.
BN: OK, what are the practical steps people can take to do this?
TB: There are three steps to implementing passwordless solutions. First, you need to centralize your authentication approach. Instead of relying on each application’s login process, run everything through a single checkpoint. This consolidates the number of logins that users must complete and the number of passwords that users must remember.
Using SSO tied to a really strong and secure identity is better than having multiple applications, each with their own applications. Likewise, using a password manager can simplify controlling access to all of these applications. For businesses, tools like SSO and password managers can be managed centrally, making it easier to distribute access across users and groups, and revoke user access if you need to revoke that access.
You can then enforce multi-factor authentication, requiring users to prove who they say they are. Once SSO is set up, however, they should only need to do this once. MFA is a fantastic precursor to passwordless authentication because it still has a stored password while users get used to the verification factors typically used in passwordless authentication.
Finally, you should look at implementing a FIDO login structure and then how to scale it over time. FIDO is a set of standards for secure passwordless authentication developed by the FIDO Alliance so you can future-proof your approach. You can start your implementation with a group of users, gather feedback and fix any perceived issues, and then roll out to more employees. This should help you scale but also keep things in order.
BN: Will passwordless prevent hacks?
TB: Passwordless is not a silver bullet. It will stop many potential hacks, but it won’t fully improve your overall attack surface. What it will achieve is make security easier to implement and maintain over time, it protects against some of the simpler script attacks that hackers can run, and it prevents some of the social engineering attacks that attackers use. You can’t give out your password if you don’t know it, and you can’t share your authentication credentials. This approach fits well with other security techniques such as device fingerprinting and conditional access.
The most important thing to keep in mind is that going passwordless is about keeping things user-friendly for your employees and making it harder for an attacker to break into a corporate network.
photo credit: reborn55/depositphotos.com