From passwords to passkeys: A guide for businesses



Passwords. We use them every day. We love them and we hate them. We are constantly frustrated with them: coming up with, and remembering, the necessary string of upper- and lower-case letters, numbers and special characters.

Simply put, “passwords are weak and user-unfriendly,” said Gartner senior director analyst Paul Rabinovich.

And they pose a major security risk: 81% of hacking-related breaches use stolen and/or weak passwords.

Consumers recognize this, with 68% believing that passwords are the least secure security method and 94% willing to take extra security measures to prove their identity. At the same time, more than half of us continue to use passwords.


Call it habit, unwillingness to change or simply indifference, but passwords have become entrenched. Experts say we need to break the habit. In particular, many in the security industry are pushing for passwordless authentication methods and the use of passkeys, and some even predict that these will become industry standards.

“Passkeys are a significant advance in the identity and security industry,” said Ralph Rodriguez, president and CPO of digital identity company Daon. “They are a far safer alternative to passwords, especially at a time when cyber threats are on the rise.”

Passkeys: Moving towards widespread adoption

Passkeys are a form of passwordless credential built on FIDO2 authentication (standards set by the FIDO Alliance, which is dedicated to reducing reliance on passwords). Industry giants including Apple, Microsoft and Google have recently backed passkeys, partnering with the FIDO Alliance and the World Wide Web Consortium.

This authentication method uses cryptographic key pairs and stores credentials for multiple devices in the cloud, Rodriguez explained. Users combine a passkey on their smartphone with securely stored and encrypted cloud-based credentials.

“Passkeys eliminate the need for passwords, enabling a more secure and convenient way of account authentication,” said Rodriguez. They can be integrated with existing applications and can significantly reduce the incidence of identity theft and phishing.

Ultimately, they will become the industry standard, Rodriguez predicted, and adoption by multinational giants will help spur their widespread use.

“Enterprise use of passkeys, especially in industries responsible for financial and personal data, is a huge step in the right direction,” Rodriguez said.

But really, is this the end of passwords?

Because passwordless authentication methods have users sign in with alternative credentials, they will further reduce, and potentially even eliminate, passwords, Rabinovich said.

Right now, organizations can have multiple applications that depend on a password in the same directory. But as those applications migrate to passwordless authentication, “one day the password may no longer be necessary,” he said.

If or when this point is reached, passwords can be completely disabled in a directory (although as of now only a few directories and identity services allow administrators to do this). In some cases, administrators may be able to set passwords to a random and secure value that is not shared with the user, “effectively eliminating the password from any user experience,” Rabinovich said.

As he noted, generating and remembering a good password is hard (and harder still if you have to have many). And if you forget one or it gets compromised, you’ll need to go through a password reset process. While many organizations implement self-service password reset (SSPR), administrator-assisted password resets can be costly: $15 to $70 per incident.

Still, all applications have traditionally relied on passwords, and users are used to them “even if they love to hate them,” Rabinovich said.

Therefore, new authentication methods and new processes for acquisition, registration, daily authentication and account recovery must be carefully designed.

Like everything else, pros and cons

Passkeys are a safer and faster alternative to passwords, Rodriguez said, and their ability to transfer credentials between devices speeds and simplifies account recovery. For example, if a user loses their phone, they can retrieve the passkey and use it on another device.

“When used with user experience (UX) in mind, (passkeys) can help consumers break the habit of using passwords,” Rodriguez said.

Still, he pointed out, they may not be appropriate for all business scenarios, or for government agencies that require compliance with National Institute of Standards and Technology (NIST) guidelines. The same applies to highly regulated industries such as financial services, where compliance requirements vary from country to country or region.

Passkeys are also not as strong as other FIDO standards, which use biometric verification methods such as voice, touch and facial recognition, Rodriguez said. And passkeys cannot be used for transactions with financial institutions due to Know Your Customer (KYC) standards that were implemented to protect financial institutions from fraud, corruption, money laundering and terrorist financing. They cannot establish a user’s real-world identity; if used for that purpose, they could increase synthetic identity fraud.

Using passkeys alone in financial transactions can still pose certain dangers, he said, and additional biometric authentication should be considered.

Because regulators have not yet accepted the use of a passkey alone to meet the security standards required in highly regulated industries such as banking and insurance, passkeys must, at least for now, be combined with another authentication factor.

“The number of factors involved in authentication is a decision that will ultimately be made by the business or enterprise, but consumers and end users will have a say in the matter,” Rodriguez said.

Not the end-all, be-all

Rabinovich agreed that “not all passwordless authentication methods are created equal.”

“All methods suffer from certain security weaknesses,” he said.

For example, SMS and voice-delivered one-time passwords (OTPs) are not as secure as other second-factor or multifactor authentication (MFA) methods, he said. Therefore, they should only be used in very low-risk applications.

Similarly, mobile push combined with local device authentication suffers from “push bombing” or “push fatigue,” he pointed out. Bad actors can take advantage of this by triggering repeated login attempts so that the application bombards users with push prompts until they eventually accept one.

Although FIDO2 has very good security features – for example, it is phishing resistant – it does not specify additional processes such as user credential registration protection or account recovery rules. This can result in a weak link. So FIDO and all other authentication methods must be designed carefully.

Support for FIDO by authentication and access management providers is almost universal. Some established vendors limit themselves to FIDO2, while others, including Microsoft, Okta, RSA and ForgeRock, support additional authentication methods. These may include magic links (where users log into an account by clicking on a link sent to them, rather than typing in a username and password) and biometric authentication.

New passwordless specialists – including 1KOSMOS, Beyond Identity, HYPR, Secret Double Octopus, Trusona, Truu and Veridium – support many enterprise use cases.

FIDO2 is “very promising,” but its adoption is hindered by the lack of smartphone-based roaming authenticators that allow the smartphone to be used as a companion device for users working on PCs. However, this will change with the introduction and standardization of passkeys, Rabinovich said.

A gradual evolution without passwords

Going forward, certain application architectures will make the use of passwordless authentication easier, because identity providers and authentication authorities already support, or soon will support, passwordless authentication.

But “for legacy password-dependent applications, this will be slow,” Rabinovich said. He pointed out that many new SaaS applications still assume the password.

Ultimately, “it will be a gradual process,” Rabinovich said, “because passwords are so entrenched.”
