Embrace a passwordless approach to improve security
Passwords are still used extremely widely for user authentication, but their weaknesses mean that they are woefully inadequate for protecting sensitive systems and confidential data. Password policies cannot ameliorate the inherent weaknesses of passwords themselves. Security and risk management leaders responsible for identity and access management (IAM) should not focus on crafting the perfect policy but should invest in new authentication methods and other compensating controls in line with business needs.
Society’s increasingly digital nature has created a mass market for stolen data, creating significant challenges for chief information security officers. On the demand side, as IT organisations migrate to cloud-based applications, accessible by unmanaged devices, authentication ends up as the only security control. Attackers have identified this weakness and are relentlessly targeting passwords with a range of well-crafted account takeover attack techniques.
In many cases, IT leaders simply try to “put out fires” by insisting that employees make their passwords longer and more complex. However, excellent password policies alone can’t protect against all attacks; hard-to-guess passwords are.
Furthermore, centrally managed passwords are magnets for cyberattackers, and it’s easier and less expensive than ever for these criminals to crack them. Password lists and password-cracking software are widely available, and even a standard desktop PC can try billions of character combinations every second. Thus, there’s limited value in aiming to have a perfect set of rules. Yet many identity and access management (IAM) leaders, security and risk management leaders, and other stakeholders still spend a significant amount of time and energy tinkering with their organisation’s password policies to get the rules “just right.” That time and effort would be better spent assessing and implementing technical controls that can more effectively reduce the likelihood or impact of most types of attacks against passwords.
Another issue is the impact on user experience (UX). People are challenged by having to remember many different passwords for different systems, often with different length and complexity rules. Forgotten passwords lead people into convoluted password reset processes that only increase their frustration. The need to type a long, complex password for every login, especially on a smartphone, adds friction that erodes UX, which is a concern in customer interactions.
Thus it’s highly desirable to eliminate passwords altogether. This has long been a goal, but only now is the idea of “passwordless” authentication starting to gain real traction and market visibility. Over the past year, Gartner has seen an increase in the number of enquiries from clients asking about passwordless approaches. By 2022, Gartner predicts that 60 per cent of large and global organisations, and 90 per cent of midsize organisations, will implement passwordless authentication methods for over half of all use cases — compared with less than 5 per cent of use cases in 2018.
By its nature, passwordless authentication eliminates the security and UX issues surrounding the use of passwords. It also offers a range of additional benefits to users and organisations. For users, it removes the need to remember or input passwords, which leads to a better and more streamlined UX and especially customer experience. For organisations, no longer having to centrally store and manage passwords has benefits in terms of better security, fewer breaches and reduced support costs.
There are two main ways in which security and IAM leaders can implement a passwordless approach:
Approach 1: Replace legacy passwords as the sole authentication factor
A common way to replace passwords is to adopt biometric authentication, such as fingerprint or face. Biometric authentication methods are now widely used in mobile banking applications and are being introduced into other customer and enterprise applications.
Alternatives include passwordless knowledge methods, such as pattern-based one-time password methods; phone-as-a-token methods as a single factor; the FIDO UAF (Fast Identity Online Universal Authentication Framework) which enables passwordless authentication via a method local to a person’s device; rule-based evaluation of network, device and location signals; and analytics consuming a range of familiarity signals, potentially including passive behavioural biometric methods. If the familiarity signals are unavailable or do not provide confidence in the identity claim, the tool must be able to prompt for an orthodox authentication method.
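The fallback rule just described, as an added example that is not from the article: a small rule-based evaluator over constructed familiarity signals (known device, known network, travel plausibility from geolocation, a passive behavioural score). The weights, threshold and signal names are assumptions for illustration; the point is that missing signals or a low score always step up to an orthodox authentication method rather than silently allowing the login.

```python
import math
from dataclasses import dataclass
from typing import Optional

ALLOW, STEP_UP = "allow", "step_up"   # step_up = prompt for an orthodox authentication method

@dataclass
class LoginContext:
    """Familiarity signals for one login attempt; None means the signal was not collected."""
    device_known: Optional[bool]      # device fingerprint or cookie seen before for this user
    network_known: Optional[bool]     # source network seen before for this user
    behaviour_score: Optional[float]  # passive behavioural biometric match, 0..1
    loc: Optional[tuple]              # (lat, lon) from IP geolocation, if available
    when_s: float                     # login time, Unix seconds

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def travel_plausible(prev, cur, max_kmh=900.0):
    """None if a location is missing; otherwise whether the implied speed is realistic."""
    if prev.loc is None or cur.loc is None:
        return None
    hours = max((cur.when_s - prev.when_s) / 3600, 1e-9)  # guard zero/negative elapsed time
    return km_between(*prev.loc, *cur.loc) / hours <= max_kmh

def decide(prev, cur, threshold=0.7, min_signals=3):
    """Return (decision, reason). Weights and thresholds are illustrative placeholders."""
    weighted = [(0.35, cur.device_known), (0.15, cur.network_known),
                (0.20, travel_plausible(prev, cur)), (0.30, cur.behaviour_score)]
    available = [(w, v) for w, v in weighted if v is not None]
    if len(available) < min_signals:  # too few signals: fall back, never allow on a guess
        return STEP_UP, "insufficient signals"
    score = sum(w * float(v) for w, v in available)  # bools count as 0/1
    if score >= threshold:
        return ALLOW, f"confidence {score:.2f}"
    return STEP_UP, f"confidence {score:.2f} below threshold {threshold}"

# Constructed sample logins (not real data): a baseline from London at 09:00, then the same
# city an hour later, New York an hour later (impossible travel), and one with signals missing.
PREV = LoginContext(True, True, 0.9, (51.50, -0.12), 9 * 3600)
SAMPLES = {
    "same_city": LoginContext(True, True, 0.9, (51.50, -0.12), 10 * 3600),
    "impossible_travel": LoginContext(True, False, 0.9, (40.71, -74.0), 10 * 3600),
    "signals_missing": LoginContext(True, None, 0.9, None, 10 * 3600),
}
```

Only the same-city login clears the threshold on familiarity signals alone; the other two are sent to an orthodox method, one because the score is too low and one because too few signals were collected.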
Approach 2: Replace legacy passwords as one factor in two-factor authentication
The most widely used strong authentication methods add some type of token to an existing password for two-factor authentication (2FA). Recently available solutions are two-factor and passwordless by default, which results in a single-step 2FA. For example, combining mobile push technology with a local PIN or device-native biometric mode such as Touch ID can create sufficient trust in medium-risk use cases.
Non-native biometric modes offer more in a single-step 2FA process, as they are independent of the power-on passcode of a mobile phone. They give organisations more control over whose biometric data is being used, and typically provide superior protection against potential attacks using images or recordings. These advantages are crucial when mobile push technology is used to authenticate access from a smartphone.
Whether you're considering orthodox two-factor or multifactor authentication methods or emerging contextual/analytics techniques within an adaptive access framework, good authentication choices are characterised by risk-appropriate authentication strength, low total cost of ownership (TCO), and good UX.
In coming to a final decision about which methods you will use and how they'll be deployed, you will also need to review the dependencies between choices of methods and delivery models. Some iteration may be required. In particular, if a cloud-delivered access management (AM) tool is strongly preferred, say because of a cloud-first business application architecture, then your choice of methods may be constrained.
In one form or another, passwords have existed for centuries. And for most of their history, they’ve provided some value. But an overhaul of security measures is long overdue, especially given the speed at which cybersecurity threats evolve. While it may not always be possible to eliminate passwords from legacy implementations, security and IAM leaders would be wise to prioritise assessment and use of more robust, passwordless authentication methods. By doing so, they will simultaneously improve security and UX.