Embrace a passwordless approach to improve security
Passwords are still used extremely widely for user authentication, but their weaknesses mean that they are woefully inadequate for protecting sensitive systems and confidential data. Password policies cannot ameliorate the inherent weaknesses of passwords themselves. Security and risk management leaders responsible for identity and access management (IAM) should not focus on crafting the perfect policy but should invest in new authentication methods and other compensating controls in line with business needs.
Society’s increasingly digital nature has created a mass market for stolen data, creating significant challenges for chief information security officers. On the demand side, as IT organisations migrate to cloud-based applications, accessible by unmanaged devices, authentication ends up as the only security control. Attackers have identified this weakness and are relentlessly targeting passwords with a range of well-crafted account takeover attack techniques.
In many cases, IT leaders simply try to “put out fires” by insisting that employees make their passwords longer and more complex. However, excellent password policies alone can’t protect against all attacks; hard-to-guess passwords are.
Furthermore, centrally managed passwords are magnets for cyberattackers, and it’s easier and less expensive than ever for these criminals to crack them. Password lists and password-cracking software are widely available, and even a standard desktop PC can try billions of character combinations every second. Thus, there’s limited value in aiming to have a perfect set of rules. Yet many identity and access management (IAM) leaders, security and risk management leaders, and other stakeholders still spend a significant amount of time and energy tinkering with their organisation’s password policies to get the rules “just right.” That time and effort would be better spent assessing and implementing technical controls that can more effectively reduce the likelihood or impact of most types of attacks against passwords.
Another issue is the impact on user experience (UX). People are challenged by having to remember many different passwords for different systems, often with different length and complexity rules. Forgotten passwords lead people into convoluted password reset processes that only increase their frustration. The need to type a long, complex password for every login, especially on a smartphone, adds friction that erodes UX, which is a concern in customer interactions.
Two ways
Thus it’s highly desirable to eliminate passwords altogether. This has long been a goal, but only now is the idea of “passwordless” authentication starting to gain real traction and market visibility. Over the past year, Gartner has seen an increase in the number of enquiries from clients asking about passwordless approaches. By 2022, Gartner predicts that 60 per cent of large and global organisations, and 90 per cent of midsize organisations, will implement passwordless authentication methods for over half of all use cases — compared with less than 5 per cent of use cases in 2018.
By its nature, passwordless authentication eliminates the security and UX issues surrounding the use of passwords. It also offers a range of additional benefits to users and organisations. For users, it removes the need to remember or input passwords, which leads to a better and more streamlined UX and especially customer experience. For organisations, no longer having to centrally store and manage passwords has benefits in terms of better security, fewer breaches and reduced support costs.
There are two main ways in which security and IAM leaders can implement a passwordless approach:
Approach 1: Replace legacy passwords as the sole authentication factor
A common way to replace passwords is to adopt biometric authentication, such as fingerprint or face. Biometric authentication methods are now widely used in mobile banking applications and are being introduced into other customer and enterprise applications.
Alternatives include passwordless knowledge methods, such as pattern-based one-time password methods; phone-as-a-token methods as a single factor; the FIDO UAF (Fast Identity Online Universal Authentication Framework) which enables passwordless authentication via a method local to a person’s device; rule-based evaluation of network, device and location signals; and analytics consuming a range of familiarity signals, potentially including passive behavioural biometric methods. If the familiarity signals are unavailable or do not provide confidence in the identity claim, the tool must be able to prompt for an orthodox authentication method.
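The last sentence above describes the core of an adaptive, analytics-driven approach: evaluate whatever network, device, location and behavioural signals are available, sign the user in without a password when they give enough confidence, and fall back to an orthodox authentication prompt when they are missing or weak. The Go program below is an added illustration of that decision logic; it is not code from the article or from any vendor's product, and the signal names, weights, threshold, the `203.0.113.0/24` corporate range and the sample profile are all constructed assumptions.

```go
package main

import (
	"fmt"
	"net"
)

// LoginContext holds the signals observed at sign-in. Zero values mean the
// signal was unavailable (no device fingerprint, failed geo-IP lookup, ...).
type LoginContext struct {
	DeviceID    string  // device fingerprint, "" if unknown
	SourceIP    string  // client address, "" if unavailable
	Country     string  // geo-IP country code, "" if lookup failed
	TypingScore float64 // passive behavioural biometric similarity 0..1; negative = unavailable
}

// UserProfile is what the access tool already knows about the user.
type UserProfile struct {
	KnownDevices  map[string]bool
	HomeCountries map[string]bool
	TrustedNets   []*net.IPNet // corporate network ranges
}

// Decision is the outcome of evaluating familiarity signals.
type Decision int

const (
	// StepUp: signals missing or not confident enough; prompt for an orthodox
	// authentication method (for example a registered OTP token).
	StepUp Decision = iota
	// Allow: signals give enough confidence for passwordless sign-in.
	Allow
)

func (d Decision) String() string {
	if d == Allow {
		return "allow"
	}
	return "step-up"
}

// Weights and threshold are assumptions chosen for illustration; a real
// deployment tunes them per use-case risk.
const (
	wDevice    = 0.45
	wCountry   = 0.20
	wNetwork   = 0.20
	wBehaviour = 0.30
	threshold  = 0.70
)

func inTrustedNet(ipStr string, nets []*net.IPNet) bool {
	ip := net.ParseIP(ipStr)
	if ip == nil {
		return false
	}
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Evaluate applies a hard rule first, then a weighted score over the signals
// that are present. It returns the decision and the reasons so the choice
// can be logged and audited.
func Evaluate(p UserProfile, c LoginContext) (Decision, []string) {
	var reasons []string
	score, signals := 0.0, 0

	knownDevice := c.DeviceID != "" && p.KnownDevices[c.DeviceID]
	homeCountry := c.Country != "" && p.HomeCountries[c.Country]

	// Rule-based evaluation: an unrecognised device from an unfamiliar country
	// is always challenged, whatever the other signals say.
	if !knownDevice && c.Country != "" && !homeCountry {
		return StepUp, []string{"unknown device from unfamiliar country " + c.Country}
	}
	if c.DeviceID != "" {
		signals++
		if knownDevice {
			score += wDevice
			reasons = append(reasons, "known device")
		}
	}
	if c.Country != "" {
		signals++
		if homeCountry {
			score += wCountry
			reasons = append(reasons, "home country")
		}
	}
	if c.SourceIP != "" {
		signals++
		if inTrustedNet(c.SourceIP, p.TrustedNets) {
			score += wNetwork
			reasons = append(reasons, "trusted network")
		}
	}
	if c.TypingScore >= 0 {
		signals++
		score += wBehaviour * c.TypingScore
		reasons = append(reasons, fmt.Sprintf("behavioural score %.2f", c.TypingScore))
	}
	if signals == 0 {
		return StepUp, []string{"no familiarity signals available"}
	}
	if score < threshold {
		return StepUp, append(reasons, fmt.Sprintf("score %.2f below threshold %.2f", score, threshold))
	}
	return Allow, append(reasons, fmt.Sprintf("score %.2f", score))
}

// SampleProfile is a constructed user profile used by main.
func SampleProfile() UserProfile {
	_, corp, _ := net.ParseCIDR("203.0.113.0/24") // documentation range, constructed
	return UserProfile{
		KnownDevices:  map[string]bool{"dev-a1b2": true},
		HomeCountries: map[string]bool{"GB": true},
		TrustedNets:   []*net.IPNet{corp},
	}
}

func main() {
	p := SampleProfile()
	cases := []LoginContext{
		{DeviceID: "dev-a1b2", SourceIP: "203.0.113.7", Country: "GB", TypingScore: 0.9},   // familiar
		{DeviceID: "dev-zzzz", SourceIP: "198.51.100.9", Country: "GB", TypingScore: -1},   // new device at home
		{DeviceID: "dev-zzzz", SourceIP: "198.51.100.9", Country: "XX", TypingScore: 0.95}, // new device abroad
		{TypingScore: -1}, // nothing available
	}
	for _, c := range cases {
		d, why := Evaluate(p, c)
		fmt.Printf("%-8s %v\n", d, why)
	}
}
```

The point of returning the reasons alongside the decision is operational: when a customer is stepped up, support and the SOC can see which signal was missing or unfamiliar, and the weights can be tuned from real outcomes rather than guesswork.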
Approach 2: Replace legacy passwords as one factor in two-factor authentication
The most widely used strong authentication methods add some type of token to an existing password for two-factor authentication (2FA). Recently available solutions are two-factor and passwordless by default, which results in a single-step 2FA. For example, combining mobile push technology with a local PIN or device-native biometric mode such as Touch ID can create sufficient trust in medium-risk use cases.
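To make the "single-step 2FA" idea concrete, the Go program below is an added example (not code from the article or from any product) of a push-style exchange: the server stores only a public key per user and issues a random challenge; the phone verifies a local PIN, and only then signs the challenge with a device-bound Ed25519 key. Possession of the device and knowledge of the PIN are both exercised in one user action. The relying-party identifier `login.example.test`, the PIN, the user name and the three-attempt lockout are constructed assumptions, and the salted-hash PIN check stands in for the secure element a real handset uses.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

const rpID = "login.example.test" // constructed relying-party identifier
const maxPINAttempts = 3

// Authenticator models the user's phone. The private key never leaves the
// device and is only usable after the local PIN (or a device-native
// biometric) has been verified.
type Authenticator struct {
	priv     ed25519.PrivateKey
	salt     [16]byte
	pinHash  [32]byte
	failures int
}

func hashPIN(salt [16]byte, pin string) [32]byte {
	return sha256.Sum256(append(salt[:], pin...))
}

// NewAuthenticator enrols a device: generates the key pair and sets the PIN.
func NewAuthenticator(pin string) (*Authenticator, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	a := &Authenticator{priv: priv}
	if _, err := rand.Read(a.salt[:]); err != nil {
		return nil, nil, err
	}
	a.pinHash = hashPIN(a.salt, pin)
	return a, pub, nil
}

// signedPayload binds the signature to this relying party and this challenge.
func signedPayload(challenge []byte) []byte {
	return append([]byte(rpID+"\x00"), challenge...)
}

// Approve is the single user step: verify the local PIN, then sign the
// pushed challenge. A locked authenticator refuses to sign at all.
func (a *Authenticator) Approve(pin string, challenge []byte) ([]byte, error) {
	if a.failures >= maxPINAttempts {
		return nil, errors.New("authenticator locked after too many PIN failures")
	}
	got := hashPIN(a.salt, pin)
	if subtle.ConstantTimeCompare(got[:], a.pinHash[:]) != 1 {
		a.failures++
		return nil, errors.New("wrong PIN")
	}
	a.failures = 0
	return ed25519.Sign(a.priv, signedPayload(challenge)), nil
}

// Server stores only public keys: there is no password database to steal.
type Server struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte // one outstanding challenge per user
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

func (s *Server) Register(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// NewChallenge issues a fresh random nonce that would be pushed to the device.
func (s *Server) NewChallenge(user string) ([]byte, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}

// Verify accepts the assertion only for the outstanding challenge (an old one
// is rejected) and only if the signature checks under the registered key.
func (s *Server) Verify(user string, challenge, sig []byte) error {
	want, ok := s.challenges[user]
	if !ok || !bytes.Equal(want, challenge) {
		return errors.New("no matching outstanding challenge")
	}
	delete(s.challenges, user) // single use
	if !ed25519.Verify(s.pubKeys[user], signedPayload(challenge), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Login runs one full exchange and reports whether it succeeded.
func Login(s *Server, a *Authenticator, user, pin string) error {
	c, err := s.NewChallenge(user)
	if err != nil {
		return err
	}
	sig, err := a.Approve(pin, c)
	if err != nil {
		return err
	}
	return s.Verify(user, c, sig)
}

func main() {
	a, pub, err := NewAuthenticator("4821") // constructed PIN
	if err != nil {
		panic(err)
	}
	s := NewServer()
	s.Register("alice", pub)
	fmt.Println("correct PIN:", Login(s, a, "alice", "4821"))
	fmt.Println("wrong PIN:  ", Login(s, a, "alice", "0000"))
}
```

Two design points matter here: the challenge is consumed on first use so a captured assertion cannot be replayed, and the signed payload includes the relying-party identifier so an assertion produced for one service is not valid at another.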
Non-native biometrics
Non-native biometric modes offer more in a single-step 2FA process, as they are independent of the power-on passcode of a mobile phone. They give organisations more control over whose biometric data is being used, and typically provide superior protection against potential attacks using images or recordings. These advantages are crucial when mobile push technology is used to authenticate access from a smartphone.
Whether you’re considering orthodox two-factor or multifactor authentication methods or emerging contextual/analytics techniques within an adaptive access framework, good authentication choices are characterised by risk-appropriate authentication strength, low TCO and good UX.
In coming to a final decision about which methods you will use and how they’ll be deployed, you will also need to review the dependencies between choices of methods and delivery models. Some iteration may be required. In particular, if a cloud-delivered access management (AM) tool is strongly preferred, say because of a cloud-first business application architecture, then your choice of methods may be constrained.
In one form or another, passwords have existed for centuries. And for most of their history, they’ve provided some value. But an overhaul of security measures is long overdue, especially given the speed at which cybersecurity threats evolve. While it may not always be possible to eliminate passwords from legacy implementations, security and IAM leaders would be wise to prioritise assessment and use of more robust, passwordless authentication methods. By doing so, they will simultaneously improve security and UX.
Source: itproportal