Embrace a passwordless approach to improve security
Passwords are still used extremely widely for user authentication, but their weaknesses mean that they are woefully inadequate for protecting sensitive systems and confidential data. Password policies cannot ameliorate the inherent weaknesses of passwords themselves. Security and risk management leaders responsible for identity and access management (IAM) should not focus on crafting the perfect policy but should invest in new authentication methods and other compensating controls in line with business needs.
Society’s increasingly digital nature has created a mass market for stolen data, creating significant challenges for chief information security officers. On the demand side, as IT organisations migrate to cloud-based applications, accessible by unmanaged devices, authentication ends up as the only security control. Attackers have identified this weakness and are relentlessly targeting passwords with a range of well-crafted account takeover attack techniques.
In many cases, IT leaders simply try to “put out fires” by insisting that employees make their passwords longer and more complex. However, excellent password policies alone can’t protect against all attacks; hard-to-guess passwords are.
Furthermore, centrally managed passwords are magnets for cyberattackers and it’s easier and less expensive than ever for these criminals to crack them. Password lists and password-cracking software is widely available and even a standard desktop PC can try billions of character combinations every second. Thus, there’s limited value in aiming to have a perfect set of rules. Yet many identity and access management (IAM) leaders, security and risk management leaders, and other stakeholders still spend a significant amount of time and energy tinkering with their organisation’s password policies to get the rules “just right.” That time and effort would be better spent assessing and implementing technical controls that can more effectively reduce the likelihood or impact of most types of attacks against passwords.
Another issue is the impact on user experience (UX). People are challenged by having to remember many different passwords for different systems, often with different length and complexity rules. Forgotten passwords lead people into convoluted password reset processes that only increase their frustration. The need to type a long, complex password for every login, especially on a smartphone, adds friction that erodes UX, which is a concern in customer interactions.
Thus it’s highly desirable to eliminate passwords altogether. This has long been a goal, but only now is the idea of “passwordless” authentication starting to gain real traction and market visibility. Over the past year, Gartner has seen an increase in the number of enquiries from clients asking about passwordless approaches. By 2022, Gartner predicts that 60 per cent of large and global organisations, and 90 per cent of midsize organisations, will implement passwordless authentication methods for over half of all use cases — compared with less than 5 per cent of use cases in 2018.
By its nature, passwordless authentication eliminates the security and UX issues surrounding the use of passwords. It also offers a range of additional benefits to users and organisations. For users, it removes the need to remember or input passwords, which leads to a better and more streamlined UX and especially customer experience. For organisations, no longer having to centrally store and manage passwords has benefits in terms of better security, fewer breaches and reduced support costs.
There are two main ways in which security and IAM leaders can implement a passwordless approach:
Approach 1: Replace legacy passwords as the sole authentication factor
A common way to replace passwords is to adopt biometric authentication, such as fingerprint or face. Biometric authentication methods are now widely used in mobile banking applications and are being introduced into other customer and enterprise applications.
Alternatives include passwordless knowledge methods, such as pattern-based one-time password methods; phone-as-a-token methods as a single factor; the FIDO UAF (Fast Identity Online Universal Authentication Framework) which enables passwordless authentication via a method local to a person’s device; rule-based evaluation of network, device and location signals; and analytics consuming a range of familiarity signals, potentially including passive behavioural biometric methods. If the familiarity signals are unavailable or do not provide confidence in the identity claim, the tool must be able to prompt for an orthodox authentication method.
Approach 2: Replace legacy passwords as one factor in two-factor authentication
The most widely used strong authentication methods add some type of token to an existing password for two-factor authentication (2FA). Recently available solutions are two-factor and passwordless by default, which results in a single-step 2FA. For example, combining mobile push technology with a local PIN or device-native biometric mode such as Touch ID can create sufficient trust in medium-risk use cases.
Non-native biometric modes offer more in a single-step 2FA process, as they are independent of the power-on passcode of a mobile phone. They give organisations more control over whose biometric data is being used, and typically provide superior protection against potential attacks using images or recordings. These advantages are crucial when mobile push technology is used to authenticate access from a smartphone.
Whether you're considering orthodox two-factor or multifactor authentication methods or emerging contextual/analytics techniques within an adaptive access framework, good authentication choices are characterised by risk-appropriate authentication strength, low TCO, and goodUX.
In coming to a final decision about what methods you will use and how they'll be deployed, you will also need to review the dependencies between choices of methods and delivery models. Some iteration may be required. In particular, if cloud-delivered access management (AM) tool is strongly preferred, say because of a cloud-first business application architecture, then your choices of methods may be constrained.
In one form or another, passwords have existed for centuries. And for most of their history, they’ve provided some value. But an overhaul of security measures is long overdue, especially given the speed at which cybersecurity threats evolve. While it may not always be possible to eliminate passwords from legacy implementations, security and IAM leaders would be wise to prioritise assessment and use of more robust, passwordless authentication methods. By doing so, they will simultaneously improve security and UX.
- IAM Consultant- One Identity Manager- UK Wide
- Upto £75,000 plus excellent benefits
One Identity IAM consultant is needed for this expanding UK based business, you will be responsible for: Developing and Supporting the Identity and Access management system based-on One Identity products Active Roles Server and Identity Manager. Further develop One Identity Manager’s integration with Service Now to provide automated JML processes and application access requests and fulfilment. Work across the business ensuring that the IAM solutions integrates into both the technology and business systems and processes, ideally automating as mush as possible. Work with the Governance Risk & Compliance (GRC) team to provide application access attestations and toxic combination alerting and reporting. Work on a mixture of IAM related projects to help to integrate new ideas and technology into the business to ensure the business stays fully compliant Assist in ensuring that all IAM capabilities are mapped to internal processes, policies, and standards. Develop metrics to measure and improve and also compile reports around the solution If you are interested in this opportunity we are looking for someone who is skilled within Identity Acess management, you will need to have worked with the One Identity product, ideally both Active Roles Server and Identity Manager Experience in managing and integrating with Microsoft systems (on-premise and cloud), such as Active Directory, Exchange, Office, SharePoint, etc.
- SailPoint Integration Consultant
- Upto £75000 plus benefits
SailPoint Integration Consultant. SailPoint Integration Consultant is needed for this expanding service business to help them with complex deployment with their FTSE focused customer base. They are looking for experienced SailPoint Integration Consultants who have: • Strong solution designing experience with in depth understanding of IAM concepts and thorough understanding of Sailpoint domain. • Thorough understanding of Identity and Access Governance concepts • Leading and creating Identity & Access Management (IAM) technical architecture • Secure by Design principles in Identify Access management, Privilege Access management • Familiar with cloud architectures, data management and source control from a security perspective. This is a great opportunity to join a business that is growing and looking for individuals who want to grow and develop and work on some of the most complex Sailpoint deployments.
- CyberArk Integration Consultant
- Greater London
- upto 75,000 plus benefits
CyberArk Integration Consultant. CyberArk Integration Consultant is needed for this expanding service business to help them with complex deployment with their FTSE focused customer base. They are looking for experienced CyberArk Integration Consultants who have: • Strong solution designing experience with in depth understanding of IAM concepts and thorough understanding of CyberArk domain. • Thorough understanding of Identity and Access Governance concepts • Leading and creating Identity & Access Management (IAM) technical architecture • Secure by Design principles in Identify Access management, Privilege Access management • Familiar with cloud architectures, data management and source control from a security perspective. This is a great opportunity to join a business that is growing and looking for individuals who want to grow and develop and work on some of the most complex CyberArk deployments.
- Penetration Tester, UK based. Ability to achieve SC clearance
- United Kingdom
Experienced Penetration tester- UK based with the ability to achieve SC clearance. On-going training and development and paid certifications / renewals. Interested to hear from all areas of penetration testing, web app, infrastructure, mobile, etc. MUST have current hands on experience delivering penetration testing. Ideally from a consultancy background with experience working with multiple clients. OSCP / CREST / CHECK / Tigerscheme penetration testing experience / certifications desirable. Apply today for more details. All information kept in the strictest of confidence.