Embrace a passwordless approach to improve security
.jpg)
Passwords are still used extremely widely for user authentication, but their weaknesses mean that they are woefully inadequate for protecting sensitive systems and confidential data. Password policies cannot ameliorate the inherent weaknesses of passwords themselves. Security and risk management leaders responsible for identity and access management (IAM) should not focus on crafting the perfect policy but should invest in new authentication methods and other compensating controls in line with business needs.
Society’s increasingly digital nature has created a mass market for stolen data, creating significant challenges for chief information security officers. On the demand side, as IT organisations migrate to cloud-based applications, accessible by unmanaged devices, authentication ends up as the only security control. Attackers have identified this weakness and are relentlessly targeting passwords with a range of well-crafted account takeover attack techniques.
In many cases, IT leaders simply try to “put out fires” by insisting that employees make their passwords longer and more complex. However, excellent password policies alone can’t protect against all attacks; hard-to-guess passwords are.
Furthermore, centrally managed passwords are magnets for cyberattackers and it’s easier and less expensive than ever for these criminals to crack them. Password lists and password-cracking software is widely available and even a standard desktop PC can try billions of character combinations every second. Thus, there’s limited value in aiming to have a perfect set of rules. Yet many identity and access management (IAM) leaders, security and risk management leaders, and other stakeholders still spend a significant amount of time and energy tinkering with their organisation’s password policies to get the rules “just right.” That time and effort would be better spent assessing and implementing technical controls that can more effectively reduce the likelihood or impact of most types of attacks against passwords.
Another issue is the impact on user experience (UX). People are challenged by having to remember many different passwords for different systems, often with different length and complexity rules. Forgotten passwords lead people into convoluted password reset processes that only increase their frustration. The need to type a long, complex password for every login, especially on a smartphone, adds friction that erodes UX, which is a concern in customer interactions.
Two ways
Thus it’s highly desirable to eliminate passwords altogether. This has long been a goal, but only now is the idea of “passwordless” authentication starting to gain real traction and market visibility. Over the past year, Gartner has seen an increase in the number of enquiries from clients asking about passwordless approaches. By 2022, Gartner predicts that 60 per cent of large and global organisations, and 90 per cent of midsize organisations, will implement passwordless authentication methods for over half of all use cases — compared with less than 5 per cent of use cases in 2018.
By its nature, passwordless authentication eliminates the security and UX issues surrounding the use of passwords. It also offers a range of additional benefits to users and organisations. For users, it removes the need to remember or input passwords, which leads to a better and more streamlined UX and especially customer experience. For organisations, no longer having to centrally store and manage passwords has benefits in terms of better security, fewer breaches and reduced support costs.
There are two main ways in which security and IAM leaders can implement a passwordless approach:
Approach 1: Replace legacy passwords as the sole authentication factor
A common way to replace passwords is to adopt biometric authentication, such as fingerprint or face. Biometric authentication methods are now widely used in mobile banking applications and are being introduced into other customer and enterprise applications.
Alternatives include passwordless knowledge methods, such as pattern-based one-time password methods; phone-as-a-token methods as a single factor; the FIDO UAF (Fast Identity Online Universal Authentication Framework) which enables passwordless authentication via a method local to a person’s device; rule-based evaluation of network, device and location signals; and analytics consuming a range of familiarity signals, potentially including passive behavioural biometric methods. If the familiarity signals are unavailable or do not provide confidence in the identity claim, the tool must be able to prompt for an orthodox authentication method.
Approach 2: Replace legacy passwords as one factor in two-factor authentication
The most widely used strong authentication methods add some type of token to an existing password for two-factor authentication (2FA). Recently available solutions are two-factor and passwordless by default, which results in a single-step 2FA. For example, combining mobile push technology with a local PIN or device-native biometric mode such as Touch ID can create sufficient trust in medium-risk use cases.
Non-native biometrics
Non-native biometric modes offer more in a single-step 2FA process, as they are independent of the power-on passcode of a mobile phone. They give organisations more control over whose biometric data is being used, and typically provide superior protection against potential attacks using images or recordings. These advantages are crucial when mobile push technology is used to authenticate access from a smartphone.
Whether you're considering orthodox two-factor or multifactor authentication methods or emerging contextual/analytics techniques within an adaptive access framework, good authentication choices are characterised by risk-appropriate authentication strength, low TCO, and goodUX.
In coming to a final decision about what methods you will use and how they'll be deployed, you will also need to review the dependencies between choices of methods and delivery models. Some iteration may be required. In particular, if cloud-delivered access management (AM) tool is strongly preferred, say because of a cloud-first business application architecture, then your choices of methods may be constrained.
In one form or another, passwords have existed for centuries. And for most of their history, they’ve provided some value. But an overhaul of security measures is long overdue, especially given the speed at which cybersecurity threats evolve. While it may not always be possible to eliminate passwords from legacy implementations, security and IAM leaders would be wise to prioritise assessment and use of more robust, passwordless authentication methods. By doing so, they will simultaneously improve security and UX.
source itproportal

Latest Jobs
-
- Senior Presales Consultant | Managed Security Services | London
- London
- N/A
-
Senior Presales Consultant – Managed Security Services Location: London-commutable (Hybrid) A well-established cyber consultancy is seeking a Senior Presales Consultant to drive growth across its managed security services / advisory portfolio. This hybrid role bridges commercial and technical expertise supporting solution design, shaping customer proposals, and guiding conversations from scoping through to delivery. Key experience: Background in managed security services, including SOC operations and threat detection Strong knowledge of cloud and on-prem security tooling (SIEM, EDR, IAM) Penetration testing Proven ability to translate technical concepts into clear business value Confident in customer-facing engagements and pre-sales delivery Experience contributing to bids, proposals, and RFI/RFP responses To find out more contact me on 07884666351 Visa sponsorship is unfortunately not available for this role.
-
- Senior SOC Engineer - Microsoft | Splunk. Permanent. London
- London
- N/A
-
Senior SOC Engineer – Hybrid London Type: Full-Time A well-established cyber security provider is seeking a Senior SOC Engineer to strengthen its managed services function. This role is ideal for someone with a strong operational background in SIEM and EDR tools who can confidently lead customer onboarding, fine-tune detection strategies, and act as a senior point of contact for technical escalations. You will need to be SC clearable. Bonus points if you have SC clearance currently. You will be responsible for ensuring smooth integration of new clients into the service, optimising alerting capabilities and delivering meaningful outcomes during investigations. This is a hands-on position, working closely with internal teams and external stakeholders to maintain robust security operations across multiple environments. Prior experience in a cyber-focused MSP or MSSP Strong hands-on capability with platforms such as Microsoft Sentinel, Defender for Endpoint, or similar Proficiency in scripting and query languages such as KQL or PowerShell Knowledge of detection logic, investigation workflows, and cloud-based infrastructure Confident communicator with strong documentation and reporting skills Apply today for more information.