Embrace a passwordless approach to improve security
.jpg)
Passwords are still used extremely widely for user authentication, but their weaknesses mean that they are woefully inadequate for protecting sensitive systems and confidential data. Password policies cannot ameliorate the inherent weaknesses of passwords themselves. Security and risk management leaders responsible for identity and access management (IAM) should not focus on crafting the perfect policy but should invest in new authentication methods and other compensating controls in line with business needs.
Society’s increasingly digital nature has created a mass market for stolen data, creating significant challenges for chief information security officers. On the demand side, as IT organisations migrate to cloud-based applications, accessible by unmanaged devices, authentication ends up as the only security control. Attackers have identified this weakness and are relentlessly targeting passwords with a range of well-crafted account takeover attack techniques.
In many cases, IT leaders simply try to “put out fires” by insisting that employees make their passwords longer and more complex. However, excellent password policies alone can’t protect against all attacks; hard-to-guess passwords are.
Furthermore, centrally managed passwords are magnets for cyberattackers and it’s easier and less expensive than ever for these criminals to crack them. Password lists and password-cracking software is widely available and even a standard desktop PC can try billions of character combinations every second. Thus, there’s limited value in aiming to have a perfect set of rules. Yet many identity and access management (IAM) leaders, security and risk management leaders, and other stakeholders still spend a significant amount of time and energy tinkering with their organisation’s password policies to get the rules “just right.” That time and effort would be better spent assessing and implementing technical controls that can more effectively reduce the likelihood or impact of most types of attacks against passwords.
Another issue is the impact on user experience (UX). People are challenged by having to remember many different passwords for different systems, often with different length and complexity rules. Forgotten passwords lead people into convoluted password reset processes that only increase their frustration. The need to type a long, complex password for every login, especially on a smartphone, adds friction that erodes UX, which is a concern in customer interactions.
Two ways
Thus it’s highly desirable to eliminate passwords altogether. This has long been a goal, but only now is the idea of “passwordless” authentication starting to gain real traction and market visibility. Over the past year, Gartner has seen an increase in the number of enquiries from clients asking about passwordless approaches. By 2022, Gartner predicts that 60 per cent of large and global organisations, and 90 per cent of midsize organisations, will implement passwordless authentication methods for over half of all use cases — compared with less than 5 per cent of use cases in 2018.
By its nature, passwordless authentication eliminates the security and UX issues surrounding the use of passwords. It also offers a range of additional benefits to users and organisations. For users, it removes the need to remember or input passwords, which leads to a better and more streamlined UX and especially customer experience. For organisations, no longer having to centrally store and manage passwords has benefits in terms of better security, fewer breaches and reduced support costs.
There are two main ways in which security and IAM leaders can implement a passwordless approach:
Approach 1: Replace legacy passwords as the sole authentication factor
A common way to replace passwords is to adopt biometric authentication, such as fingerprint or face. Biometric authentication methods are now widely used in mobile banking applications and are being introduced into other customer and enterprise applications.
Alternatives include passwordless knowledge methods, such as pattern-based one-time password methods; phone-as-a-token methods as a single factor; the FIDO UAF (Fast Identity Online Universal Authentication Framework) which enables passwordless authentication via a method local to a person’s device; rule-based evaluation of network, device and location signals; and analytics consuming a range of familiarity signals, potentially including passive behavioural biometric methods. If the familiarity signals are unavailable or do not provide confidence in the identity claim, the tool must be able to prompt for an orthodox authentication method.
Approach 2: Replace legacy passwords as one factor in two-factor authentication
The most widely used strong authentication methods add some type of token to an existing password for two-factor authentication (2FA). Recently available solutions are two-factor and passwordless by default, which results in a single-step 2FA. For example, combining mobile push technology with a local PIN or device-native biometric mode such as Touch ID can create sufficient trust in medium-risk use cases.
Non-native biometrics
Non-native biometric modes offer more in a single-step 2FA process, as they are independent of the power-on passcode of a mobile phone. They give organisations more control over whose biometric data is being used, and typically provide superior protection against potential attacks using images or recordings. These advantages are crucial when mobile push technology is used to authenticate access from a smartphone.
Whether you're considering orthodox two-factor or multifactor authentication methods or emerging contextual/analytics techniques within an adaptive access framework, good authentication choices are characterised by risk-appropriate authentication strength, low TCO, and goodUX.
In coming to a final decision about what methods you will use and how they'll be deployed, you will also need to review the dependencies between choices of methods and delivery models. Some iteration may be required. In particular, if cloud-delivered access management (AM) tool is strongly preferred, say because of a cloud-first business application architecture, then your choices of methods may be constrained.
In one form or another, passwords have existed for centuries. And for most of their history, they’ve provided some value. But an overhaul of security measures is long overdue, especially given the speed at which cybersecurity threats evolve. While it may not always be possible to eliminate passwords from legacy implementations, security and IAM leaders would be wise to prioritise assessment and use of more robust, passwordless authentication methods. By doing so, they will simultaneously improve security and UX.
source itproportal
Latest Jobs
-
- Business Development | Healthcare | Warm accounts | UK
- England
- N/A
-
Business Development | Healthcare | Warm accounts | UK Healthcare Cyber Security UK Based An experienced Business Development Manager is required to drive new cyber security revenue across a warm healthcare account base. This role is focused on new business and account growth, engaging healthcare organisations to understand risk, priorities, and operational challenges, and positioning appropriate cyber security solutions and services. Key Responsibilities Drive new business sales into a warm healthcare account base Develop and close new opportunities across healthcare organisations Build senior level relationships with IT, security, and procurement stakeholders Own the full sales lifecycle from first conversation through to close Work closely with technical pre sales and delivery teams Experience Required Proven B2B new business sales experience within cyber security or technology Healthcare sector experience desirable Strong consultative sales and closing capability Ability to achieve UK Security Clearance is required UK based with flexibility to travel What’s on Offer Warm accounts with new business focus Clear revenue ownership Competitive base salary with uncapped commission
-
- Technical Pre Sales Cybersecurity Consultant. Healthcare
- England
- N/A
-
Technical Pre Sales Cybersecurity Consultant UK Remote | Healthcare Focus Overview We are seeking an experienced Technical Pre Sales Cybersecurity Consultant to support healthcare organisations by delivering advisory, solution design, and security uplift services. This role focuses on improving security outcomes, addressing operational challenges, and enabling informed technology decisions across complex and regulated environments. The position blends technical pre sales expertise with a consultative approach, working closely with clinical, technical, and commercial stakeholders to shape effective cybersecurity solutions. The individual must be able to achieve UK Security Clearance. Key Responsibilities Provide technical pre sales support across cybersecurity solutions and services for healthcare organisations Engage stakeholders to understand security challenges, risks, and operational pain points Deliver advisory guidance and recommendations to strengthen security posture and resilience Translate customer requirements into clear, outcome focused technical and commercial solution designs Act as a trusted technical advisor throughout the sales and early delivery lifecycle Produce clear technical documentation, recommendations, and customer facing materials suitable for regulated environments Collaborate closely with sales, delivery, and technical teams to align solutions with customer needs Experience and Skills Proven experience in technical pre sales or cybersecurity consultancy Experience working within healthcare or other highly regulated sectors Broad knowledge of cybersecurity technologies, managed services, and risk based approaches Strong communication skills with the ability to engage both technical and non technical stakeholders Confident operating in a client facing, consultative role UK based role with remote working Occasional travel for customer engagement as required
-
- Contract Technical Pre Sales Cyber Security Healthcare. SC clearance needed
- England
- Outside IR35
-
Contract Technical Pre Sales Cyber Security Healthcare Outside IR35 Contract | UK Remote | Healthcare Focus Existing SC clearance is required. Overview Seeking an experienced Technical Pre Sales Cybersecurity Consultant is required to deliver advisory and uplift services across complex healthcare organisations. This Outside IR35 contract operates on a consultancy basis, focused on improving security outcomes, addressing operational pain points, and supporting informed Cyber Security decisions. The role combines deep technical pre sales capability with consultative advisory delivery, working across clinical, technical, and commercial stakeholders to shape effective and proportionate cybersecurity solutions. Responsibilities Provide technical pre sales consultancy across cybersecurity solutions and services within healthcare environments Engage senior stakeholders to understand security challenges, risks, and operational pain points Deliver advisory guidance and uplift recommendations to improve security posture, resilience, and maturity Translate healthcare requirements into clear, outcome focused technical and commercial propositions Act as a trusted technical advisor throughout the pre sales and early engagement lifecycle Produce concise technical documentation, recommendations, and advisory outputs suitable for regulated healthcare settings Experience Strong background in technical pre sales or cybersecurity consultancy Experience working with healthcare or other highly regulated environments Broad understanding of cybersecurity technologies, managed services, and risk based security approaches Ability to communicate complex technical concepts to both technical and non technical audiences Comfortable operating independently in a client facing advisory role
-
- London Sales Manager, Key Clients. Security. Immediate
- London
- N/A
-
London Sales Manager, Key Clients A senior sales leadership role within the cyber security services and technology market, focused on account development and revenue growth across key clients. You will lead a sales team with responsibility for customer retention, increasing share of wallet and maintaining a strong commercial pipeline. The role works closely with technical, delivery and marketing teams, as well as technology partners. Key focus Lead and coach a field based sales team Own forecasting, pipeline quality and revenue delivery Drive renewals and account development Expand customer investment across services and solutions Build relationships with vendors and partners Background Proven experience managing enterprise sales teams Consistent performance against revenue targets Cyber or IT security sales leadership experience Exposure to Palo Alto, Check Point, Microsoft, etc Commercially focused with a structured sales approach A role for a sales leader focused on long term client value and sustainable growth.