SC Magazine: The Value of Passwordless Technology. Learning from the American Prohibition Era
Author: Stephen Cox
Say “password” today and the word will conjure up visions of a laptop or an application – not secret societies. Still, passwords have played an important role throughout human history to distinguish between who could and couldn’t enter a specific area, club or level of access to information.
During the American Prohibition Era, patrons often used passwords to get into a speakeasy or club serving alcohol. Say the wrong word to the doorman and you were kept out in the cold. Did this system keep lawmen out? Not at all. Patrons often gave up passwords, while secret agents could guess many of them. Sometimes they simply pushed right past the doormen.
What’s interesting: the same flaws and vulnerabilities that might compromise a 1920s speakeasy are still bedeviling IT departments in 2019. Passwords are still a popular strategy when it comes to blocking unwanted visitors. In fact, they’re often the only cybersecurity defense employed, leaving many enterprise assets laid bare.
The problem is that passwords are, and have always been, insecure. They pose a hindrance in today’s cybersecurity industry and research confirms they are the weakest link. Despite many high-profile breaches that have seized media headlines, people still practice poor password hygiene in their personal and professional lives. 81 percent of Americans reuse passwords. Most users can’t remember long strings of letters and numbers, and the result is harrowing facts like “123456” and “password” enduring as the most popular choices.
There are the customers and employees that keep their passwords written on notes tucked into wallets or attached to their monitor. Some share their passwords with other employees. Leadership often fails their workforces by not applying industry best practices with regards to password management.
Passwords also impose a burden on an IT workforce. They have to generate temporary passwords for new employees or users. They are constantly taking helpdesk calls for customers with lost or forgotten passwords. This eats up staff hours and budget. Even worse, users actively resent having to remember more than a dozen passwords for different applications at work and still more apps at home.
The most pressing issue with passwords is that criminals know they are low-hanging fruit. Ever present phishing scams and an avalanche of stolen credentials are major threats to most organizations. Attackers launch credential stuffing attacks with ease, and often guess or crack weak passwords. Two-factor authentication has helped mitigate these threats, but many attackers are learning to bypass those controls as well.
It certainly seems that not much has changed in the last hundred years when it comes to the password. As a result, forward-thinking security leaders have decided to take the password out of the equation altogether.
Passwordless strategies are a collection of security controls that – as you might guess – validate an identity without requiring the customer or employee to type in a password. Teams have taken different approaches to going passwordless, with the most effective forms adopting risk-based adaptive authentication methodology. Adaptive authentication employs contextual and risk-based analysis to evaluate users and can prevent attackers from bypassing two-factor authentication or using stolen credentials.
Identity is now tied to highly effective factors – unlike a password, which can be used by virtually anyone who knows (or has stolen) it. A typical approach would allow seamless access for some users while asking others to complete a second method of authentication. The decision may be based on multiple elements such as:
· Attributes such as a device fingerprint, IP address or geo-location
· Strong second-factor devices including Smart Cards and USB authenticators
· Biometrics such as a fingerprint or facial recognition
· Behavior analytics that study a user’s behavior over time
Adaptive authentication doesn’t exist in a vacuum; the evaluation workflows can be programmed to match security policies and changing risk factors. By acting as a form of attribute-based access control (ABAC), adaptive authentication removes the headaches of password management as well as its inherent security weaknesses. This holds true even when teams implement standards like FIDO2 (fast identity online) and Web Authentication, which leverage devices to easily authenticate users.
Passwordless In Action
Here’s how a passwordless approach can bolster security, increase customer satisfaction and improve workforce productivity. In a typical user name and password approach, a customer logs into their online banking account and realizes they have forgotten their password. They follow the steps for requesting a temporary password, receive the email to log in and create a new one, and go on to complete their transaction. To ensure they don’t forget the new password, they carefully write it down in several places – making it easy for someone else to use the password and user name to access and drain their savings account.
With passwordless authentication, the online application verifies the customer’s identity through their device fingerprint and other risk factors. If any of the factors seem “off,” the customer receives a notification on their phone to confirm the transaction – and it’s authorized or rejected according to their feedback.
This contextual request for additional validation can be applied to workforce users as well. Employees can be quickly evaluated through their IP address, geo-location, and device fingerprint to determine if their request for access fits the right historical parameters. If an employee works from home one day, and their IP address no longer matches their recorded data, they receive a signal on their personal cell phone requesting confirmation. Once they respond that their session is legitimate, machine learning based analysis factors their home IP address into their behavior – and the employee can work from home without that additional step in the future.
Let’s say, however, the employee needs to make a high-value transaction that day, such as transferring a large sum of money from one company account to another. In that case, adaptive authentication can require a higher hurdle to clear before they can complete that critical transaction. This is another way that your risk-based policies can be applied to ensure the right customers and employees are initiating the request.
Evolving Beyond Passwords
Passwordless authentication may sound scary to the uninitiated, but the move towards device and biometric based technology, combined with adaptive risk checks, offer a stronger level of security partnered with a superior user experience. With today’s flexible identity platforms, IT leaders can secure all identities across cloud, hybrid and on premises. There’s no better time to evolve towards new advances in identity security.
This article originally appeared on SC Magazine on July 8th 2019