Go PASSWORDLESS for secure business operations.
The concept of a password is nothing new. It has been around for centuries. Way before the modern computer system prompted us for passwords; Indians were using passphrases as passwords to deliver secret military messages. The existence of passwords can be tracked back in fictional stories like Alibaba and 40 thieves, where a magical cave could only be open by a secret phrase “Open sim sim “. Exciting isn’t it? However, Fernando Corbató introduced the modern computer password to computer science in the 1960s.
In Corbató’s era, the use of passwords was limited to only a handful of people. As the need for the internet exploded in the ’90s, more and more people began using the internet, and this led to a surge in the number of hackers, crackers and attackers. There was a paradigm shift from paper-based information to digital documents, creating reams of sensitive data and information. As the requirement for protecting this sensitive information from unauthorized users emerged, so did the need for strong passwords and technology for protecting passwords.
For a long time, passwords were considered a reliable way to protect assets and information. Multi-factor Authentication was introduced with an increase in passwords related attacks. “ ’Something you know, ‘Something you have’, ‘Something you are’ ” the three factors of authentication that took the authentication process to the next level; adding complexity and security to secure information and assets.
Passwords are one of the three factors “Something you know”.
Authentication mechanism has come a long way, but criminals are never far behind. Passwords are still the norm, but perhaps not for long. Why? Even strong passwords aren’t strong enough—especially as mobile, the IoT, social media and other technologies expand attack surfaces.
Security Challenges with passwords
There are some intrinsic problems with passwords. If a password is short, it is easy to crack and if it is long then it difficult to remember. Secondly, there are many different locations where passwords are used, social media, work PC, email etc. It is difficult to remember all of them and by the end of the day, you tend to use the same password everywhere.
In some cases, people use the same password for their email and online banking. Shockingly, Verizon DBIR (Data Breach Investigation Report) 2019 81% of data breaches are caused by compromised, weak, and reused passwords.
Poorly chosen and repeatedly used passwords are easy to guess, either through computational techniques (such as the “dictionary attack,” which might test all known words and word combinations in a particular language) or so-called social engineering (that is, tricking someone into disclosing a password).
Security teams came up with password policies like length, use of special character, a combination of alphabets and numbers. These policies serve no purpose if someone writes a complex password on a sticky note and paste it on their monitor or desk.
Some tools like KEY PASS help us to solve some of the above-mentioned issues. Nevertheless, if your password to protect KEY PASS is compromised, then you risk losing all the passwords in a single event.
Rest In Peace …… PASSWORDS!!
When someone uses a password, the password represents that person within a virtual or nonphysical system, regardless of whether the person is physically present or absent. Anyone else who knows the password of a person can personify as that person. Given the weak security of using passwords, both security professionals and knowledgeable users have been calling for the abandonment of password security altogether.
Do we have a choice? Most people will ask this question. With current technology, the answer is ‘YES’
“NO PASSWORD AUTHENTICATION”
An authentication method that does not require a user to enter a password is called password-less authentication. Now, your question should be, “if there is no password, how are we going to identify users?”
Users can be identified by something they possess, something that identifies them uniquely. For example, a registered mobile device, OTP generator, hardware token etc. or user’s biometrics like fingerprint, face reading etc.
How passwordless authentication works?
Passwordless authentication can work through a variety of different authentication and encryption protocols. However, the core design of all passwordless solutions is that authentication credential is never fixed within the system. A new authentication credential is generated with each session.
Let us say the user ‘Mary’ needs to log in to a web service hosted in the corporate server Web SRV. She is prompted for initial identification, a username or company employee ID. Web SRV will reach AD to identify if the username is valid. Once identified, Web SRV will reach a passwordless authentication server (let us say AUTHSRV) to generate a password. The generated password is sent to Mary’s registered device (mobile app) through a push server ( PUSH SRV) and the user accepts this notification on the app. AUTHSRV will contact AD to provide access to the user.
This is the simplest form of passwordless authentication. However, in reality, the process is not that simple.
At this moment, there are few passwordless authentication mechanisms available. Some of them are as follow:
- Software tokens
- Hardware tokens
- SMS code delivery
- Biometric scanners.
Benefits of passwordless authentication
User experience: Passwordless authentication provides an unmatchable user experience as users do not have to remember passwords.
Security: Administrators can enforce a complex password policy
Cost-effective: Password creates a significant amount of work for IT helpdesks and reduces productivity for people waiting for assistance. Self-service for password management also requires additional infrastructure. Going password-less eliminates such costs.
A shift of control: Going password-less will give the IT department full control over the authentication process. Ultimately, IT will be able to have better visibility over IAM. Your organisation will experience a substantial reduction in phishing attacks.
Currently, multiple vendors provide password-less authentication. Gartner has published its magic quadrant for access management tools for 2019.
Rabbon’s recommendation is to develop a password-less strategy and find a solution that suits your requirements. Microsoft has developed a 4-step password-less strategy, which in my opinion is a good first step towards going password-less.
Visit the following link for details Password-less Strategy-Microsoft
Although it is not always possible to eliminate passwords from legacy implementations, however, it is recommended that organizations prioritize assessing and implementing more robust passwordless authentication methods. In doing so, organizations will improve security and user experience.
Cybersecurity is what we do
Rabbon is a Cybersecurity company. We lead a team of Cybersecurity experts and GRC Consultants, who help organisations become cyber resilient by providing access to effective and affordable cybersecurity services. We believe that “Cybersecurity is for everyone“
You can contact our Cyber Security Consultants for an obligation free consultation.
Phone : +61 2 80513207
Email: [email protected]