Passwords remain a cybersecurity risk. A more secure alternative is passwordless authentication using biometric data or tokens.
Almost every online service requires login credentials consisting of a username and password. As a result, a long list of combinations accumulates in a very short time: according to a current study, an average person manages around 100 different passwords. To keep track of them, many people use one and the same password for several accounts. This is particularly dangerous when that password is a default or easy-to-guess one.
Password management as a critical vulnerability for companies
For companies in particular, poor password management by their employees is one of the biggest risk factors for data security, as Mimecast's current "State of Email Security" report once again confirms. This includes the frequent use of default passwords, reusing the same password for multiple applications, or simply storing passwords physically in a place that others can also access; think of the sticky note on the edge of the monitor with the PC login written on it. Passwordless authentication methods are therefore an increasingly popular alternative: the user's identity is not verified against fixed credentials but by other means.
Authentication by biometrics, token or push notifications
Devices with cameras and touch screens allow identification based on biometrics: scanning the user's fingerprint or face, or matching their voice. However, given the increasing prevalence of deepfakes, concerns about the security of this method are currently growing. Even though deepfakes can fool a human observer, there is no evidence that they can overcome biometric protection mechanisms.
Another method is multi-factor authentication (MFA) via an authentication token that generates a one-time code, or via an authenticator app tied to a previously verified device or email account. Of course, this method is only passwordless if none of the factors is password-based. Sign-in via push notification works similarly: a notification is sent to an email account or to a previously verified device and prompts the user to approve the sign-in instead of entering a one-time code.
The technology and the budget have to play their part
However, comprehensive adoption of such passwordless authentication methods is still a long way off. A recent survey by Mimecast partner Okta found that just under one in five users of the platform have integrated an application programming interface (API) for passwordless authentication, up from 11% two years ago. Companies often struggle with the hurdles that need to be overcome when introducing such a system.
Implementation challenges
There are many stumbling blocks when implementing a passwordless authentication method. Management may worry that MFA-based methods will degrade the employee experience and slow down or hinder day-to-day operations. Another challenge is the technical component: the various systems in use often do not share a common authentication method. For example, cloud platforms often have their own competing security and identity verification systems that do not easily synchronize with the company's internal servers.
Last but not least, the resources consumed by a system change also play a decisive role; after all, changes cost time and money. Organizations need to overhaul their legacy infrastructure and access policies, users need to be (re)verified, and their authentication factors need to be set up.
Step by step to the passwordless solution
To avoid the stress of a wholesale move to passwordless access, organizations should proceed one step at a time. First, companies should evaluate the risk status of their data. This allows them to prioritize systems for the transition and initially retain password-based access for less sensitive resources.
Enforcing new access policies is also easier when the context of user activity is taken into account when deciding whether to strengthen identity controls. If an employee suddenly logs in from an unknown server or location, an automated identity and access management (IAM) system can trigger an additional verification check. Passwordless authentication is also easier to enforce if the organization already applies a zero-trust approach across the network.
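The context-aware step-up described above, as an added example that is not part of the article and not Mimecast's or Okta's implementation: a small policy function compares each sign-in against what the IAM system already knows about the user (enrolled devices, usual countries), asks for an additional factor only when something is unfamiliar, and enrolls the new context only after that factor succeeds. All users, IP addresses, device identifiers and the sign-in sequence are constructed for the example, and the allow/step_up/deny vocabulary is this example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class LoginContext:
    """The signals an IAM system sees for one sign-in attempt (all values constructed)."""
    user: str
    source_ip: str
    country: str
    device_id: str


@dataclass
class UserProfile:
    """What the IAM system already knows about a user from earlier verified sign-ins."""
    known_devices: Set[str] = field(default_factory=set)
    known_countries: Set[str] = field(default_factory=set)


def assess(profile: UserProfile, ctx: LoginContext) -> Tuple[str, List[str]]:
    """Decide whether the context is familiar ("allow") or needs an extra factor ("step_up")."""
    reasons = []
    if ctx.device_id not in profile.known_devices:
        reasons.append(f"unknown device {ctx.device_id}")
    if ctx.country not in profile.known_countries:
        reasons.append(f"unknown location {ctx.country}")
    return ("step_up" if reasons else "allow"), reasons


def complete_step_up(profile: UserProfile, ctx: LoginContext, factor_ok: bool) -> str:
    """Apply the result of the additional check (push approval or one-time code).

    Only a successful check enrolls the new device/location into the profile,
    so a failed attempt never teaches the system to trust that context.
    """
    if not factor_ok:
        return "deny"
    profile.known_devices.add(ctx.device_id)
    profile.known_countries.add(ctx.country)
    return "allow"


def run_policy(profiles: Dict[str, UserProfile],
               events: List[Tuple[LoginContext, bool]]) -> List[Tuple[str, str, str, List[str]]]:
    """Process sign-ins in order; each result is (user, initial decision, final outcome, reasons)."""
    results = []
    for ctx, factor_ok in events:
        profile = profiles.setdefault(ctx.user, UserProfile())
        decision, reasons = assess(profile, ctx)
        final = complete_step_up(profile, ctx, factor_ok) if decision == "step_up" else "allow"
        results.append((ctx.user, decision, final, reasons))
    return results


def sample_profiles() -> Dict[str, UserProfile]:
    # Constructed starting state: each user has one enrolled laptop and usually signs in from DE.
    return {
        "alice": UserProfile({"laptop-a1"}, {"DE"}),
        "bob": UserProfile({"laptop-b1"}, {"DE"}),
    }


# Constructed sign-in sequence; the bool is whether the user passed the extra factor when asked.
SAMPLE_EVENTS = [
    (LoginContext("alice", "203.0.113.10", "DE", "laptop-a1"), True),   # familiar: no prompt
    (LoginContext("alice", "198.51.100.7", "DE", "phone-new"), True),   # new device: step-up, approved
    (LoginContext("alice", "198.51.100.7", "DE", "phone-new"), True),   # now enrolled: no prompt
    (LoginContext("bob", "192.0.2.44", "BR", "laptop-b1"), False),      # new location: step-up, failed
]


if __name__ == "__main__":
    for user, decision, final, reasons in run_policy(sample_profiles(), SAMPLE_EVENTS):
        print(f"{user}: {decision} -> {final} {reasons}")
```

The point for the rollout discussed in the article is in the third and fourth events: a user who has once proven a new device keeps the frictionless path afterwards, while a failed check on an unfamiliar location leaves the profile untouched, so the policy does not become more permissive just because someone tried.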
More at Mimecast.com