Is Your Passwordless Solution Truly Password-LESS?
Written by: Gurpreet Manes
When asked what’s most important in identity security right now, saying goodbye to the password ranks at the top of my list. The good news is I’m not alone. Organizations around the globe are waking up to the password challenge and beginning to embrace a passwordless model. Gartner reports that passwordless authentication is achieving market traction and is the fourth top security/risk trend for 2020.
All great news, yet as with all transitions there are challenges. In the case of passwordless security, everyone’s definition of passwordless is different: what one organization considers passwordless isn’t completely passwordless to another. I’ve also noted that many companies aren’t implementing solutions across their entire organization, leaving parts of the infrastructure vulnerable and subject to a poor user experience.
So what does an IT administrator do? How do you navigate the journey to passwordless authentication without risking the security of your data, assets, and stakeholders? These questions are particularly relevant today as we witness a surge in the remote workforce. Through this blog, I hope to answer your questions and make the transition a little easier.
Why say goodbye to the password?
The answer to this question shouldn’t be a surprise. Passwords are just too easy to guess, crack or intercept, making them the weakest link in enterprise security. Complex password policies lead to frustrating user experiences. And if passwords aren’t equipped to handle regular workforce demands, they certainly aren’t capable of weathering the additional risks and complexities posed by remote, global workforces. The strain on your IT team can also take its toll.
Passwordless is real, but is your solution really password-less?
We’re getting more phone calls from customers asking for guidance because the path to passwordless isn’t always clear. There are a lot of bold claims about solutions being “passwordless,” often without specifics about what that means. Plus, there are two schools of thought on the subject, causing even more confusion.
The first school of thought defines passwordless authentication in terms of user experience. In other words, the experience is passwordless if the end user doesn’t have to physically enter a password when he or she logs into a system or an application. It can be achieved with various methods, such as password vaults, PKI, or FIDO2 authentication.
There are two major problems with this approach:
- Not all methods are equal in terms of security, because the focus is on the user experience rather than on security.
- In a lot of cases, passwords are still there — lurking somewhere in the background.
The second school of thought is to remove passwords at the application level and enable strong authentication. This approach is working well in many environments. The best-known example is X.509/PKI in a Microsoft environment: employees can log in to Windows 7 or Windows 10 with a PKI credential, without using a password.
Another example is the PIV standard, an extension of PKI widely adopted across the enterprise ecosystem, from VPNs to multi-function printers. Some question whether PIV qualifies because it requires two-factor authentication, including a PIN. That said, I personally consider it passwordless from an application login standpoint. Plus, it provides a significant security improvement, since the PIN remains local to the login device and is never transmitted over the network. This approach has been around for years and is widely used by the US DoD and other high-security organizations.
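As an added example (not from the post or from Axiad), the following Go program models the two schools side by side: a vault-filled password login, in which the application still receives the password and stores a verifier for it, and a PIV-style PKI challenge-response, in which the PIN is checked on the token and only a nonce and a signature cross the network. The names VaultApp, Token and PKIApp are invented for the illustration, and SHA-256 stands in for whatever password hash a real application would use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
)

// Wire records every field that crosses the network in one login.
type Wire map[string][]byte

// TransmitsPassword is the "truly password-LESS?" check from the post.
func (w Wire) TransmitsPassword() bool { _, ok := w["password"]; return ok }

// School 1: a password vault fills the password in for the user, but the
// application still receives it and still stores a verifier for it.
type VaultApp struct{ StoredHash [32]byte } // SHA-256 stands in for a real hash

func (a *VaultApp) Login(vaultedPassword string) (bool, Wire) {
	wire := Wire{"password": []byte(vaultedPassword)} // the password travels
	h := sha256.Sum256([]byte(vaultedPassword))
	return subtle.ConstantTimeCompare(h[:], a.StoredHash[:]) == 1, wire
}

// School 2: PKI/PIV-style challenge-response. The server stores only a
// public key; the PIN unlocks the private key on the token and never
// leaves the device. Only a fresh nonce and a signature cross the wire.
type Token struct{ priv ed25519.PrivateKey; pin string }

func NewToken(pin string) (*Token, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Token{priv: priv, pin: pin}, pub
}

// Sign runs on the token itself: the PIN is checked here, not by the server.
func (t *Token) Sign(pin string, nonce []byte) ([]byte, bool) {
	if subtle.ConstantTimeCompare([]byte(pin), []byte(t.pin)) != 1 {
		return nil, false
	}
	return ed25519.Sign(t.priv, nonce), true
}

type PKIApp struct{ Pub ed25519.PublicKey }

func (a *PKIApp) Login(t *Token, pin string) (bool, Wire) {
	nonce := make([]byte, 32)
	rand.Read(nonce) // a fresh challenge per login, so a captured reply cannot be replayed
	sig, ok := t.Sign(pin, nonce)
	if !ok {
		return false, Wire{"nonce": nonce}
	}
	return ed25519.Verify(a.Pub, nonce, sig), Wire{"nonce": nonce, "signature": sig}
}
```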
FIDO2 is also very promising but still lacks interoperability with a lot of the enterprise access and identity ecosystems today.
The good news is that the two schools of thought are converging. In fact, organizations worldwide are already embracing the benefits through the use of smartphones and credentials/tokens:
- Most smartphones now require passwordless authentication methods such as fingerprint or face recognition.
- Governments and large enterprises are requiring employees to use smart cards or YubiKey tokens to authenticate.
I should also note that FIDO2 is passwordless at both the application and user level. It removes application passwords and allows users to log in via biometrics. The result — improved security and a better user experience.
Getting on the Right Track
While there is no magic bullet to going passwordless, consider these five tips for getting on the right track:
- Start with PKI authentication using a YubiKey, a physical badge, or mobile PKI on the phone.
- Combine PKI with an access management solution such as Azure AD or Ping Identity to achieve single sign-on (SSO) to cloud applications.
- For a great user experience, complement it with an enterprise SSO for the legacy apps that still require passwords.
- Implement passwordless authentication across your entire organization.
- Most importantly, select a partner with the knowledge and expertise, but also the vision, to help you make the transition to passwordless: one with an agile platform that supports PKI, OTP and FIDO authentication and can adapt to new innovations.
Passwordless authentication is here and achievable. To ensure you get the desired benefits without interruption to your business, we are here to partner with you every step of the journey. We’ll be sharing more about our Axiad Partnership Pledge in the weeks ahead.
For more information about Axiad’s passwordless authentication, visit https://www.axiad.com/axiad-cloud.
About the Author
Gurpreet Manes, Vice President of Technology, leads Axiad’s technology roadmap with more than 17 years of experience in cutting-edge network security and identity management technologies and methods. Gurpreet’s industry contributions include the development of innovative cybersecurity and identity and access management solutions for people, devices, and the internet of things.