Passwords were a great invention in 1961, but when cybercrime surged in 2021, the world discovered that passwords were the main cause of cyberattacks. These days, hackers no longer need to “break in” to your account or corporate network. They simply log in with your weakest password.
Why do we still rely on a 60-year-old solution when we can use passwordless technology? Password management is a nightmare, and a passwordless environment is more secure, saves money, and improves the end-user experience.
Many fear a shift to passwordless will cause disruption in their lives or organizations, but this couldn’t be further from the truth. When we take a critical look and begin to understand what it really means to go passwordless and internalize the steps needed to ditch passwords, the transformation becomes less intimidating.
In the article below, we aim to explain what passwordless authentication really means and then detail how it can help keep your business and identities more secure, all while improving end-user experience.
What is Passwordless Authentication?
Passwordless Authentication is the experience one has when securely accessing digital resources without the use of a password. Passwordless Authentication improves security by replacing weak passwords with biometrics, single sign-on, and multifactor authentication, enhancing identity verification.
How does Passwordless Authentication work?
Windows Hello for Business is the biometric component of a passwordless solution on a Windows device (laptop or desktop). Depending on the device specification, Windows Hello uses fingerprints or facial recognition to log in.
Pro tip: When purchasing new devices, choose devices with a TPM 2.0 (Trusted Platform Module) chip and an infrared camera.
Single Sign-On (SSO)
The goal of Single Sign-On (SSO) is to eliminate as many login events as possible, because each time an end-user types their credentials, they create a possible point of failure and risk being compromised.
Once a user has authenticated to the Windows OS, the next step is to authenticate to required applications, services, and storage locations. Rather than being prompted for unique passwords for each application, Single Sign-On automatically authenticates the user to trusted applications and resources.
Multi-factor authentication (MFA) is the verification step to ensure the person logging in is the person who they claim to be. MFA is proven to prevent 99% of all account compromise attacks. MFA should be used everywhere, all the time.
There are three components to the MFA philosophy:
1. Something you know – for instance, a PIN code or username
2. Something you are – biometrics like facial recognition or a fingerprint
3. Something you have – a device with an authenticator app, a certificate, or a token
Authenticator App or FIDO2 Key
Most end-users quickly tire of receiving verification text messages with 6-digit codes. A more elegant solution is the Authenticator app which simply presents an option to Accept or Decline an access request.
In the event an end-user does not have a smartphone or is not willing to use a smartphone as a second factor, FIDO2 keys are available to enable the end-user to log in securely and quickly.
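To show what makes a FIDO2 key different from a 6-digit code, here is an added example (not code from the article or from Mobile Mentor) that walks through a simplified WebAuthn sign-in assertion. The relying-party ID, origin and credential key are constructed sample values, and an HMAC over the real FIDO2 byte layout stands in for the authenticator's public-key signature so the example runs with the Python standard library alone; the checks the relying party performs (challenge echoed back, browser-recorded origin matches, rpIdHash matches, signature counter advances) are the ones a real verifier does.

```python
"""Simplified FIDO2/WebAuthn assertion check (added example, not the article's code).

HMAC stands in for the authenticator's public-key signature; the byte layout that
gets signed (authenticatorData || sha256(clientDataJSON)) and the relying-party
checks are the same as in the real protocol. All identifiers are constructed.
"""
import hashlib
import hmac
import json
import os
import struct
from typing import Dict, Tuple

RP_ID = "login.example.com"               # assumed relying-party ID
RP_ORIGIN = "https://login.example.com"   # assumed origin the relying party expects
CREDENTIAL_KEY = b"constructed-sample-credential-key"  # stands in for the key pair


class Authenticator:
    """Model of a FIDO2 key: it only ever signs for the rpId it was registered with."""

    def __init__(self, key: bytes, rp_id: str):
        self.key = key
        self.rp_id = rp_id
        self.counter = 0

    def get_assertion(self, client_data: Dict) -> Dict:
        self.counter += 1
        client_data_json = json.dumps(client_data, sort_keys=True).encode()
        auth_data = (
            hashlib.sha256(self.rp_id.encode()).digest()  # rpIdHash (32 bytes)
            + b"\x01"                                     # flags: user present
            + struct.pack(">I", self.counter)             # signature counter
        )
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return {
            "authenticatorData": auth_data,
            "clientDataJSON": client_data_json,
            "signature": hmac.new(self.key, signed, hashlib.sha256).digest(),
        }


def browser_client_data(challenge: bytes, origin: str) -> Dict:
    """The browser, not the web page, records the origin it is actually on."""
    return {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin}


def verify_assertion(assertion: Dict, expected_challenge: bytes, stored_counter: int) -> bool:
    """Relying-party checks; True only if every binding holds."""
    client_data = json.loads(assertion["clientDataJSON"])
    auth_data = assertion["authenticatorData"]
    if client_data.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(client_data.get("challenge", ""), expected_challenge.hex()):
        return False  # not the challenge we issued: a replayed or stale assertion
    if client_data.get("origin") != RP_ORIGIN:
        return False  # produced while the browser was on some other site
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False  # rpIdHash does not match this relying party
    counter = struct.unpack(">I", auth_data[33:37])[0]
    if counter <= stored_counter:
        return False  # counter did not advance: cloned or replayed authenticator state
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def demo() -> Tuple[bool, bool, bool]:
    """Genuine sign-in, assertion made on a different origin, and a replayed assertion."""
    key = Authenticator(CREDENTIAL_KEY, RP_ID)
    challenge = os.urandom(32)
    good = key.get_assertion(browser_client_data(challenge, RP_ORIGIN))
    ok_good = verify_assertion(good, challenge, stored_counter=0)
    other_origin = key.get_assertion(browser_client_data(challenge, "https://other.example.net"))
    ok_other = verify_assertion(other_origin, challenge, stored_counter=1)
    ok_replay = verify_assertion(good, os.urandom(32), stored_counter=1)
    return ok_good, ok_other, ok_replay


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The point the code makes is that nothing the user could type or read out (a one-time code, a password) ever leaves the key; the relying party accepts an assertion only when it carries the exact challenge it issued, for its own origin, from a key registered to its rpId, which is why a FIDO2 assertion cannot be captured on one site and presented on another the way a 6-digit code can.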
Conditional Access Policies
Conditional Access Policies are the brain and decision engine for a passwordless authentication solution. Conditional Access Policies allow admins to define a set of rules that enforce Multi-Factor Authentication, with the assumption that anyone attempting to access your environment must have multifactor authentication (MFA) enabled.
Pro tip: Be deliberate in designing how you want to implement these Conditional Access policies to achieve the right balance between security and employee experience.
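The "decision engine" idea is easier to see with a small evaluator. The following is an added example, not code from the article, from Mobile Mentor or from Microsoft: a toy Conditional Access engine in Python in which each enabled policy whose conditions all match a sign-in contributes a control, the strictest control wins, and a sign-in that already satisfied MFA is not prompted again. The users, groups, apps and locations are constructed sample values; the policy set mirrors the common starting points (MFA for everyone with a break-glass exclusion, blocking legacy clients, restricting a sensitive app to trusted locations and compliant devices).

```python
"""Toy Conditional Access decision engine (added example; not Microsoft's code).

A sign-in is a dict of signals. Every enabled policy whose conditions all match
contributes its control; block beats require_mfa, which beats grant.
All users, groups, apps and locations below are constructed samples.
"""
from typing import Dict, List, Tuple

GRANT, REQUIRE_MFA, BLOCK = "grant", "require_mfa", "block"
STRICTNESS = {GRANT: 0, REQUIRE_MFA: 1, BLOCK: 2}


def policy_applies(policy: Dict, signin: Dict) -> bool:
    """True when every condition on the policy matches and the user is not excluded."""
    cond = policy["conditions"]
    if signin["user"] in cond.get("exclude_users", []):
        return False  # e.g. break-glass accounts kept out of scope deliberately
    if "include_groups" in cond and not set(signin["groups"]) & set(cond["include_groups"]):
        return False
    if "apps" in cond and signin["app"] not in cond["apps"]:
        return False
    if signin["location"] in cond.get("exclude_locations", []):
        return False
    if "legacy_auth" in cond and signin["legacy_auth"] != cond["legacy_auth"]:
        return False
    if "device_compliant" in cond and signin["device_compliant"] != cond["device_compliant"]:
        return False
    return True


def evaluate(policies: List[Dict], signin: Dict) -> Tuple[str, List[str]]:
    """Returns (decision, names of the policies that applied to this sign-in)."""
    decision, applied = GRANT, []
    for policy in policies:
        if policy.get("state", "enabled") != "enabled":
            continue  # disabled / report-only policies never change the outcome
        if policy_applies(policy, signin):
            applied.append(policy["name"])
            if STRICTNESS[policy["control"]] > STRICTNESS[decision]:
                decision = policy["control"]
    if decision == REQUIRE_MFA and signin.get("mfa_satisfied"):
        decision = GRANT  # requirement already met by the factor presented this session
    return decision, applied


POLICIES = [
    {"name": "Require MFA for all users",
     "conditions": {"include_groups": ["All Users"],
                    "exclude_users": ["breakglass@example.com"]},
     "control": REQUIRE_MFA},
    {"name": "Block legacy authentication clients",
     "conditions": {"legacy_auth": True},
     "control": BLOCK},
    {"name": "Block Finance App outside trusted locations",
     "conditions": {"apps": ["Finance App"],
                    "exclude_locations": ["HQ", "Branch office"]},
     "control": BLOCK},
    {"name": "Block Finance App from non-compliant devices",
     "conditions": {"apps": ["Finance App"], "device_compliant": False},
     "control": BLOCK},
]


def sample_signin(**overrides) -> Dict:
    """A constructed baseline sign-in; pass keyword overrides to vary one signal."""
    base = {"user": "alice@example.com", "groups": ["All Users", "Finance"],
            "app": "Finance App", "location": "HQ", "legacy_auth": False,
            "device_compliant": True, "mfa_satisfied": False}
    base.update(overrides)
    return base


if __name__ == "__main__":
    for label, signin in [("baseline", sample_signin()),
                          ("mfa done", sample_signin(mfa_satisfied=True)),
                          ("legacy client", sample_signin(legacy_auth=True)),
                          ("coffee shop", sample_signin(location="Coffee shop")),
                          ("unmanaged laptop", sample_signin(device_compliant=False)),
                          ("break-glass to Mail", sample_signin(user="breakglass@example.com", app="Mail"))]:
        print(f"{label:20} -> {evaluate(POLICIES, signin)}")
```

Running it shows the balance the pro tip is talking about: the baseline user from a compliant device at HQ is asked for MFA once and is then granted access, while a legacy client, an untrusted location or a non-compliant device is blocked outright regardless of MFA. The break-glass exclusion on the MFA policy is the kind of deliberate design decision to document, because it is also the account the block policies must be written around on purpose rather than by accident.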
Is Passwordless Authentication Safe?
Passwordless authentication is more secure than attempting to safeguard resources with passwords. The 5 building blocks protect your digital identity from bad actors and cyber-criminals. They include Biometric Sign-In, Single Sign-On (SSO), Multi-Factor Authentication, Authenticator App or FIDO2 Key, and conditional access policies.
Consider this: 80% of cyber breaches can be traced back to passwords. A major cause is that many people use incredibly weak passwords (The National Cyber Security Centre in the UK found that 15% of the British population used pets’ names, 14% used a family member’s name, and 13% used a notable date).
To make matters worse, the 2022 Endpoint Ecosystem research study found that 31% of people write their work passwords in personal notebooks, 24% on their personal phones, and 21% in documents and spreadsheets, making their passwords very accessible to those who may have malicious intent. The fact of the matter is that passwords have become antiquated, and the management of passwords is cumbersome. Passwordless authentication is a vastly safer and more secure method of authentication.
Why go passwordless now?
A breach caused by compromised credentials cost businesses an average of $4.37 million in 2021. These days, hackers are simply logging into environments by exploiting the weakest passwords available in an organization. With a quick look at someone’s social media profile, a savvy cybercriminal can easily garner information on someone’s birthday, family member names, or even the name of their pet. Combine a couple of these, and they are likely able to figure out a password.
92% of businesses believe that going passwordless is the future of security in their company. Staying ahead of the curve is paramount. Cybercriminals will likely move on if a company has implemented best-practice security precautions that are more sophisticated than their hacking techniques – and passwordless authentication is a surefire way to keep them out now.
Denis founded Mobile Mentor in 2004 with a clear purpose: to empower people to achieve more with their technology. The technology is always changing, but Denis’s purpose is the same, and today most of Denis’s energy goes into helping clients navigate the balance between security and employee experience.
Denis is really passionate about solutions that make an impact in healthcare, education, and government. Since 2017, Denis has lived in the US, working with both public and private healthcare providers.