Passwordless Authentication: The Future of Security and Usability in Digital Transformation.
As enterprises strive to achieve transformative business objectives, stay competitive, and meet user expectations, they are increasingly adopting digital transformation or modernisation. This shift involves migrating from legacy systems to the cloud, creating hybrid environments where consumer markets demand usable, mobile technology and always-on, always-available cloud-based applications. This transition includes customers and various enterprise users, including employees, contractors, vendors, and partners. Ensuring secure access for these users is paramount in this decentralised, identity-centric operational model. The future of authentication requires secure and usable methods to authorise users on both cloud and on-premises systems, leading to a shift toward passwordless authentication.
The Evolution of Authentication: From Passwords to Passwordless.
The concept of the password originated in the mid-1960s at the Massachusetts Institute of Technology (MIT) with the development of the Compatible Time-Sharing System (CTSS). Initially designed as an accounting tool, passwords evolved into a means of authentication. However, as the need for better security grew, multi-factor authentication (MFA) emerged, providing an additional layer of security. Despite these advancements, the inherent weaknesses of passwords have become increasingly apparent. In 2019, the largest known collection of breaches revealed 2.2 billion usernames and passwords, highlighting the vulnerabilities of password-based authentication.
Advances in secondary factors, such as the proliferation of smartphones and the consumerisation of biometrics, have led to the realisation that the password is often the weakest factor in an authentication scheme. This has spurred the industry to replace passwords with more secure, simpler methods.
The Problem with Passwords.
Security Risks: Passwords are exposed to a range of threats, including credential stuffing, phishing, and brute-force attacks. Because of password fatigue, users often choose weak passwords or reuse them across multiple accounts, which makes them easy targets for adversaries. A 2018 study by Virginia Tech found that 52% of users reuse passwords, and stolen credentials are behind over 80% of breaches involving web applications.
User Frustration: Passwords cause significant user friction and frustration. A survey by the International Data Group (IDG) found that 62% of IT security leaders reported extreme user frustration at password lockouts, which hinder productivity and create poor login experiences. The sheer number of cloud services and passwords required has exacerbated this issue, with the average business user managing up to 190 passwords.
Cost and Burden: Managing passwords is costly and burdensome for enterprises. According to Forrester, many large U.S. organisations allocate over $1 million annually for password-related support. Password resets and related issues can lead to significant support costs and lost productivity, with one global enterprise tech company reporting $500,000 in annual costs due to expired passwords.
What is Passwordless Authentication?
Passwordless authentication establishes strong assurance of a user’s identity without relying on passwords, using biometrics, security keys, or mobile devices instead. This approach gives users a frictionless login experience, reduces administrative burden, and improves overall security by removing the vulnerabilities that come with passwords.
Business Benefits of Passwordless Authentication.
Enhanced User Experience: Eliminating passwords reduces login fatigue and frustration, leading to increased productivity. Improved user experience is a significant driver for the adoption of passwordless authentication.
Reduced IT Time and Costs: Passwordless authentication reduces the burden of password-related help desk tickets and resets, freeing up IT resources and reducing costs.
Stronger Security Posture: By eliminating passwords, enterprises can mitigate related security threats, such as phishing, stolen or weak passwords, password reuse, and brute-force attacks.
Passwordless Enables Zero Trust.
Passwordless authentication is a key component of zero-trust security, which secures the workforce by ensuring that only trusted users on trusted devices can access applications and data. This approach aligns with the principles of zero-trust architecture set out by the National Cyber Security Centre (NCSC), which advocates creating a single strong user identity and verifying every connection to a service. Combining passwordless authentication with adaptive policies strengthens security and improves user experience, both crucial steps in establishing a zero-trust architecture.
Path to Passwordless.
To achieve a fully passwordless future, enterprises should take a phased approach:
- Identify Passwordless Use Cases: Select specific use cases where passwordless authentication can be implemented. Rank these use cases by user experience, IT time and costs, and security and compliance risks. Create implementation plans for areas with the biggest impact.
- Streamline and Consolidate Authentication Workflows: Minimise passwords for cloud and on-premises applications by using Single Sign-On (SSO) and integrating authentication workflows with access and authentication proxies. Change password policies to reduce reliance on password complexity.
- Increase Trust in Authentication: Address security concerns by implementing adaptive access policies based on the context of the user’s authentication, such as device trust, location, behaviour, and security posture. This ensures that authentication remains secure and trusted.
- Provide a Passwordless Experience: Move beyond MFA, which combines a password with additional authentication factors, to true passwordless authentication. This means using two or more factors with no password at all, such as a biometric authenticator together with a trusted device. Implement open-standard technologies built on strong public key cryptography so that the password is no longer the primary authentication factor. Choose the passwordless authenticators that suit your environment, whether hardware with built-in biometrics, security keys, or mobile applications.
- Optimise the Passwordless Toolset: Achieve passwordless authentication for all use cases, including legacy tools using older protocols along with cloud-based applications. This iterative approach involves continuously selecting, streamlining, and securing authentication methods. Integrate the technology comprehensively to eventually eliminate the need for passwords entirely. This process requires ongoing improvement and adaptation to ensure all login workflows are secure and seamless.
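The public-key step in the path above, shown as an added example that is not part of this article or of any vendor product: a minimal challenge-response login in Go, the same shape as FIDO2/WebAuthn authentication but greatly simplified. The device holds a private key that never leaves it, the server stores only the public key, every challenge is single-use, and the relying-party id is bound into what gets signed; the relying-party id `login.example.com`, the user `alice` and all function names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Server keeps only enrolled public keys (no passwords), so a breach of this table yields nothing to replay or crack.
type Server struct {
	RPID    string                       // relying-party id bound into every signature
	creds   map[string]ed25519.PublicKey // userID -> enrolled authenticator key
	pending map[string][]byte            // outstanding single-use challenges
}

func NewServer(rpID string) *Server {
	return &Server{rpID, map[string]ed25519.PublicKey{}, map[string][]byte{}}
}

// NewAuthenticatorKey models the key pair generated on the user's device; the private half never leaves it.
func NewAuthenticatorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // error ignored to keep the example short
	return pub, priv
}

func (s *Server) Register(userID string, pub ed25519.PublicKey) { s.creds[userID] = pub }

// Challenge issues a fresh random nonce that Verify consumes on first use.
func (s *Server) Challenge(userID string) []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand; error ignored to keep the example short
	s.pending[userID] = c
	return c
}

// signedData prefixes the challenge with the relying-party id, so a signature made for a look-alike domain fails here.
func signedData(rpID string, challenge []byte) []byte {
	return append([]byte(rpID+"|"), challenge...)
}

// Sign runs on the device; the server only ever sees a signature, never a secret.
func Sign(priv ed25519.PrivateKey, rpID string, challenge []byte) []byte {
	return ed25519.Sign(priv, signedData(rpID, challenge))
}

// Verify checks the signature with the enrolled key and consumes the challenge, so a captured signature cannot be replayed.
func (s *Server) Verify(userID string, sig []byte) bool {
	c, pub := s.pending[userID], s.creds[userID]
	delete(s.pending, userID)
	return c != nil && len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, signedData(s.RPID, c), sig)
}
```

A real deployment adds the adaptive context checks from the previous step (device trust, location, posture) around Verify and stores challenges with an expiry; the example deliberately leaves those out.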
The future of authentication lies in moving beyond passwords to more secure, user-friendly methods. Passwordless authentication not only enhances security but also improves user experience and reduces IT costs. By adopting a phased approach and addressing the challenges of complex IT environments and compliance regulations, enterprises can successfully transition to a passwordless future, achieving their digital transformation goals while ensuring secure access for all users.
Contact Unifi Comms today to learn more about our managed IT security services.