
David Higgins at CyberArk explains how businesses can make the change to passwordless authentication
Passwords are the first barrier against data breaches, but individuals often have bad habits when it comes to choosing or regularly changing their password. In fact, despite all the requirements for making passwords truly secure, research shows that 75% of people globally don’t follow widely accepted best practices, with 64% using a weak password or only changing it slightly when asked to pick a new one.
Overlooking the security implications of a password that fails to meet these standards is a real mistake and gives attackers ample opportunity to infiltrate systems. Once they hold valid password credentials, threat actors can easily elevate their privileges to administrator or superuser level, bypassing an organisation’s identity security.
Data breaches can severely impact a company’s reputation and lead to major financial damage, so companies must make it a priority to improve password hygiene and implement a robust identity security strategy. As such, some organisations have started to adopt multi-factor authentication (MFA) to reduce the risk of attackers stealing credentials and gaining unauthorised access.
With MFA, users can log into applications and access corporate networks and resources only if they provide an additional form of verification, whether that is a code received in their inbox or a code momentarily displayed on their phone.
However, as companies adopt more secure ways of logging into applications, attackers have innovated to find creative ways to bypass MFA protections, including stealing cookies, employing social engineering techniques or performing MFA fatigue attacks. So, while MFA remains more secure than passwords alone, it’s important to remember that there is always some way for attackers to undermine it.
Companies must redouble their efforts to improve identity security. New attacks are an opportunity to go one step further and find a new way to combat the rising threat of data breaches, and, counterintuitive as it may sound, a passwordless approach might be the solution. But how can companies start to make that transition and adopt a fully passwordless environment?
It’s important to keep in mind that, while passwordless technology brings significant benefits, going passwordless can’t be done overnight, and some organisations may never be able to adopt a completely passwordless approach. Removing passwords is a big commitment, particularly for businesses managing thousands of users, countless applications, hybrid and multi-cloud environments and complex login flows. There are simply too many legacy systems deeply entrenched in IT infrastructure that still require passwords.
So it’s about finding the best approach for each company, one that works from both an identity security and a cost point of view. The journey to passwordless authentication is unique to the requirements of every company and the needs of every user. There is no one-size-fits-all approach. And with technology constantly evolving and user adoption increasing, successfully achieving an entirely passwordless environment calls for a phased approach.
While completely eliminating passwords may pose challenges for some businesses, they can still reduce their dependence on them by adopting identity and access management (IAM) solutions that provide passwordless capabilities. When assessing IAM solutions, organisations should prioritise the following capabilities.
1 Zero sign-on (ZSO) uses robust cryptographic standards such as certificates and combines user identities with contextual information such as device fingerprints and security posture. It is the first pillar of a true passwordless solution.
With ZSO, users log in smoothly to their assigned applications and services once their devices have been checked and confirmed to meet security posture requirements; no additional authentication is required from the user. ZSO can be combined with whichever other passwordless authentication factors best suit the business requirements, improving usability while increasing identity security.
2 FIDO2 Web Authentication (WebAuthn) is supported by nearly every identity vendor and plays a pivotal role in enabling passwordless authentication for typical end users. Building on FIDO2, FIDO passkeys offer a new way of achieving passwordless access across multiple devices, using the security capabilities of users’ own devices to further improve the user experience. Passkeys are also highly resistant to phishing, which means they effectively mitigate the MFA attack vectors that depend on human interaction.
3 Remote work: With remote work now a prevailing trend, ensuring secure access for employees who reach the corporate network through a VPN is essential. Adaptive MFA is recommended here: it adds an extra layer of identity security to remote access, protecting the corporate network and on-site apps and resources, while keeping the login experience seamless by continuously evaluating contextual and risk analytics and adjusting the passwordless factors required as needed.
Adaptive MFA is important and effective because it demands additional verification steps from high-risk users or access requests before access is granted, and fewer from low-risk ones.
4 Self-enrolment: To achieve a true passwordless experience, it’s critical to deploy a solution that lets users self-enrol, replace and delete passwordless authenticators under appropriate security controls, with a wide variety of alternative passwordless authentication methods to choose from. For example, if an individual loses their mobile phone, they should be able to replace the passwordless authenticator with one of the other available factors, subject to the appropriate security controls.
Although businesses are increasingly adopting multi-factor authentication (MFA) to reduce the risk of threat actors stealing their passwords, MFA is less of a silver bullet than originally thought. Passwordless authentication appears to be the ultimate solution for preventing unauthorised access to corporate networks: not only does this approach improve identity security and organisational resilience against cyber-threats, it also enhances the user experience.
However, no company can go passwordless from day one. Such an approach requires strategy, planning, discipline and employee awareness. It also requires sufficient support from leadership to make sure all employees are educated on the best practices for implementing passwordless authentication efficiently and securely.
Additionally, collaboration with experienced and trusted vendors is key to a successful organisational adoption of passwordless approaches.
For companies to be able to anticipate and prevent threats, they must make sure the IAM providers they work with have the expertise required to support their security needs.
David Higgins is EMEA Technical Director at CyberArk
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543