Xavier Coemelck at Entrust Datacard describes his vision of a "touchless" future that no longer needs passwords.
Security experts have been talking about ditching passwords for years. As early as 2004, Bill Gates told the RSA Security Conference that passwords “just don’t meet the challenge for anything you really want to secure.”
Change has been slow, but the sudden increase in remote working and the need for offices to become touchless is increasing traction. Here we look at the future of passwordless authentication - using the example of trusted digital identities - and share tips on choosing a solution that fits your needs.
The move away from passwords was beginning to gain momentum pre-pandemic. Gartner reported an increase in clients asking for information on ‘passwordless’ solutions in 2019. Now Gartner predicts that 60% of large and global enterprises, and 90% of midsize enterprises, will put in place passwordless methods by 2022. This is up from 5% in 2018.
The many limitations of passwords are well-documented, but the cost of data breaches may be the reason behind this sharp upswing. Stolen credentials – usually passwords – and phishing are the top two causes of data breaches according to the 2019 Verizon Data Breach Incident Report. Various studies indicate that each breach costs businesses an average of anywhere between £4M to £8M.
As in so many other areas, the pandemic has been a catalyst for change. Newly remote workers using BYOD devices and home networks, sharing devices with other family members, and writing down passwords at home all make breaches more likely. And seasoned home workers represent a risk too. COVID-related phishing attacks have increased 600% in the first quarter of this year.
It also means that enterprises are developing new procedures to mitigate the spread of disease. This includes a thorough examination of any activity that requires workers to touch surfaces. Entering passwords on shared keyboards or touchscreens falls squarely in this area of risk. As does handling cards or key fobs.
Enterprises are expanding their searches from “passwordless” to “passwordless and touchless,” looking to replace physical authenticators. In the quest to go touchless these are items that can be easily eliminated.
The future of passwordless authentication
Biometrics are common alternatives to passwords. But, using fingerprint or facial recognition often only provides a new front-end way to activate passwords. Passwords are still required for authentication after the biometric scan and these live in a central repository vulnerable to hackers. With one successful hack of the central repository, cyber-criminals can swipe thousands of details.
In other words, biometrics on their own are not an improvement in security, only a better user experience. They need to be combined with a different approach that adds another layer of security.
A more secure option is to move away from the centralised credential repository to a decentralised model, for example, one based on trusted digital identities. This is where digital certificates are stored on users’ phones. Think of encrypted digital certificates as virtual passports or ID cards that live on a worker’s device. Because they are stored on many separate phones, you are able to build a highly secure decentralized credential infrastructure.
A solution that uses people’s phones is also compatible with touchless authentication systems. You can replace smart cards and key fobs with a phone-based security model and reduce the number of surfaces and items that people touch.
This is especially beneficial for workplaces where people have to visit different sites, and in healthcare. Replacing smartcards with a phone in a pocket reduces the number of items that clinicians need to take out and use a smartcard between and in different areas, which may have different contamination levels or disease control procedures.
How do trusted digital identities work?
Here’s an example installation. You install a unique digital certificate on each user’s mobile device — this is their personal virtual ID card. Authorised users register themselves on their phones using automated onboarding tools. Workers unlock their mobile devices and access their trusted identity using fingerprint or facial recognition. Once they are authenticated, their device connects to their work computer via Bluetooth and automatically gives them access to the network and their applications with single sign on (SSO). This continues while their phone is in Bluetooth range of their workstation, a distance set by IT. When they leave their desk with their phone, they go out of range and they are automatically logged out of everything.
Five tips on choosing a passwordless solution
More automation means less disruption
Consider how you can predict and eliminate unnecessary changeover disruptions. The task of onboarding large or widely dispersed employee populations can be a serious roadblock for many enterprises. Look for a solution that automates this process as much as possible.
Scalability and your digital roadmap
Will you maintain remote working? Having a high proportion of your team working remotely means that passwordless solutions will become more of a necessity. Are you expecting to grow or to add new cloud apps and broader connectivity with outside ecosystems? If so, you need password authentication that will scale easily.
Encryption needs and regulatory requirements
If your workers are accessing or sharing highly sensitive information or conducting high-value transactions, check that a solution meets all necessary regulatory requirements. The most secure passwordless platforms are from vendors whose solutions are approved for use by government authorities and are FIDO2-compliant.
Common hacker strategies like credential stuffing and exploitation of re-used credentials rely on stealing centralised repositories of password and log-in data. If you decentralise your credentials, then these strategies aren’t viable. Make sure that your passwordless solution goes beyond the front-end, or the initial user log-in and gets rid of your central password repository entirely.
Make it about productivity too
Look for a solution that offers single sign on to streamline login processes and simplify omnichannel workflows. For workers, this means less friction, for the enterprise, it means optimal productivity.
Security improvements, productivity gains and user goodwill all combine to form a compelling case for going passwordless. The additional consideration of mitigating disease transmission and bringing peace of mind to employees only strengthens the passwordless argument. The new end goal is to do more than simply replace the passwords with another authenticator. Ideally, enterprises should aspire to touchless workplace experiences that create a safer, more secure and productive workforce.
Xavier Coemelck is EMEA VP at Entrust Datacard.