Security considerations for passwordless authentication

Image from Pixabay

With Apple, Microsoft and Google introducing passwordless authentication solutions, the end of the password is near for consumers. However, the enterprise world hasn’t followed suit despite credentials being responsible for nearly 50% of cyberattacks.

Many initial passwordless offerings focused on the user experience, but now can enhance security as well. From biometrics to link-based access, there are many network access strategies security leaders can use to protect their network from threats.

Types of passwordless authentication

It’s important to note that “passwordless” is just authentication via other methods and usually involves single sign-on (SSO). This concept can be taken to many levels. Network access can manifest in strategies involving SSO, or it can go completely passwordless through the use of:

Biometrics: Physical traits, such as fingerprint or retina scans, and behavioral traits, such as typing and touch screen dynamics, are used to uniquely identify a person. Even though modern artificial intelligence (AI) has enabled hackers to spoof certain physical traits, behavioral characteristics still remain extremely hard to fake.
Possession factors: This form of authentication is something that a user owns or carries with them. Examples include the code generated by a smartphone authenticator app, one-time passwords (OTPs) received via SMS, or a hardware token.
Magic links: The user enters their email address, and the system sends them an email with a link that grants access to the user.

Once authenticated, SSO is used for everything else, leading to more intelligent and ongoing authentication.

It’s how the technology is layered to produce the user experience and strengthen security that matters. For instance, users can initially authenticate to a laptop using any number of systems to include a username/password, which can then unlock a certificate to provide a passwordless experience to everything else.

Passwordless authentication creates a significant setback for bad actors

Passwordless authentication is harder to crack than traditional passwords, and it’s less prone to most cyberattacks. But, it's not impervious to hacking. The most sophisticated attackers will always find a way.

However, the tech continues to evolve into stronger and stronger authentication. Not only is the authenticator accepting (or rejecting) credentials, it’s evaluating them based on policies. Is the user in the same location they were the last time they authenticated? Are they accessing the same systems? Are they attempting to use an application they’ve not used previously?

Implementing passwordless authentication in your organization

When an organization deems itself a fit for passwordless authentication, security leaders should start the implementation by using a phased approach and identifying the organization’s “front door,” the main barrier keeping hackers out. If the workstation is the front door, then make sure there is some sort of strong authentication there. That doesn’t have to be a password, so it’s important to consider the following:

Pick the authentication mode: The first step is choosing the authentication factor. Some passwordless technologies range from fingerprints and retina scans to magic links and hardware tokens.
How many factors? Use of multiple authentication factors with or without passwordless as reliance on one factor, regardless of how safe it may seem, is not recommended.
Buy required hardware/software: Organizations may have to buy equipment to implement biometric-based passwordless authentication. For other modes, like magic links or mobile OTPs, they may only have to procure software.
Provision users: Once the organization has selected the authentication factor, it’s time to start registering people on the authentication system. This is an imperative step to ensuring only the right individuals have access within a network.

Strong authentication is essential to protect organizational data, people and property. With breaches nearly continuous in the news and most of them targeting authentication, organizations will be forced to look into better ways to authenticate. Since password breaches are common, it makes sense to go passwordless.

Looking forward from here, the industry may be moving to a completely passwordless authentication experience in the future, as long as confidence builds in the authentication mechanisms. That’s the key. Just like it was 10 years ago with cloud offerings, it's going to take time and a proven track record.

Dan Conrad is the AD Security and Management Team Lead at One Identity.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.