A passwordless society – stronger, better and simpler

There has been increasing hype around passwordless authentication, and for good reason.

Organisations still face password problems. The amount of time IT departments spend managing and administering users’ login credentials keeps growing. Moreover, passwords are the single biggest opportunity for unauthorised access to corporate data. Passwords are simply not secure: recent surveys show that 85% of attacks stem from lost or stolen passwords. Added to this, IT departments have to balance user convenience against security to remain compliant.

The pandemic introduced a major shift to remote working, with organisations rushing to meet the new challenges and accelerating their moves to the cloud. Many are looking for ways to equip their workforce for permanent remote working by providing a secure means of logging in to their workstations: ways that are not only frictionless but also boost productivity.

Passwordless authentication is this year's answer in identity management: it ensures that data is accessed only by users who are who they claim to be.

A solution that provides multifactor authentication (MFA) for workstation logins, using the FIDO2 standard as a robust authenticator, meets the high assurance levels required for proving compliance without impacting user convenience.

Three compelling reasons why you should start considering a passwordless solution for your workforce today:

Stronger: More than “something you know”

FIDO2 security keys are phishing-resistant and prevent man-in-the-middle (MitM) attacks. Using a FIDO2 security key as a strong form factor for Windows login adds multiple layers of security: the key's PIN, which unlocks the key itself, and a user-presence check, a tap on the key that confirms a human is using it rather than malware acting on the user's behalf. Other authentication methods remain equally viable.
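To make concrete where the phishing resistance and the presence/PIN layers come from, here is an added example (not code from the article or from any RSA product) of the structural checks a WebAuthn/FIDO2 relying party performs on an assertion before verifying its signature; the domain names, challenge and sample data are constructed.

```python
"""Added example: the structural checks a relying party makes on a FIDO2/WebAuthn
assertion before verifying its signature. Authenticator data layout per the
WebAuthn spec: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes) | ...
The key signs authData || SHA-256(clientDataJSON), so a phishing page cannot
alter the origin or rpIdHash without invalidating the signature."""
import hashlib
import json

FLAG_UP = 0x01  # user present: the key was physically tapped
FLAG_UV = 0x04  # user verified: the key's PIN (or biometric) was entered


def check_assertion(rp_id, allowed_origins, client_data_json, auth_data,
                    require_uv=True):
    """Return (ok, reason). rp_id is the domain the credential was created for;
    on a lookalike domain the browser scopes the request to that domain, so the
    rpIdHash and origin no longer match the genuine relying party."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return False, "not an authentication ceremony"
    if client.get("origin") not in allowed_origins:
        return False, "origin %r is not one of ours" % client.get("origin")
    if len(auth_data) < 37:
        return False, "authenticator data too short"
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash was computed for a different relying party"
    if not flags & FLAG_UP:
        return False, "no user-presence flag: the key was not tapped"
    if require_uv and not flags & FLAG_UV:
        return False, "no user-verification flag: the key PIN was not entered"
    return True, "ok"


def signed_payload(auth_data, client_data_json):
    """The exact bytes the authenticator's signature must cover (final step,
    verified with the credential public key stored at enrolment)."""
    return auth_data + hashlib.sha256(client_data_json).digest()


# Constructed sample data standing in for what a browser and key would produce.
def sample_client_data(origin, challenge="Y29uc3RydWN0ZWQtY2hhbGxlbmdl"):
    return json.dumps({"type": "webauthn.get", "origin": origin,
                       "challenge": challenge}).encode()


def sample_auth_data(rp_id, flags, sign_count=7):
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
            + sign_count.to_bytes(4, "big"))
```

Run against a lookalike origin such as `https://login.examp1e.com`, the assertion fails on both the origin and the rpIdHash check, which is the mechanism behind the phishing resistance described above.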

Better: Designed for seamless experience “anytime anywhere”

Once enrolled for FIDO2 passwordless authentication, users can authenticate whether they are online or offline.

Simpler: The path to P@$$w0rdless need not be complex

The transition from password-laden infrastructure to a passwordless one is a journey and not an overnight switch:

  • Phase in passwordless authentication in stages, perhaps by department, to allow the organisation to adjust.
  • Make certain to configure other multifactor authentication methods that provide secure authentication as fallback options.
  • In addition to supporting FIDO2 in offline mode, give users the option to use an alternative method or to replace a stolen or lost key with a new one.

In today’s world, organisations are being challenged to transform and rapidly evolve in response to increased demand from both their customers and employees. This necessitates having to embrace newer and more agile digital capabilities which themselves carry an additional set of risks.

One of the most consequential risks is related to digital identity due to an expanding attack surface, complex application environments, cloud adoption and growing dynamic user populations. Passwordless authentication helps you manage digital identity risk by protecting critical data and applications from unauthorised access, while providing a convenient user experience for the modern workforce.

As the workforce evolves, modern authentication methods let users authenticate seamlessly.

Identity is your weakest link – as organisations turn on a growing number of on-premises, cloud and mobile applications, their attack surface increases, as does the probability that a single compromised identity leads to a catastrophic data breach.

With most attacks relying on compromised identities somewhere in the chain, identity has become the most consequential threat vector that organisations are facing today. Now more than ever, organisations need a high level of assurance that users are who they say they are.

But to be effective, and to keep their businesses agile, they also need a secure access solution that won’t slow users down but instead provides a common and convenient experience for any application, from any device.

Most midsize to large organisations have hundreds of applications deployed and in use. It’s not just the number that poses a challenge, but the fact that they have a mix of on-premises, cloud and mobile apps—all of which need protected access.

While employees will always be a main concern, organisations have a growing need to provide third-party access. Contractors, partners and customers all need access, for a variety of reasons and scenarios—all with different preferences and requirements. Users need easy and convenient access, while you need the confidence of knowing they are who they say they are.

With a large number of applications to support, and an increasing variety of ways to verify users and measure access risk, organisations need an easy way to pull it all together—a simple way to define their authentication requirements. You’re not going to eliminate passwords overnight, and you may have some systems and applications – both legacy and SaaS – that will continue to require passwords for a time, if only for a small subset of users. Ultimately, though, ending costly large-scale password management, reducing the risk of a credentials-based breach, improving the user experience and other benefits make moving to a passwordless future well worth the initial effort.

Bharat Panchal
The Business Bulletin

Bharat Panchal

After 30 years working in IT, Bharat decided to focus on helping businesses by offering the RSA SecurID® Suite, which uses identity insights, threat intelligence and business context to provide secure access to all their users, across all their applications. His firm is still a traditional IT reseller, offering services and support in all IT matters; what he actually delivers, however, is peace of mind to end users and to management. With Bharat's help, firms don’t need to worry about contravening strict rules on data access and GDPR regulations, or about loss of data due to malicious attacks or plain forgetfulness.