
Has there ever been a better time to ditch the password?

Raise your hand if you hate entering passwords…

Now keep your hand raised if you happen to use the same password for multiple accounts or services. Yes, lots of people do this, and it’s a leading cause of accounts being hacked.

Think about it. If someone can obtain your password for a single service — through a data breach, social engineering or a phishing attack — your identity and personal information could be compromised. This can lead to anything from people spying on you covertly to hackers stealing money from your bank account.

But there are alternatives to manually entering passwords. Major vendors, like RSA SecurID, have banded together via the FIDO Alliance to replace passwords for good.

Passkeys are unique digital keys that are easy to use and more secure: the secret part is never stored on a web server but stays on your device, so hackers can’t steal passkeys in a data breach or trick users into sharing them.

Passwords are key to protecting everything we do online today, from everything we communicate to all of our finances, but they are also one of the biggest attack vectors and security vulnerabilities users face.

Identity authentication uses Touch ID or Face ID for biometric verification and is protected by end-to-end encryption.

Authentication utilises a private key, which is kept secret and stored on your device, and a public key that goes on a web server. Phishing is virtually impossible because you never present the private key; you merely authenticate using your device.
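To make the private/public key split concrete, here is an added example (not code from the article or from RSA or the FIDO Alliance) modelling the exchange the paragraph describes: the device keeps a private key per site, the server stores only the public key, and each login is a fresh random challenge signed by the device. The signed data also includes the site identifier the browser actually observed, which is why a lookalike domain gets nothing it can replay. The struct names, the `bank.example` identifier and the lookalike origin are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's device. It holds one private key per
// relying party (site); those keys are never exported.
type Authenticator struct {
	keys map[string]ed25519.PrivateKey // rpID -> private key
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]ed25519.PrivateKey{}}
}

// Register creates a fresh key pair for rpID and hands back only the public half.
func (a *Authenticator) Register(rpID string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return pub, nil
}

// signedData binds the assertion to both the challenge and the site the
// browser is actually talking to (hash of the rpID, then the challenge).
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// Assert signs the server's challenge. observedOrigin is the site the browser
// sees; a lookalike domain has no credential, so nothing is signed for it.
func (a *Authenticator) Assert(observedOrigin string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[observedOrigin]
	if !ok {
		return nil, errors.New("no credential registered for " + observedOrigin)
	}
	return ed25519.Sign(priv, signedData(observedOrigin, challenge)), nil
}

// RelyingParty models the web server: it stores public keys only.
type RelyingParty struct {
	ID   string
	pubs map[string]ed25519.PublicKey // username -> public key
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubs: map[string]ed25519.PublicKey{}}
}

func (rp *RelyingParty) Enroll(user string, pub ed25519.PublicKey) { rp.pubs[user] = pub }

// NewChallenge returns 32 random bytes; a fresh value per login defeats replay.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// Verify checks the signature against the stored public key, the server's own
// ID and the challenge it issued for this login.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubs[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, signedData(rp.ID, challenge), sig)
}

// Login runs one full exchange: challenge -> device signature -> verification.
func Login(rp *RelyingParty, auth *Authenticator, user, observedOrigin string) (bool, error) {
	challenge, err := rp.NewChallenge()
	if err != nil {
		return false, err
	}
	sig, err := auth.Assert(observedOrigin, challenge)
	if err != nil {
		return false, err
	}
	return rp.Verify(user, challenge, sig), nil
}

func main() {
	rp := NewRelyingParty("bank.example") // constructed relying-party ID
	auth := NewAuthenticator()
	pub, _ := auth.Register(rp.ID)
	rp.Enroll("alice", pub)

	ok, err := Login(rp, auth, "alice", "bank.example")
	fmt.Println("genuine site:", ok, err)
	ok, err = Login(rp, auth, "alice", "bank-example.test") // constructed lookalike origin
	fmt.Println("lookalike site:", ok, err)
}
```

The two properties worth noting are that the server never holds anything a breach could turn into a login (only public keys), and that a captured assertion is useless elsewhere because it is tied to one challenge and one site identifier.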

Face ID and Touch ID verification are examples of the convenience that biometrics bring.

So, despite all the previous hype around killing the password for good, this time it could be happening for real.

This isn’t a distant dream of replacing passwords; it is about replacing them completely, and it’s starting now.

Passwordless Authentication: The time is now, and help is here

Hard-to-remember, easy-to-breach passwords have always posed a security problem for organisations. But the problem has become much more critical now, with growing numbers of people accessing applications and data from far beyond traditional security perimeters. To successfully secure applications and data in the digital world, organisations need secure access that doesn’t rely on passwords. But how do you go from a passwords-for-everything approach to a passwordless future? By taking it one step at a time, on a path paved by these best practices:

Take a gradual approach that’s easy on users

Passwords may be a pain to deal with, but people have become comfortable with them over time. Moving away from passwords gradually will make it easier for users to transition successfully to a new way of authenticating. Begin by adopting modern authentication methods – biometrics, FIDO, OTP, etc. – in conjunction with, rather than in place of, passwords. It’s a less disruptive approach that helps ensure users stay productive as they adapt to the change.

Make authenticating both secure and convenient

The point of moving beyond passwords is improving your security posture, of course – but it’s important to do so without sacrificing convenience for users in the process. A key part of achieving this balance is implementing risk intelligence to determine how and when step-up authentication is needed. This can be a gradual process that moves from static policies to conditional access to dynamic, real-time risk-scoring.

Apply strong authentication at weak points

The risk of compromised credentials is highest at the weakest points in the credential lifecycle, including enrolment, password reset and emergency access. In the transition to passwordless authentication, make these the first points protected by biometrics, FIDO devices and other strong authentication methods that don’t rely on traditional passwords.

Keep your eyes on the prize

You’re not going to eliminate passwords overnight, and you may have some systems and applications – both legacy and SaaS – that will continue to require passwords for a time, if only for a small subset of users. Ultimately, though, ending costly large-scale password management, reducing the risk of a credentials-based breach, improving the user experience and other benefits make moving to a passwordless future well worth the initial effort.
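The two practices above, risk-driven step-up and strong authentication at the weak points of the credential lifecycle, can be combined in one access decision. The following is an added example (not code from the article or from any RSA product) of such a policy: the lifecycle stages the text names always require a non-password method, and ordinary logins are scored on signals such as an unknown device or a new location. The field names, the score weights and the thresholds are all assumptions chosen for illustration.

```go
package main

import "fmt"

// AccessContext is what the server knows about one access attempt
// (constructed fields; a real deployment would have many more signals).
type AccessContext struct {
	User           string
	Operation      string // "login", "enrol", "password-reset", "emergency-access"
	KnownDevice    bool   // device previously seen for this user
	NewLocation    bool   // location differs from the user's recent history
	FailedAttempts int    // recent failed attempts for this user
}

type Decision string

const (
	Allow  Decision = "allow"
	StepUp Decision = "step-up" // require FIDO/biometric, never a password
	Deny   Decision = "deny"
)

// weakPoints are the lifecycle stages the article names as highest risk.
// This is the static layer of the policy: they always get strong authentication.
var weakPoints = map[string]bool{
	"enrol":            true,
	"password-reset":   true,
	"emergency-access": true,
}

// RiskScore is the dynamic layer: an additive score over runtime signals.
// Weights are assumed for illustration.
func RiskScore(c AccessContext) int {
	score := 0
	if !c.KnownDevice {
		score += 40
	}
	if c.NewLocation {
		score += 30
	}
	score += 10 * c.FailedAttempts
	return score
}

// Decide applies the static rule first, then the risk threshold.
func Decide(c AccessContext) Decision {
	if weakPoints[c.Operation] {
		return StepUp
	}
	switch score := RiskScore(c); {
	case score >= 80:
		return Deny
	case score >= 40:
		return StepUp
	default:
		return Allow
	}
}

func main() {
	// Constructed attempts: a routine login, a login from an unknown device,
	// and a password reset from a trusted device.
	attempts := []AccessContext{
		{User: "alice", Operation: "login", KnownDevice: true},
		{User: "alice", Operation: "login", KnownDevice: false, NewLocation: true},
		{User: "alice", Operation: "password-reset", KnownDevice: true},
	}
	for _, a := range attempts {
		fmt.Printf("%-15s known=%-5v newloc=%-5v score=%3d -> %s\n",
			a.Operation, a.KnownDevice, a.NewLocation, RiskScore(a), Decide(a))
	}
}
```

Keeping the weak-point rule separate from the score means a password reset is never downgraded to "allow" just because the device and location look familiar, which is exactly the case an attacker with a stolen session would try to exploit.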

Historically, organisations offered remote work options as a way to attract and retain top talent.

Equally, it was an opportunity to act as a competitive differentiator and enable agility.

But, as remote operations become the norm, companies can employ exactly the right person for the job. Where your staff live in relation to your offices is no longer relevant; the world has opened up.

However, remote work options can bring their own issues. For instance, it is critical that organisations have the right level of threat visibility and response in place to support workers.

Amid all of this change, business continuity remains imperative. Therefore, organisations need to ensure they stay ahead of threats to minimise any impact on their business.

As technology has evolved, we now live in a time of immediacy, urgency and high expectations.

As a result, everything needs to be speedy and efficient: from grabbing a take-away coffee to business solutions.

For example, employees staying connected and productive anywhere in the world is no longer just considered a benefit, but a real necessity.

This is particularly relevant in the current climate. Whilst COVID-19 has forced us further into a remote working world, the ease with which we’ve all adapted is remarkable.

Further, the benefits in convenience and in reduced environmental impact rest on our overwhelming reliance on technology. However, this remarkable transition is not without its fair share of added challenges.

With help, firms don’t need to worry about contravening strict rules on data access and GDPR regulations. Nor do they need to worry about loss of data due to malicious attacks or plain forgetfulness.

Organisations are turning to cloud and mobile applications. As a result, their risk of being attacked is increasing, leaving their systems exposed.

In addition, there’s a probability that a single compromised identity can lead to a catastrophic data breach. With most attacks relying on compromised identities somewhere in the chain, identity has become the most consequential threat vector.

Now, more than ever, organisations need a high level of assurance that users are who they say they are.

Therefore, to be effective, and to ensure their businesses stay agile, they need a secure access solution without the need for passwords.

The whole package must be user-friendly: it must neither slow users down nor be too complex.

It must provide them with a common and convenient experience, to any application, from any device.

Bharat Panchal
The Business Bulletin


Bharat Panchal

After 30 years working in IT, Bharat decided to focus on helping businesses by offering the RSA SecurID® Suite, which uses identity insights, threat intelligence and business context to provide secure access to all their users, across all their applications. His firm is still a traditional IT reseller, offering services and support in all IT matters; what he actually delivers, however, is peace of mind to end users and to management. With Bharat’s help, firms don’t need to worry about contravening strict rules on data access and GDPR regulations, or about loss of data due to malicious attacks or plain forgetfulness.
