It’s finally time to go passwordless | SC Media

It’s finally time to go passwordless

September 28, 2020
High-profile account takeover cases like the one at Marriott are viewed as a driver to move organizations toward passwordless authentication. Today’s columnist, Jasson Casey of Beyond Identity, updates readers on the industry’s progress. (Photo by Eduardo MunozAlvarez/VIEWpress/Corbis via Getty Images)
  • Risk reduction. Eliminating account takeover has become the main argument for passwordless authentication. According to the 2020 Verizon Data Breach Investigations Report, 80 percent of breaches use stolen credentials, either through database leaks or phishing attacks. When user identities are no longer tied to a shared secret like a password, the risk of account compromise reduces to essentially null. In a symmetric system, both the user and the system store a password, creating two points of vulnerability that are equally valuable to an attacker. In an asymmetric system, the private key stored by the individual is used to sign, while the public key stored by the system is used to verify signatures. An attacker who compromises the system gains nothing usable, since the public key on its own can only verify items signed with the private key; it cannot produce them.
  • Ease of use. Many new products attempt to solve the risk issue by adding more authentication methods on top of the password, such as one-time codes or mobile push notifications. However, these approaches reduce user convenience. Multi-factor authentication may reduce the risk of account takeover, but it also impedes ease of use. Requiring frequent password resets does little in the way of security, and, according to Gartner, accounts for 20 percent to 50 percent of IT help desk calls. A more complex login process only exacerbates the strain on the user, whereas a passwordless login eases it.
  • Proliferation of Trusted Platform Module/secure enclaves in hardware devices. When introduced in the late 2010s, they offered a safe place to generate and store private keys that can be used in the passwordless authentication process.
  • Prevalence of device biometrics. In the event of device theft, the inclusion of biometric authentication on all modern devices makes it nearly impossible for anyone but the owner to access the contents of the device.
  • Emergence of FIDO. The FIDO Authentication framework enables widespread adoption of PKI-based authentication across web applications.
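The asymmetric scheme described in the first bullet, as an added illustration that is not part of the original column: the device holds the private key and signs a fresh server challenge, the server stores only the public key, so a dump of the server's credential store cannot be replayed into a login. The function names, the 32-byte challenge and the use of Ed25519 from Go's standard library are assumptions for this example; real deployments keep the private key in a TPM or secure enclave.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Enroll runs once per device: a key pair is generated and only the public
// key is sent to the server for storage. In production the private key would
// be generated inside the TPM/secure enclave and never leave it.
func Enroll() (serverStored ed25519.PublicKey, deviceHeld ed25519.PrivateKey, err error) {
	return ed25519.GenerateKey(rand.Reader)
}

// NewChallenge is the server's fresh random nonce for one login attempt.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// SignChallenge is the device side: it proves possession of the private key
// without ever transmitting a secret.
func SignChallenge(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// Authenticate is the server side: the stored public key can only verify,
// so a copy of the server's credential store cannot be turned into a login.
func Authenticate(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, challenge, sig)
}

func main() {
	pub, priv, _ := Enroll()
	ch, _ := NewChallenge()
	sig := SignChallenge(priv, ch)
	fmt.Println("legitimate login:", Authenticate(pub, ch, sig))

	// Replay: a captured signature against a new challenge is rejected.
	ch2, _ := NewChallenge()
	fmt.Println("replayed signature:", Authenticate(pub, ch2, sig))

	// Attacker holding only the leaked public key signs with their own key.
	_, attackerPriv, _ := Enroll()
	fmt.Println("attacker-signed:", Authenticate(pub, ch2, SignChallenge(attackerPriv, ch2)))
}
```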