Security Staff Acquisition & Development

Chart a course to the passwordless future on World Password Day

Today’s columnist, Don Shin of Secret Double Octopus, writes that while some purists want to eliminate all passwords, offload password management to the admins via Passwordless MFA may be more practical.

It’s World Password Day, do the company’s users still rely on passwords? Has the security team replaced them? Passwords are no longer considered a secure way to log in, so what does the company plan to do about it?

The Identity Theft Resource Center (ITRC) found that a whopping 51 million people had their data compromised in Q1 2021. This statistic and other important findings from the ITRC’s Q1 2021 Data Breach Report point to the continued focus on credential theft among cybercriminals. Further, with much of the workforce still at home, many security experts warn that cyberattacks will continue to rise and that more than 80% of breaches are caused by insecure or compromised passwords. While passwords inherently introduce risk into the organization, there are easier and more effective ways the team can protect its crown jewels.

Here are some best practices to consider when giving users a more efficient and secure way to login:

  • Beware of shared secrets.

Does the organization use a shared secret to authenticate users? Shared secrets, or information known by both the server and client to authorize the user, are often almost anything from passwords, to a one-time code, to a series of personal security questions. If the company’s multi-factor authentication (MFA) uses multiple insecure factors based on shared secrets, then it’s leaving the attack surface wide open to hackers. If the company attempts to protect them with a second factor, this other factor or replacement should not also be a shared secret. Any additional factors used should only get stored locally in a secure enclave to decrease the likelihood of being compromised or breached. Further, with traditional MFA’s security flaws, make the factors as secure as possible to protect the organization.

  • Keep productivity top of mind.

When adding security to the login process, it’s imperative to make sure it doesn’t inhibit user productivity. With traditional 2FA/MFA, users often have to hunt down a second device, whether it’s a cell phone or a hardware key, and retrieve a code from a text, email, or authenticator app that displays for only a few seconds. Then they have to move quickly to type the code in or respond to the push notification before it expires. Additionally, it’s challenging and sometimes impossible to implement the same kind of MFA across apps universally, increasing the difficulty in user training and widespread adoption. If the organization still requires these manual efforts, consider it may slow down user productivity, making logging in securely a burden for users. It’s also important to ensure that any authentication method doesn’t add friction to the user experience and to time- and cost-saving measures, especially as traditional MFA often comes at a high cost to efficiency.

  • Make it secure, but make it easy.

In addition to decreasing user productivity, if the company makes its security processes too complex, users will overtly work around them. By having a login process that requires longer, stronger passwords, users end up storing their information in a shared document or a sticky note. Rather than improving security, adding complexity and user friction will often increase risk, leaving the organization more susceptible to a cyberattack. Make the secure authentication method easy, so that users don’t circumvent security and inadvertently put the organization at risk.

  • Eliminate passwords.

With all these potential difficulties considered, eliminating passwords altogether can help the company keep all its applications and resources safe and secure and make the users happy. There are solutions today that can accomplish this. Unlike traditional MFA that’s subject to phishing and other attacks, replacing passwords with a solution that uses only secure factors, like biometrics, or factors based on asymmetric cryptography (X.509 certificates) offers far greater security. Asymmetric crypto uses two different keys, a public key that users can share with anyone, such as the authentication service, and a private key that remains securely stored on the endpoint. Users can validate a certificate signed with the private key with the public key for authentication purposes. These fundamentally strong authentication methods prevent hackers from attacking in the first place, and assist organizations of all industries and sizes in reducing risk by eliminating all password-based attacks.

While it may seem like a daunting task, there are many existing solutions for going passwordless. The best products offer users a frictionless, secure login experience. It all starts by finally accepting that the existing system based on passwords must change.

Jasson Casey, chief technology officer, Beyond Identity

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.