Nobody likes passwords - they take precious time, money, and resources to manage. Yet, as annoying as passwords can be to manage from a user perspective, they are essential in securing your data. They are the most used first line of defense against any unauthorized access to your accounts and personal information.
When it comes to managing passwords, according to the Ponemon Institute, 53 per cent rely on their memory. The plethora of devices, apps and accounts the average consumer has access to means remembering all their passwords becomes less and less realistic. This promotes habits like password reuse and recycling, further fueling the potential security risks.
While password managers can help, to strip out the complexity of how to manage passwords ourselves while saving IT managers a lot of money and time, we simply need to reduce reliance on passwords. Enter passwordless authentication.
Simply put, passwordless authentication provides an alternative form of authentication to enable secure user access. The benefits of this range from stronger security, and better user experience to a reduced total cost of ownership (TCO) for IT managers.
Still need one
A passwordless experience is not necessarily about being without passwords. For example, mobile push authentication provides a passwordless experience to the user, but still relies on an underlying password for initial access.
The same goes for another method of passwordless authentication, called FIDO (Fast Identity Online) Authentication. While FIDO authentication provides a more secure passwordless experience than mobile push, it still relies on a password for initial registration and the password continues to exist post key generation. As well, FIDO keys work on the basis of possession, so if I have someone else’s FIDO token/key, then I can assume that person’s identity.
Go for FIDO
While mobile push and FIDO authentication have a plethora of benefits to the user, a third method really does remove the password altogether. Truly passwordless Credential-based authentication works by removing the physical password and replacing it with a digital certificate.
The certificate is provisioned onto the worker’s mobile device, transforming it into their trusted digital identity. When the phone is unlocked via the user’s biometrics (i.e., fingerprint or facial recognition) and in close proximity to their workstation, they are automatically logged into the workstation and able to access all of their applications without having to re-authenticate themselves.
But what happens when the user walks away from their device? They are automatically signed out of any apps they were using and logged out of their workstation. Plus, with a PKI-credential-based solution not only can the identity of the user be validated by a public Certificate Authority (CA), but users are also able to send signed and encrypted emails, digitally sign documents, and encrypt files.
As organizations in the Middle East continue to digitally transform, especially in light of the trend of remote working, it will become increasingly difficult to maintain a standard use of passwords. Passwordless authentication can help ease the friction, as well as reduce a lot of administrative overhead, both for IT departments and end-users.
The questions I will leave all businesses are: Are you avoiding reusing passwords across accounts? Are you using two-factor authentication? Is your password list protected? Are you considering passwordless authentication?
If you can answer these questions with a ‘yes’, your security posture will be enhanced substantially.
