Imagine a world with no more passwords. No more prompts to enter a username and password before gaining access to a website, service, or workstation. You’ll no longer be inconvenienced by an expired or forgotten password that you must change. Sound far off or like an outlandish concept? It’s probably not as far off as you might think and certainly not outlandish, since you are probably already using this technology today without realizing it. While the last few blog posts have focused on ways to make authentication more secure by adding MFA or utilizing password managers, we will now turn our attention towards the future of authentication.
The discussion about the retirement of passwords has been ongoing for a few years now. As threat actors have evolved over time, passwords have become more of a pain point. Users had to increase the complexity of their passwords, start using different passwords for different logins, and then were told that length outweighs complexity when choosing passwords. On top of the general hassle with passwords, additional products, like MFA and password managers, have been added to address some of the shortcomings of passwords.
How Does This Work?
If we stop using passwords, how do we authenticate going forward? The replacements for passwords become something you are or something you have. Many of the current forms of passwordless authentication share commonalities with MFA solutions with which you may already be familiar. Depending upon how you implement MFA, your organization may deploy key fobs (something you have) that provide an OTP code to be entered as a second factor of authentication. In a passwordless authentication scenario, the key fob itself could be used to grant you access without the need to input credentials.
Some advantages of passwordless authentication include:
- Improved user experience – With a streamlined approach to authentication, users won’t have to struggle with password resets, password managers or some of the other headaches that come with passwords.
- Improved security – This will eliminate many of the current password-based attacks that plague organizations today.
- Improved productivity – Users have a higher likelihood of staying on task when they don’t have to be concerned with password resets.
Current Examples and the Future
As mentioned at the beginning of this post, you may already be using passwordless authentication without realizing it. This is true if you own a vehicle that unlocks when you approach with the key fob and touch the door handle. Other examples are mobile phones or laptops that allow access via facial or fingerprint recognition.
Over the past couple of years, some vendors and leaders in the IAM (Identity & Access Management) space have made strides towards a future without passwords. Although these solutions exist, the progress isn’t far enough to warrant a wholesale adoption of passwordless authentication.
You may also ask, “Do I still need MFA with passwordless authentication?” The answer is yes. Since much of security is about layers of protection, it’s important to maintain those layers. Let’s take the example of a key fob that is used for passwordless authentication. That key fob has the potential of being stolen, and if it were the only means of authentication, the threat actor would be able to use said key fob to obtain access. If, on the other hand, the key fob is paired with thumbprint recognition, the threat actor’s act of stealing the fob would be undermined by the thumbprint authentication component.
VENYU is Here
As always, if you have additional questions or would like someone to discuss passwordless authentication in more depth with you, please open a support case using the customer portal at https://portal.myvenyu.com