This way most of us do feel safe, although we would like to get rid of all those passwords. Nevertheless, we should not have any illusions about the security of passwords.
The well-known annual security survey by the American telecommunications company Verizon shows that more than 80 percent of security incidents worldwide are the result of misuse of user login details. This data may be stolen, or criminals use brute force techniques to crack passwords. Wouldn’t it be ideal if you could log in securely without a password? Passwordless may very well be the solution.
Passwordless is the new buzzword in the security industry and numerous definitions are already circulating. At Traxion we use the following definition: “Passwordless Authentication is the authentication of an end user without having to use a password. Whether that is a traditional password, a PIN or a One Time Password (OTP).”
You could also consider other forms of authentication, such as a security questions and captcha, a password. With both, you also have to authenticate with something that you personally know, or you as a person, can know. You could argue that everything you know is in a sense a password.
Passwordless is on the rise. Big names such as Google, Microsoft, Apple, Amazon and Samsung have been working on this for a while and are investing millions in this. They invest in passwordless because they see it as the answer to the increasing demand for user-friendliness and security at organizations. This need exists in every type of company, but especially in organizations that attach great value to an optimal user experience, but that cannot afford a data breach and therefore need to have their security in order. In addition, this need is also fueled by the movement towards cloud-based applications that are available from any device with internet access.
From a security perspective, a passwordless solution is obviously advantageous. Think about it: without passwords, for example, most brute force methods, phishing attacks, keyloggers, password spraying, credential stuffing methods and man-in-the-middle attacks are no longer relevant.
If you are considering a passwordless approach as an organization, there are various options, including a push message to a mobile device (with the question whether the user wants to log in), biometrics (fingerprint or facial recognition), a managed device that connects exclusively to the company network and software or hardware tokens. The choice for one or more of these options is determined on the one hand by the needs and requirements set by the business. On the other hand, this depends on the possibilities within the security landscape of the organization.
In addition to advantages, there is also a downside. For example, it may well be that your existing IAM systems do not support passwordless. If you want to use this form of authentication, an investment will be needed in an environment that does support this. Furthermore, a choice for biometrics may pose problems in the area of the new European privacy legislation. This data falls under personal data and the management of this must comply with strict regulations according to the GDPR.
Furthermore, it is clear that cyber criminals will not sit still and will look for possible weaknesses of passwordless or for the next weakest link, for example user enrollment. Users will also have to get used to this new way of authenticating. Username and password are part of our everyday life in such a way that another way of authentication is not simply embraced.
In addition, we see that forms of passwordless authentication use a backup authentication method based on a password, which negates the security benefits of passwordless. A nice solution for when your face is suddenly not recognizable with facial id, but for attackers easy access after they have managed to get hold of the backup password.
Also, compared to the traditional password, passwordless is more expensive in terms of implementation and possibly also in use.
Despite these sidenotes, we believe that passwordless bridges the gap between user-friendliness and security. It offers an organization the opportunity to really do something about the weakest link in its security: human password management. Ultimately, users will also be happy if they no longer have to keep up with long lists of accounts and passwords but can log in from anywhere in an easier way.