The role of interoperability on the road to passwordless


Passwords have become the default security method for protecting accounts of every type, from social media to the most highly classified and confidential digital information.

About the author

Nic Sarginson, principal solutions engineer at Yubico.

Although better than having no protection at all, passwords have proven susceptible to today's most common cyberattacks, and are prone to credential-stealing attacks such as phishing, password spraying, and man-in-the-middle (MitM) attacks. They are the least effective method of securing online data, and they no longer live up to the task they were originally set out to accomplish. Their wide-scale use is quickly proving to be an outdated practice.

As businesses continue to move away from traditional usernames and passwords, they are faced with several alternatives. Whether they choose multi-factor authentication (MFA) options, hardware security keys, or FIDO protocols, interoperability between all of these systems is vital. That interoperability is what makes reducing the global reliance on passwords achievable.

Steering towards passwordless authentication 

More and more organizations are moving towards passwordless authentication, whereby accounts are secured with alternatives to the traditional username and password combination. Organizations looking to steer their cybersecurity in this direction should strongly consider integrating MFA or strong two-factor authentication (2FA) solutions into their overall cybersecurity strategy. Both MFA and 2FA require a user to present two or more forms of identity verification as an added layer of security before access is permitted.

What FIDO is and why it matters 

FIDO is a set of authentication protocols specifically aimed at providing secure authentication, protecting users’ privacy, and reinforcing existing password-based login processes. FIDO2 reflects the newest set of digital authentication standards and is a key element in addressing issues surrounding traditional authentication and eliminating the global use of passwords. 

It allows users to easily authenticate via devices with built-in security tools – like fingerprint readers, smartphone cameras, or hardware-based security keys – to access their digital information. More and more corporations are now opting for MFA solutions and FIDO2 protocols, which are supported by global organizations, OS platforms, and browsers, including Apple, Salesforce, Twitter, Google, and Microsoft, as well as the US Government.
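As an added illustration (not code from the article or from Yubico), the following Python sketch shows the relying-party checks that give FIDO2 its resistance to the phishing and MitM attacks listed above: the browser reports the origin the user actually visited, and the authenticator hashes the relying-party ID, so a response produced on a lookalike site does not verify for the real service. The relying-party ID, origin and challenge are constructed values, and signature verification is assumed to be handled by a separate library.

```python
import base64
import hashlib
import json

# Relying-party settings assumed for this example (constructed, not from the article).
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"
CHALLENGE = hashlib.sha256(b"constructed demo challenge").digest()  # normally random per login


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    expected_challenge: bytes) -> tuple:
    """Relying-party checks on a FIDO2/WebAuthn assertion before the signature
    is verified. Verifying the signature over authenticator_data plus
    SHA-256(client_data_json) with the key registered for this RP is assumed to
    be done separately with a crypto library; it is what binds these fields."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed response)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        # The browser fills in the origin the user is actually on, so a
        # lookalike site produces an assertion this relying party rejects.
        return False, "origin %r is not %r" % (cd.get("origin"), EXPECTED_ORIGIN)
    if len(authenticator_data) < 37:
        return False, "authenticator data too short"
    rp_id_hash, flags = authenticator_data[:32], authenticator_data[32]
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not flags & 0x01:  # bit 0 = user presence (UP)
        return False, "user presence not confirmed"
    return True, "ok"


def make_sample(origin: str, rp_id: str, challenge: bytes) -> tuple:
    """Construct the two fields a browser would return for a login at `origin`."""
    cd = json.dumps({"type": "webauthn.get",
                     "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
                     "origin": origin}).encode()
    # authenticatorData = rpIdHash (32) || flags (1, UP|UV) || signCount (4)
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (0).to_bytes(4, "big")
    return cd, auth


if __name__ == "__main__":
    print(check_assertion(*make_sample("https://example.com", "example.com", CHALLENGE), CHALLENGE))
    print(check_assertion(*make_sample("https://examp1e.com", "examp1e.com", CHALLENGE), CHALLENGE))
```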

How to go passwordless 

Implementing any passwordless solution is not always a straightforward transition, as not all solutions are created equal. There is no one-size-fits-all approach for organizations looking to fill security gaps and meet regulatory requirements. It should be a well-thought-out process that addresses both security and users' needs throughout the organization. In general, there are several vital steps organizations can follow to enhance their security via passwordless authentication.

The first of these is to determine a preferred solution based on the unique needs of the organization, as this will differ from company to company. It is therefore important to start by assessing the current technical environment to determine the most compatible solution. Those with a cloud-first environment can expect implementing FIDO2 passwordless to be a much easier process than those without, for example, whereas those with an on-premises Active Directory environment may find smart card passwordless implementation to be a better option.

At this stage, it is generally advisable to seek advice from a professional services expert to understand how the process will play out and whether the preferred solution is in fact the best choice for the organization. Speaking to specialist advisers will ensure that there are no nasty surprises. Once the plan has been ironed out, it is time to establish a proof of concept (POC) with a small user group.

Understand your users 

When it comes to establishing a POC, the first thing to do is to create an environment that shows the end-to-end connectivity between the existing systems and the current authentication technology among key users or user groups. Next, it must be proven at this earliest phase that the intended passwordless solution works with the relevant use cases, users, and essential systems. This must then be tested against the defined success criteria.

Next, it is time to move on to larger groups and ensure that the chosen strategy will accommodate user workflows. To ensure this, organizations must gain a detailed understanding of the needs, behaviors, devices, and access points of their users. For example, organizations with a large remote workforce based around more traditional infrastructure and corporate devices may find smart card passwordless most suitable, whereas organizations looking to be more cloud-first, with a bring-your-own-device (BYOD) or mixed device environment, may find that FIDO2 maximizes the portability of their solution.

Interoperability is the key to all stages of the passwordless journey, so it is vital that organizations determine how the chosen passwordless strategy fits into, and works with, existing processes. Taking the time to carry out the above steps should ensure that there are no major surprises. However, organizations must test their chosen strategy before launching it. Removing any potential problems and giving users plenty of time to trial the new process, and to ask any questions they may have, will make the launch much more successful. This is also an important step in making sure that all employees know what is required of them and feel that they are part of the process, rather than having the process thrust upon them.

Finally, following the deployment of the solution, organizations must regularly refer to their predetermined success metrics to gauge how successful the passwordless solution has been. These metrics can include an assessment of the financial impact, a review of the number of IT requests related to the new passwordless solution, the increase in authentications through the passwordless solution across the organization, or an overview of how users are receiving the solution.

The road to passwordless is not always smooth, and certainly does not have only one correct route. However, organizations can make the journey easier for themselves by making sure to factor their users in at every stage, and by focusing on interoperability. Passwordless solutions should make life easier and more secure for all users.
