A Passwordless Future is Getting Closer and Closer

May 22, 2022 / Kron

A significant portion of the security weaknesses that open the door to cyber attacks are caused by weak, reused or stolen passwords. More than 80% of the data breaches that occur today involve misused or compromised passwords. Companies are estimated to spend more than $1 million a year on password resets. According to the Passwords and Efficiency 2021 survey conducted by a technology company in the USA, 60% of the office workers surveyed say that difficulties with the passwords they use slow down their work and reduce their productivity.

Considering these challenges and the danger of being hacked, passwordless authentication methods eliminate the need for end users to create, store or remember passwords. By taking the password out of the login altogether, passwordless authentication removes the credential that is most often leaked, guessed or phished, reduces costs, and protects user data and the company's cloud environment. Passwords that are likely to be forgotten or captured are replaced by stronger authentication factors such as biometrics or a PIN. Note that in FIDO2 the PIN or biometric only unlocks a private key held on the user's device; it is verified locally and is never sent to the server, which is what distinguishes it from a password.

Apple, Google and Microsoft Aim to Remove Passwords

Apple, Google and Microsoft, the world's technology giants, have joined forces on a joint plan to standardize passwordless authentication, and therefore passwordless login.

Apple, Google and Microsoft are getting ready to implement the passwordless standards of the FIDO Alliance (Fast Identity Online Alliance), an industry consortium formed to develop new authentication technologies, on Android, Chrome, iOS, macOS, Safari, Windows and Edge. In the near future you will no longer need passwords for applications, devices and websites; they will be replaced by cryptographic key pairs bound to the user's devices. Because the private half of such a key pair never leaves the device and the server stores only the public half, a credential created under the FIDO standards that Apple, Google and Microsoft collaborated on cannot be captured from a breached server or by a phishing page the way a password can.

Microsoft's FIDO2-based authentication options are considered more secure, faster and easier to use than existing password or multi-factor authentication methods. Apple, a favourite of technology enthusiasts for its intuitive and capable devices, emphasizes that it supports a transparent and secure user experience that offers better protection and eliminates password vulnerabilities.

These standards are already supported on some Apple, Google and Microsoft devices, but with the current method a FIDO credential is bound to the single device on which it was created, so every device has to be registered separately. Once the new passwordless scheme is fully implemented, one registration is expected to be enough to sign in from several of the user's devices.

So What's This Passwordless Authentication?

Passwordless authentication is an authentication method that lets a user access an application or cloud environment without entering a password or answering security questions. Users do not need to create, store or remember passwords; they access a system with a single touch, a glance, or a code produced by a hardware token. Passwordless authentication built on standards such as FIDO2 and the Web Authentication API (WebAuthn) is making its way onto different platforms.

Passwordless authentication speeds up access to applications and other services, while increasing security and drastically reducing IT support costs, and is used in conjunction with solutions such as Multi-Factor Authentication (MFA) to strengthen cybersecurity measures.

The impact of digitalization on the development of today's business world is undeniable. Almost every application, and applications are more involved in business processes than ever before, is accessed through a password chosen by the user specifically for that application. As the number of applications grows, so does the number of passwords to memorize, and these passwords usually have to be changed frequently as well. To keep things easy and fast, and simply to avoid forgetting, users fall back on similar, identical or weak passwords across all their applications. This choice has consequences: attackers harvest such passwords through phishing or malware, or guess them outright, and many ransomware incidents begin with nothing more than a stolen or guessed password.

Relying on a simple username and password combination as the authentication method leaves the system exposed to cyber attacks. Attackers obtain credentials and use them to take over accounts through methods such as:

  • using credentials leaked from a breach of a different service (credential stuffing), which succeeds whenever the user reused the password
  • guessing username/password combinations, either by brute force or with tools that try commonly used weak passwords (dictionary attacks and password spraying)
  • intercepting communication flows to capture credentials in transit (man-in-the-middle attacks)
  • phishing with fake e-mails or text messages that trick the victim into entering or replying with their credentials
  • installing malware on the computer that records the user's keystrokes (keystroke logging or keylogging)

Passwordless Authentication Reduces Cyber Risks

Passwordless authentication eliminates risky password management and takes cybersecurity to the next level, and it gives users time back and improves their productivity by removing password creation, memorization and frequent rotation. It can use proximity cards, FIDO2-compatible USB security keys or other physical tokens for authentication. Software tokens or certificates, fingerprint, voice or retina scans, and mobile phone applications can also serve as passwordless factors.

Passwordless authentication is often used together with Single Sign-On (SSO) and MFA. With SSO, the user can access all corporate applications and services with a single proximity card, security token or mobile application. Combined with MFA, passwordless authentication can require users to perform an additional authentication step, such as entering a one-time code or scanning a fingerprint, when accessing applications or accounts.

Recent MFA solutions support adaptive authentication. The authentication method required from a specific user in a particular situation is chosen according to contextual signals such as IP address, device, time and location, combined with the organization's policies. A login from a registered device inside the corporate network may need nothing beyond the passwordless factor, while the same user arriving from an unknown device in an unexpected country is asked for an additional factor or blocked outright.
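The following is an added example of such a risk-based policy, written for this article and not code from the original post or from Kron. It scores a login attempt from the signals named above (IP address, device, time and location) and maps the score to a decision. The trusted IP ranges (RFC 5737 documentation networks), the scoring weights, the 06:00 to 22:00 UTC business window, the 900 km/h travel limit and the sample scenarios are assumptions made for illustration.

```javascript
// Added example (not Kron's code): adaptive authentication policy driven by context.
// Trusted ranges, weights, business hours and the travel limit are assumptions.
const TRUSTED_CIDRS = ['203.0.113.0/24', '198.51.100.0/24'];

function ipToInt(ip) {
  return ip.split('.').reduce((acc, octet) => ((acc << 8) + Number(octet)) >>> 0, 0);
}

// True if the IPv4 address falls inside the CIDR block.
function inCidr(ip, cidr) {
  const [base, prefix] = cidr.split('/');
  const bits = Number(prefix);
  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(base) & mask) >>> 0);
}

// Great-circle distance in km between two { lat, lon } points.
function haversineKm(a, b) {
  const toRad = (deg) => (deg * Math.PI) / 180;
  const dLat = toRad(b.lat - a.lat);
  const dLon = toRad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(a.lat)) * Math.cos(toRad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * 6371 * Math.asin(Math.sqrt(h));
}

// attempt:   { ip, knownDevice, time (ISO 8601), location: { lat, lon } }
// lastLogin: { time, location } of the user's previous successful login, or null
function assessLogin(attempt, lastLogin) {
  const reasons = [];
  let score = 0;
  if (!attempt.knownDevice) { score += 2; reasons.push('unregistered device'); }
  if (!TRUSTED_CIDRS.some((cidr) => inCidr(attempt.ip, cidr))) {
    score += 1; reasons.push('ip outside corporate ranges');
  }
  const hour = new Date(attempt.time).getUTCHours(); // a real policy would use the user's local time zone
  if (hour < 6 || hour >= 22) { score += 1; reasons.push('outside business hours'); }
  if (lastLogin) {
    const km = haversineKm(attempt.location, lastLogin.location);
    const hours = (Date.parse(attempt.time) - Date.parse(lastLogin.time)) / 3.6e6;
    if (hours > 0 && km / hours > 900) {
      score += 3; reasons.push(`impossible travel: ${Math.round(km)} km in ${hours.toFixed(1)} h`);
    }
  }
  // 0: passwordless factor alone; 1-2: require a second factor; 3 or more: block and alert
  const decision = score >= 3 ? 'deny' : score >= 1 ? 'step-up' : 'allow';
  return { decision, score, reasons };
}

// Constructed scenarios; coordinates are approximate city centres.
const ISTANBUL = { lat: 41.01, lon: 28.98 };
const NEW_YORK = { lat: 40.71, lon: -74.01 };
const LAST_LOGIN = { time: '2022-05-22T08:00:00Z', location: ISTANBUL };

const SCENARIOS = {
  officeKnownDevice: { ip: '203.0.113.10', knownDevice: true, time: '2022-05-22T10:00:00Z', location: ISTANBUL },
  homeKnownDevice: { ip: '192.0.2.5', knownDevice: true, time: '2022-05-22T10:00:00Z', location: ISTANBUL },
  newDeviceAbroad: { ip: '192.0.2.77', knownDevice: false, time: '2022-05-22T09:00:00Z', location: NEW_YORK },
};

for (const [name, attempt] of Object.entries(SCENARIOS)) {
  console.log(name, assessLogin(attempt, LAST_LOGIN));
}
```

The office login on a registered device gets through on the passwordless factor alone, the same device from a home connection is asked for a second factor, and an unregistered device that appears in New York one hour after a login from Istanbul is denied because the distance cannot have been travelled in that time. The weights are the part an organization tunes to its own policy; the signals are the ones adaptive MFA products evaluate.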

Passwordless Authentication and Privileged Access Management (PAM)

Passwordless authentication offers great advantages for users and organizations in terms of security and efficiency. Privileged accounts are among the most critical credentials, since they give access to a company's digital infrastructure, and their compromise is considered the most dangerous exposure of all. Whether abused by an insider or taken over by an external attacker, they allow an adversary to damage the IT infrastructure and disable security controls. Privileged accounts therefore require transparent, highly visible security controls in an auditable environment. This is where Privileged Access Management (PAM) solutions come in: they protect credentials that users should never learn, and add security layers such as session monitoring, logging and threat detection.

Access to service accounts and servers can be made passwordless when the Privileged Session Manager and the Dynamic Password Controller, two core modules of Kron's Privileged Access Management solution Single Connect, are used together. The Privileged Session Manager manages, monitors and audits privileged sessions within the company, keeping privileged accounts secured against internal and external threats. The Dynamic Password Controller stores all passwords in an encrypted secret vault and automatically generates unique passwords, so that the people using the accounts never need to see or type them. Used together in an IT infrastructure, the two modules raise security through passwordless authentication and build a robust protective shield around privileged accounts, especially against threats such as malware, ransomware and phishing.

If you would like to benefit from state-of-the-art solutions that support passwordless authentication, Single Connect's Privileged Session Manager and Dynamic Password Controller are the obvious choice, enabling you to augment efficiency with the advantage of high-capacity access and data security. Do not hesitate to contact us for further information and questions about Single Connect, Privileged Session Manager and Dynamic Password Controller.
