Introducing passwordless technologies is a tactical move in support of broader efforts to strengthen information security, and it rests on simplifying what users have to do. Once the password is no longer the primary authentication factor, laptops and PCs can be unlocked with biometrics, while for web applications the replacement is most likely FIDO2-based authentication.
Take a moment and try to remember your first time online, or perhaps your first session at a terminal. The expectation that something is about to happen. You are prompted to enter a password. Your first password. What did you type?
I admit to a slight nostalgia for my first passwords. After all, they meant something to me: a small piece of text, a secret that only my computer and I knew. But I was not the only one who chose passwords like that. At the end of last year, enthusiasts
Usually I would come up with joking passwords. Sometimes I made promises to myself (saveMoney! – “saveMoney!” – and [email protected] More – “[email protected] Longer”). I bet you did the same thing. What has changed?
Inventing a password makes sense when it is your first one. You can still have fun with the next two or three. But what do you do when there are hundreds of them? Invent yet another unique phrase? What a bore. The only thing worse is an old, long-known password reused everywhere (don't tell me you never do that). Remember the password sticky notes that seemed like such a clever idea at the time? Who has room on a monitor for a hundred of them?
I don't make my own soap. I don't pluck chickens. And I no longer invent passwords. Today most of my passwords are generated randomly. To be honest, I can't wait for random passwords to end up wherever homemade soap, acoustic modems and CRT monitors have gone.
Let's try to look into a passwordless future.
When passwords are not needed
For passwords to disappear, there must first be fewer of them. Locally, a password manager is a workable stopgap; centrally, a single sign-on (SSO) system is. The idea is to define which authentication processes will be used and then start reducing the complexity.
There are problems waiting for us on this path. First, the task is not as simple as it looks: in corporate environments there are on average 191 passwords per user, and it takes time to inventory, evaluate and consolidate them. Second, passwords still get compromised. There may be fewer of them, but each one remains exactly what it always was: a long-lived shared secret serving as the primary authentication factor.
Security improves when the password stops being the primary authentication factor. On laptops and PCs, for example, users can sign in with biometrics whose templates and keys are protected by hardware: Apple's Secure Enclave behind Touch ID, or a Trusted Platform Module (TPM) behind Windows Hello. For web applications the replacement is most likely authentication based on the FIDO2 specification, which combines the W3C WebAuthn (Web Authentication) standard on the browser side with CTAP (Client-to-Authenticator Protocol) between the client and the authenticator. In time, passwordless access will cover every corporate scenario: hybrid, cloud, on-premises and legacy applications.
For users, a life without passwords means faster sign-in with less friction. Attackers face a system with no shared secret to copy, replay or brute-force: the server holds only a public key, and the signature it receives is bound to the site the browser was actually on. And for administrators, living without passwords means steadily finding places where passwordless technology fits and rolling it out there, to the full satisfaction of users.
Quick wins and long-term prospects
The strategy requires motivating people and allocating resources to reach the goal. As I wrote in the article “
Passwordless authentication does not go in without problems everywhere. One example is staff who cannot or will not use biometrics. As we have seen recently, personal protective equipment can interfere with face and fingerprint recognition. Some people also find it hard to enroll fingerprints at all, most often older staff. Another stumbling block awaits wherever shared equipment is the norm, for example in operations centers. Many passwordless solutions bind an employee to a specific device for strong authentication, and that model breaks down when several people use the same device. In such cases it is better to start with other models and wait for the next round of technical advances.
Many standards require a password plus one or more additional factors for authentication. One can argue that passwordless authentication provides the same level of security, but standards bodies and auditors need time to absorb new developments. For now it is best to open the conversation with internal audit early, while proving the advantages of passwordless technology in other areas.
To help organizations prepare for a passwordless rollout, we have published new material:
Going passwordless means a gradual transition from password authentication to other methods. The ultimate goal is to improve employees' working processes while closing many of the loopholes criminals use today to gain access.
The transition to passwordless technology will not go smoothly everywhere. We are at the very beginning of the journey, and it takes time to get infrastructure and staff ready. But that is no bad thing: it gives us time for strategic planning and for implementing the transition.
I don't know about you, but I would be curious to see how my password gets cracked in 40 years. "What did he mean by Wdx8yJGzXXOuobE3?" some unknown hacker will ask, puzzling over the era when people had to type their login credentials by hand.