We all know how insufficient passwords are, but what are the alternatives?
The username/password model has been around for some time now. But in today’s digital-first world, who can remember a unique password for each of their online accounts – personal and corporate?
The many reports of stolen or hacked passwords suggest that this relatively archaic method of identity authentication is a broken model. If a password exists, then it can be hacked. What are the alternatives?
Smartphones are helping to popularize new forms of authentication, but do these methods effectively provide the kind of cybersecure authentication that businesses need?
CybersecAsia discusses the inadequacy of passwords, and how enterprises can embrace a password-less future, with Ajay Biyani, Managing Director, ASEAN, ForgeRock.
The jury’s still out on a password-less future. In your opinion, in what applications would passwords still play a role in cybersecurity, and where would it no longer be necessary?
Ajay: Passwords are the ultimate lose-lose — they clog up business processes and are a poor user experience, posing a security risk to enterprises.
The high volume of passwords users have is too difficult for most to remember. As a result, users typically reuse passwords or use easily guessed ones, making the systems only as secure as the weakest one. As a result, passwords are the leading attack vector used in data breaches.
Enterprises have been well aware of these risks, but haven’t had a viable alternative due to legacy technology and a lack of integration standards.
Consumers, on the other hand, leverage their smartphones, computing devices or hardware tokens to authenticate to online services. This means we see significant uptake for password-less on the consumer front. This is evident as smartphone manufacturers, for example, have been fostering this “movement” by eliminating the traditional barriers and inertia that prevented the removal of passwords.
This process began with the use of biometrics in smartphones and has made its way to almost every device we interact with.
“If a password exists, it can be hacked.” What are the implications for business users today?
Ajay: Passwords are vulnerable to cyber hacking attempts and can often lead to large data breaches. Every industry – from financial services to hospitality – has seen major security breaches due to compromised credentials.
Avoiding passwords can benefit businesses in the long term, but as we know, it’s often easier said than done.
What alternatives are available for enterprises today?
Ajay: Until recently, there was no easy way to use biometrics to drop passwords unless enterprises were willing to endure tedious efforts to retrofit their applications.
Even when biometrics sensors became ubiquitous, there was a huge gap between the sensor and the applications that needed to use it for login. Enterprises would potentially need to build integrations for each biometric sensor on each platform for every application, as there was no standard to tie them together.
With that said, most multi-factor authentication systems actually take less time and require less from enterprises.
The FIDO Alliance has developed and promoted free, open standards that have accelerated password-less authentication, so it can be more easily adopted.
In 2018, FIDO adopted the WebAuthn specification created by the World Wide Web Consortium (W3C) as part of its FIDO2 standard. This provides an application programming interface (API) that can be easily implemented on any website or service and can communicate directly with browsers like Google Chrome, Microsoft Edge or Apple Safari to initiate FIDO-based authentication. This democratized password-less authentication in a significant way, as it enables users to leverage common devices to authenticate to online services in mobile and desktop environments.
How should enterprises go about embracing a password-less future to protect users and data?
Ajay: There are many systems enterprises can adopt to embrace a password-less future. The rule of thumb is to incorporate as many factors between users and your database as possible to keep information secure. One should also take the enterprise use case into consideration to determine the appropriate integrations. This includes studying the industry they operate in, who the users are, enterprise size, and the vendors involved.
The ForgeRock Trust Network is an extensive ecosystem of more than 75 partners, allowing customers and their users to have the flexibility and choice to embrace this, beyond biometrics.
This includes solutions such as optical codes one scans with a smartphone to replace usernames and passwords, or proximity technology that can determine if one is standing in front of an ATM.
Others include:
- Centralized biometrics: We should never expect individuals to manage their own devices, and this is why centralized biometrics is important to take that responsibility away from the end user. Centralized biometrics enable enterprises to do things like free seating, where one doesn’t need to enroll individual devices and marry them to individual users. This is especially relevant in healthcare and government applications.
- Multi-modal authentication: Multi-modal solutions are useful in situations where a company wants a choice as to which mode of authentication it prefers and wants to be able to provide the user with the same choices.