For most of our online lives, our accounts are protected by a username and password. These protect the data stored in our accounts, including financial, personal and pretty much anything we value both digitally and physically.
Just as there are many ways to achieve a goal, we have discovered over the years that cybercriminals are more than happy to expend the effort to break into our accounts, using everything from brute-force attacks to outright stealing our passwords through social engineering.
Can we go passwordless? The market for passwordless authentication solutions is forecast to reach US$53.64 billion by 2030. According to the State of Global Enterprise Authentication report by Yubico, 59% of employees surveyed in the study still rely on usernames and passwords as their primary method of authenticating into their accounts.
Gartner principal analyst Swati Rakheja says passwords have persisted primarily because they are free and highly ubiquitous across enterprise systems. She acknowledged that passwords have long been proven insecure.
“Issues such as poor memorability of passwords, weak or reused passwords, password storage, phishing, social engineering and brute-force attacks persist with the use of passwords.”
Swati Rakheja
Geoff Schomburgk, vice president for APJ at Yubico, defines passwordless authentication as any login process that doesn’t require the user to enter a password.
Rakheja says passwordless authentication may leverage public key cryptography to provide a stronger mechanism to authenticate a user. She acknowledged the expanding use of passwordless options particularly in online applications and SSO providers but noted that enterprise implementations remain nascent.
In 2011, Google and Yubico invented the Fast Identity Online (FIDO) standard to provide universal second-factor authentication. This partnership evolved to become the FIDO Alliance. In 2021, Microsoft made passwordless authentication, based on the FIDO2 standard, available for signing in to Microsoft accounts.
Today, the FIDO Alliance includes players such as Identity Access Management (IAM) vendors, Virtual Private Network (VPN) vendors and others, all of whom support the FIDO2 standard.
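Rakheja's point above, that passwordless authentication leverages public key cryptography, and the FIDO2 standard just mentioned come down to one mechanism: the server issues a random challenge, the user's authenticator signs it with a private key that never leaves the device, and the server verifies the signature with the public key it stored at registration. The example below is an added illustration written for this article, not code from Yubico, Microsoft or the FIDO Alliance; it is a simplified model of a FIDO2/WebAuthn assertion (the relying party ID, origin and challenge names mirror WebAuthn's clientDataJSON, but the structures and the `example.com` / `example.com.evil.test` names are constructed for the demonstration). It shows why a stolen assertion cannot be replayed and why a look-alike phishing domain never obtains a usable signature.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData carries the fields a browser puts in WebAuthn's clientDataJSON.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator is a simplified security key: one private key per relying party ID.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// Sign answers a challenge and returns (clientDataJSON, signature). The browser derives rpID and origin from the page's real URL, so a look-alike domain cannot request the genuine credential.
func (a *Authenticator) Sign(rpID, origin, challenge string) ([]byte, []byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, nil, fmt.Errorf("no credential registered for rpID %q", rpID)
	}
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	digest := signedDigest(rpID, cd)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return cd, sig, err
}

// signedDigest binds the RP ID and client data (origin + challenge) into one signed message.
func signedDigest(rpID string, cd []byte) [32]byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cd)
	return sha256.Sum256(append(rpHash[:], cdHash[:]...))
}

// RelyingParty is the server side: the registered public key plus single-use challenges.
type RelyingParty struct {
	ID, Origin string
	pub        *ecdsa.PublicKey
	challenges map[string]bool
}

// NewChallenge issues a fresh random nonce and remembers it until it is consumed.
func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 32)
	rand.Read(b)
	ch := fmt.Sprintf("%x", b)
	rp.challenges[ch] = true
	return ch
}

// Verify checks challenge freshness, origin, then the signature over the RP's own ID.
func (rp *RelyingParty) Verify(cd, sig []byte) error {
	var c clientData
	if err := json.Unmarshal(cd, &c); err != nil || c.Type != "webauthn.get" {
		return fmt.Errorf("malformed client data")
	}
	if !rp.challenges[c.Challenge] {
		return fmt.Errorf("unknown or already-used challenge (replay?)")
	}
	delete(rp.challenges, c.Challenge) // single use: a captured assertion cannot be replayed
	if c.Origin != rp.Origin {
		return fmt.Errorf("origin mismatch: %s", c.Origin)
	}
	digest := signedDigest(rp.ID, cd)
	if rp.pub == nil || !ecdsa.VerifyASN1(rp.pub, digest[:], sig) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

// Scenario returns the outcomes (nil = accepted) of a genuine login, a replay of that same assertion, and a login attempt relayed through a look-alike phishing origin.
func Scenario() (genuine, replay, phishing error) {
	rp := &RelyingParty{ID: "example.com", Origin: "https://example.com", challenges: map[string]bool{}} // constructed sample RP
	// Registration: the key creates a P-256 pair scoped to rp.ID and the RP stores only the public half.
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{rp.ID: priv}}
	rp.pub = &priv.PublicKey
	cd, sig, err := auth.Sign(rp.ID, rp.Origin, rp.NewChallenge())
	if err != nil {
		return err, err, err
	}
	genuine = rp.Verify(cd, sig)
	replay = rp.Verify(cd, sig) // the same assertion submitted a second time
	// A phishing page relays a real challenge, but the browser scopes the request to the look-alike rpID, for which the key holds no credential, so nothing is ever signed.
	_, _, phishing = auth.Sign("example.com.evil.test", "https://example.com.evil.test", rp.NewChallenge())
	return genuine, replay, phishing
}

func main() { fmt.Println(Scenario()) }
```

Running the program prints `<nil>` for the genuine login and an error for each of the other two cases. The phishing resistance does not come from the user spotting a bad URL: the credential is bound to the relying party ID at registration, the signed message includes the origin the browser actually saw, and the server discards each challenge after one use, so there is nothing for a password-style credential theft or replay to capture.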
Driving interest to go passwordless
Continuing high-profile cyberattacks such as those on Colonial Pipeline in the US, SingHealth in Singapore, the Shangri-La hotel chain in Hong Kong and Optus in Australia all suggest that enterprises and consumers remain vulnerable.
Schomburgk says cyberattacks persist because of lax security habits and the inconvenience of current authentication practices.
He notes that over 80% of data breaches are a result of stolen or compromised credentials – username and password. With an average user having at least 100 different online accounts, each with its own user ID and password, and different requirements to change passwords, managing them quickly becomes challenging.
“If we can provide a secure solution, but also easy, where we don’t need to use or don’t need to rely on the password, then that will drive adoption,” opined Schomburgk.
Passwordless and zero trust
Software supply chains have become a new attack vector. In a VentureBeat article, Janet Worthington, senior analyst at Forrester, explains that a software supply chain attack occurs when a customer installs or downloads compromised software from a vendor, and an attacker leverages the compromised software to breach the customer’s organisation.
“Adopting zero-trust principles with all software including third-party software can help to mitigate the risk of a supply chain attack,” Worthington added.
Schomburgk claims that the application of passwordless authentication is one of the easiest things to implement when it comes to zero trust.
“In a zero-trust world, your login is your front door. Criminals don’t break in, they log in! When it comes to zero trust, the simplest way of doing that is to make strong authentication at that front door and make the strongest level of security so that you protect that front door. The best way to do that is like what you do in your house: use a physical key, a security key like a YubiKey.”
Geoff Schomburgk
Is passwordless authentication ready today?
Schomburgk believes passwordless authentication is a medium-term proposition, needing another two to three years before it becomes mainstream.
He pointed to Microsoft’s implementation of passwordless authentication on its Azure platform. The 2022 announcement by Google and Apple of support for FIDO2 will push passwordless adoption further. The partnership between the FIDO Alliance and the World Wide Web Consortium (W3C) aims to standardise FIDO Authentication for the entire web platform.
Making passwordless mainstream
For passwordless to become mainstream, supply and demand must meet in the middle. Schomburgk says the supply side – the ecosystem of developers, standards bodies, etc – is already making it available.
He acknowledged that much needs to happen on the demand side. He cited the recent effort by the Biden Administration in the US to mandate the use of phishing-resistant authentication for all government agencies. This could mean a smart card or FIDO2 standard.
“Anyone doing business with someone doing business with the US government will then also be required to. That will facilitate adoption from the user side,” he posited.
He conceded that not everywhere is ready to mandate or enforce this. “We see many of the government recommending bodies for security, encouraging it or stating it as best practice or it’s highly recommended,” he added.
The CISO/CIO and passwordless
Security is important. “We need to be as strong as possible to be phishing resistant and as preventative as possible. Zero trust is another example of trying to prevent bad things from happening as much as possible. But adoption is key,” said Schomburgk.
He suggested starting with organisations that require the highest level of security and giving them the convenience of making it easy to do their job. “It is about this adoption and transforming how they do their business to make it easier. This convenience will then kick in, and it’ll start to filter through,” he continued.
Schomburgk says education is a critical part of the CISO’s role: helping employees understand that they are doing this for a good reason, while also asking whether it will be easy for them.
“From a CISO’s point of view, framing that understanding of the human dynamics, making sure that people understand and are educated on why they’re doing it, and the level of information that must be protected in the organisation. These are all factors that I think can be considered,” he concluded.
Click on the PodChat player and listen to Schomburgk elaborate on the options organisations have for integrating passwordless authentication into their security framework.
- Before we dive into our topic, perhaps you tell our audience what Yubico is all about.
- Please describe the passwordless security landscape in 2022.
- What is driving interest in passwordless security?
- How do you apply passwordless security efforts to the zero-trust initiative?
- Is passwordless security a long way off from becoming mainstream?
- What needs to happen for passwordless security to become part of everyday computing needs?
- For the CIO/CISO in terms of reframing their security strategy to incorporate passwordless security?