Passwords have been the gold standard in computer security for decades, but they have an obvious problem: If someone gets your password they can access all of your personal data.
With all of us still using passwords in our daily lives it’s hard to see passwordless security as a readily available technology, but it is. Companies like Ping Identity, RSA, Okta, Microsoft and Duo all offer their own passwordless platforms for enterprise customers, each designed in its own way to be intuitive and almost consumer-like in its user experience.
Founder and CEO of Ping Identity Andre Durand predicts a time three to four years in the future when passwordless security will become the norm, but only once friction is eliminated without sacrificing security. Durand spoke with TechRepublic’s Bill Detwiler for an episode of Dynamic Developer about how identity and access management is changing software development and “what it will take for us to reach a passwordless world.”
Durand said that there’s a lot of talk surrounding three factors of identity verification: Something you know (a password), something you have (a phone to receive an SMS code) and something you are (a biometric form of security). “If you have all three of those factors then security is strong. We don’t need to rely on those three factors anymore—there are N factors we can use,” Durand said.
What Durand is referring to are what’s known as “passive signals,” which he describes as “how we can recognize someone without any explicit user action.” These include things like user behavior, atypical web traffic, IP address, physical location, and anything else that tips an authentication system off when a user deviates from typical behavior. Think of the automated fraud alerts banks send on credit card activity: go on vacation, make a purchase, and you’re sure to get a call from your bank to verify that the charge is legitimate.
Passwordless security that’s truly frictionless will include a mix of explicit multifactor authentication, such as biometric verification, and passive signals that determine whether a user needs to provide an additional level of verification to confirm they are who they claim to be, Durand said.
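To make the passive-signal idea concrete, here is a small risk-based authentication decision engine written as an added example for this article; it is not code from Ping Identity or any vendor named here. The signals (country, device, hour of day, recent failures), their weights and the thresholds are all assumptions chosen for illustration: low risk logs the user in silently, medium risk asks for an explicit factor (the bank’s verification call), and high risk blocks the attempt.

```python
from dataclasses import dataclass, field


@dataclass
class LoginAttempt:
    user: str
    country: str      # derived from IP geolocation (assumed available)
    device_id: str    # cookie or device certificate identifier
    local_hour: int   # hour of day (0-23) in the user's usual time zone


@dataclass
class UserProfile:
    known_countries: set = field(default_factory=set)
    known_devices: set = field(default_factory=set)
    usual_hours: range = range(7, 23)  # hours when logins are normal
    recent_failures: int = 0           # failed attempts in the last hour


def score_signals(attempt: LoginAttempt, profile: UserProfile) -> tuple[int, list[str]]:
    """Add up weighted passive signals; weights are example assumptions."""
    score, reasons = 0, []
    if attempt.country not in profile.known_countries:
        score += 40
        reasons.append("new country")
    if attempt.device_id not in profile.known_devices:
        score += 30
        reasons.append("unrecognized device")
    if attempt.local_hour not in profile.usual_hours:
        score += 15
        reasons.append("atypical hour")
    if profile.recent_failures >= 3:
        score += 25
        reasons.append("recent failed logins")
    return score, reasons


def decide(attempt: LoginAttempt, profile: UserProfile) -> str:
    """Map risk to an action: 'allow' silently, 'step_up' (demand an
    explicit factor such as a FIDO key or biometric), or 'deny'."""
    score, _ = score_signals(attempt, profile)
    if score < 30:
        return "allow"
    if score < 70:
        return "step_up"
    return "deny"


def record_success(attempt: LoginAttempt, profile: UserProfile) -> None:
    """After a successful login (silent or stepped-up), enrol the device
    and country so later logins from them cause no friction."""
    profile.known_devices.add(attempt.device_id)
    profile.known_countries.add(attempt.country)
    profile.recent_failures = 0
```

Note that the first login from a new country costs one step-up, after which the same device and country are silent; that enrolment step is what turns risk-based MFA into the frictionless experience the article describes.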
Passwordless solutions are available today
Ping Identity is one organization offering passwordless security, which it describes in similar terms to Durand’s—frictionless. Looking at passwordless security as a destination with many steps, Ping centers authentication on a single point where risk-based MFA and FIDO login keys are used as different levels of verification.
RSA offers SecurID as its passwordless platform and uses a similar mix of MFA and FIDO to verify user identity. It also advertises its process as a series of steps that mix passwords and passwordless authentication before reducing reliance on passwords as time goes on.
Okta’s passwordless authentication solution is centered on “delighting and securing users,” saying it can cut authentication time by 50%, reduce password management operational costs and eliminate risks from phishing and credential stuffing.
Far from letting the decline of on-premises Active Directory installations slow it down, Microsoft has released a passwordless authentication product as well. Microsoft’s passwordless system is integrated directly into the rest of its products via an Authentication Methods admin page in Azure.
Duo’s passwordless product uses solutions similar to the others mentioned above. Duo describes the passwordless security world in no uncertain terms, calling it “modern authentication,” and says that it enables frictionless logins while reducing administrative burdens and security risks.
The choice of passwordless solution may be up for debate, but what isn’t is the necessity of moving on from the password altogether. A statistic from Verizon’s 2021 Data Breach Investigations Report cited by several passwordless vendors said that 61% of security breaches can be attributed to stolen credentials. To read that another way, there’s no good reason not to consider passwordless security if it could reduce your chances of being breached by 61%.