As we celebrate World Password Day, companies of all sizes are looking to password alternatives including YubiKeys, Google Titan keys, and biometrics. A Gartner analyst weighs in.
TechRepublic's Karen Roby talks with Gartner analyst David Mahdi about available options for a passwordless future. The following is an edited transcript of their conversation.
David Mahdi: This is definitely a very exciting topic, and it's really very timely given what's happening as we shift the workforce to more remote. Passwords and authentication techniques are being used multiple times a day, and we all know passwords are very frustrating to work with, right? Remembering all of them and just countless amounts of them. We're kind of getting at an end, right?
Organizations have been asking us and saying, "Hey Gartner, are there viable options for passwordless authentication?" And in fact, so much so that it was one of our top security trends last year, in saying that, yes, it wasn't a trend for 2019, but it was something that we saw signals in the market where organizations wanted to move away from passwords and to move more toward a world of passwordless techniques. So there's demand and desire, but we're not seeing any ubiquitous solutions that are out there today, but it's getting very promising.
Karen Roby: Talk a little bit about the issues that come up for companies and employees, and the use of passwords.
David Mahdi: Of course there's password complexity, right? There's this notion that the longer the password is and the more characters we have, yes, we know against things like brute-force attacks and dictionary attacks that can really thwart some of those attacks in many ways. But you also have to think about, "Well, what kind of damage are we going to do to our employees just in terms of putting more stress on them in having to manage all of these passwords?" So there's a huge usability problem here, and that is the primary notion that many clients come to us and say, whether it's a bank or it's an enterprise, they're really worried about that cognitive load. And I think one of the things that we see and we all know is the sticky notes where you'll write passwords down, because we're just not built for that. We're not meant to memorize passwords, let alone for the hundreds of websites that we also have in our personal lives, too. So we have to deal with this. And frankly, the sticky note password thing is a coping mechanism, really.
Karen Roby: We are all guilty of the sticky notes, I think. Talk about some of the passwordless options available.
David Mahdi: That's a great question and certainly one that I'm very excited about. There are a lot of options that are coming. I'll show you, this is on my car keys. I've got a couple of varieties of these Google Titan keys. This one's got a USB, standard USB. This one is a Bluetooth token. It's wireless, which is great, and it's still a Google Titan key. And then these ones are fairly popular, too, these YubiKeys from Yubico, which this one's also USB. You can get different flavors with USB-C.
This really does help in eliminating the password, where a user can stick in one of these tokens, you put your thumb on it, and it essentially activates and allows you to log in. Now there's a PIN that's usually associated with it, but that can really help. And that's one method. I think a lot of organizations had the traditional RSA tokens many years ago or those one-time passwords, and many folks thought tokens were going away. But Google came out a few years ago and said, "We didn't have any successful phishing attacks against us, Google, because we were using those types of tokens." All of their employees would use those. That's really interesting.
But there are other methods as well. Biometrics. When we saw Apple launch the iPhone 5 and they included, I believe it was the 5S actually, and actually I have one here. They included Touch ID, right? This was the first one to include Touch ID. And then, of course, we've moved on to facial recognition, iris, and so on. And then we also have, with Microsoft devices in Windows 10, Windows Hello, which is very promising, not only for personal but also for enterprises, because now we have built within Windows 10 the ability to leverage biometrics. These are options that support a passwordless authentication framework.
But still the challenge remains where I could have my iPhone, my Google Pixel and my Surface laptop, and all of them have biometric options. But how do you manage those? They allow for a passwordless future, but it's really tough to bring all those together right now under one hood. And so that's the next hurdle we need to get over. But we're really starting to move in that direction with those options. Biometrics, tokens, and the last I'll say is just the devices themselves having built-in hardware. I'm sure if you hear the lingo from Apple, they'll say Secure Enclave, and others talking about trusted execution environments, or trusted platform modules. All of these coming together helps us set the foundation for a passwordless world. But we're not there yet.