Passwordless Connected Workplace – A Paradigm Shift
Change is The Only Constant
The shift to remote workplaces driven by the ongoing pandemic seems to have happened almost overnight. As disruption spread globally, remote work became the new norm for business continuity and resiliency, and organizations are now rethinking how future workspaces will look. Gartner reports that more than 70 percent of CFOs plan to shift employees to permanently remote positions, and we have already seen companies like Twitter announce that employees can continue working from home indefinitely.
Passwords are often the weakest link in a modern workplace security chain. In fact, stolen credentials are the most frequent entry point for breaches. This identity risk is further increased by the current change in workspace, and attackers are waiting in the wings to seize the moment.
The current economy thrives on disruption: unless quality services are delivered and up-to-date technology is adopted, one becomes obsolete. In the same way, passwords have had to evolve.
Passwordless Authentication Explained
Any authentication method that does not require the user to type a password can be classified as passwordless. This is achieved using OTPs, hardware and software tokens, authenticator apps and biometrics. In addition, passwordless authentication combined with seamless single sign-on works very well for enterprises that use a large number of published applications. The core objective of passwordless authentication is to eliminate the use of passwords, passphrases and other shared secrets. Passwordless authentication replaces passwords with other forms of identity proof, improving both the assurance level and convenience. It has gained traction because of the enhanced login experience for users and because it overcomes the inherent vulnerabilities of text- or secret-based passwords.
Passwordless Authentication = Something you have + Something you are
Knowledge-based Authentication = Something you know + Something you have + Something you are
Impetus to Adopt Passwordless Authentication
Demand for Cloud: Remote work has triggered demand for cloud applications to ensure business continuity. The risk associated with this is poor password hygiene, traded away for user convenience.
Improved TCO: Gartner reports that almost 40% of all help desk requests are related to password resets, and Forrester reports that large enterprises spend up to $1 million on personnel and infrastructure just to manage these requests. Going passwordless solves this problem to a great extent.
Enhanced User Experience and Compliance: Adopting passwordless authentication gives employees a seamless login experience across all devices and channels without entering a password, and removes the need to submit help desk requests for password resets. By allowing employees to authenticate securely using biometrics or other integrations, the user experience is drastically enhanced, since there is no complex password to remember or type.
Scalability: Delivering passwordless solutions through technology and factors that end users already possess, e.g. mobile devices (biometrics and authenticator apps) or laptops (Windows Hello and fingerprint readers), makes them easier to deploy.
Control and Clarity: Phishing and credential reuse are the most common problems with passwords. With passwordless authentication there is no secret to phish, share or reuse, so this wildcard entry point via identity is closed.
Passwordless Standards and Evolving Authentication
The Fast Identity Online (FIDO) Alliance was created to offer a secure way for consumers to authenticate to online services. The idea behind FIDO was to separate the actual authentication mechanism from the authentication protocol itself, so that authentication could run over a variety of hardware, software applications and digital identity methods. FIDO supports a full range of authentication technologies, including biometrics such as fingerprint and iris scanners, voice and facial recognition, as well as existing solutions and communication standards such as Trusted Platform Modules (TPM), USB security tokens, embedded Secure Elements (eSE), smart cards and near field communication (NFC).
Continuous and Passwordless Authentication
Traditional authentication methods allow users to log in to an application or service by creating a web session. The user is then able to perform actions based on the permissions granted. The problem with session-based authentication is that it does not consider contextual changes, such as the user moving from a trusted network to a public one while keeping the same session. Across all these different environments, session-based authentication may not provide enough security and may require continuous authentication until the user logs out of the service. The objective of continuous authentication is to validate the user's identity repeatedly as they carry out tasks within an application, taking both security and convenience a step further.
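To make the contrast with a one-time login concrete, here is an added example (not from the original article) of a session whose trust is re-evaluated on every request. The policy, the context fields (`deviceId`, `networkZone`), the 15-minute freshness window and the three outcomes (`allow`, `step_up`, `deny`) are assumptions chosen for illustration; a real deployment would feed in richer signals, but the shape of the decision loop is the point.

```javascript
// Added example (not from the original article): continuous authentication as
// a per-request policy decision instead of a one-time session grant.

const STRONG_AUTH_MAX_AGE_MS = 15 * 60 * 1000; // assumed freshness window

class ContinuousSession {
  constructor(user, context, now) {
    this.user = user;
    this.baseline = { ...context }; // device and network seen when identity was last proven
    this.lastStrongAuth = now;
    this.revoked = false;
  }

  // Called after the user re-proves identity (e.g. a biometric prompt);
  // the new context becomes the trusted baseline.
  recordStrongAuth(context, now) {
    this.baseline = { ...context };
    this.lastStrongAuth = now;
  }

  // Decide per request: 'allow', 'step_up' (ask the user to re-prove
  // identity) or 'deny' (session terminated).
  evaluate(request, now) {
    if (this.revoked) return 'deny';
    const ctx = request.context;

    // A session token presented from a different device is not the same
    // user: terminate rather than challenge.
    if (ctx.deviceId !== this.baseline.deviceId) {
      this.revoked = true;
      return 'deny';
    }

    const networkChanged = ctx.networkZone !== this.baseline.networkZone;
    const stale = now - this.lastStrongAuth > STRONG_AUTH_MAX_AGE_MS;

    // Moving onto a public network is exactly the case a login-time check misses.
    if (networkChanged && ctx.networkZone === 'public') return 'step_up';
    // Sensitive actions need a fresh proof of identity.
    if (request.sensitive && (networkChanged || stale)) return 'step_up';
    return 'allow';
  }
}

// Walk through the scenario from the text with a constructed clock.
function demo() {
  const t0 = Date.UTC(2024, 0, 1, 9, 0, 0);
  const office = { deviceId: 'laptop-1', networkZone: 'corporate' };
  const cafe = { deviceId: 'laptop-1', networkZone: 'public' };
  const otherDevice = { deviceId: 'phone-9', networkZone: 'public' };
  const session = new ContinuousSession('alice', office, t0);
  const results = [];

  results.push(session.evaluate({ sensitive: false, context: office }, t0 + 60000));   // allow
  results.push(session.evaluate({ sensitive: false, context: cafe }, t0 + 120000));    // step_up
  session.recordStrongAuth(cafe, t0 + 130000); // user re-proves identity on the new network
  results.push(session.evaluate({ sensitive: true, context: cafe }, t0 + 140000));     // allow
  results.push(session.evaluate({ sensitive: true, context: cafe }, t0 + 20 * 60000)); // step_up (stale)
  results.push(session.evaluate({ sensitive: false, context: cafe }, t0 + 20 * 60000));// allow
  results.push(session.evaluate({ sensitive: false, context: otherDevice }, t0 + 21 * 60000)); // deny
  results.push(session.evaluate({ sensitive: false, context: cafe }, t0 + 22 * 60000)); // deny (revoked)
  return results;
}

console.log(demo());
// [ 'allow', 'step_up', 'allow', 'step_up', 'allow', 'deny', 'deny' ]
```

The design choice worth noting is that the step-up outcome is what keeps this convenient: most requests are allowed silently, and only a context change or a sensitive action triggers the passwordless prompt, so the user is never asked for a password at all.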
Passwordless Authentication: The Way Forward
Each year on the first Thursday in May, World Password Day promotes better password hygiene. Passwords are the front door to our digital identities, giving us access to online shopping, banking, social media and private work. Zero password is not the future; it is the need of the hour. Every year, security incidents continue to occur due to account compromises, and the causes are well known. The most relevant of them is credential stuffing, which accounts for approximately 80 percent of the attacks.
While it is critical to build out a long-term strategy for authentication practices, industry experts concur that the next digital breakthrough will be passwordless authentication. It offers three key advantages over traditional, knowledge-based authentication. First, it increases revenue and lowers costs. Second, it makes sense from a customer perspective, providing a better user experience. Third, from a strategic point of view, it can help reshape market competition by unlocking value from interoperability and platform independence.