Evolving Beyond the Password: Vanquishing the Password

The first article in this two-part series explored ways to improve multifactor authentication (MFA) and boost adoption. This story looks at how organizations can apply more advanced passwordless MFA and genuinely passwordless systems.

It will not be easy to get to passwordless, but the concept is finally gaining momentum. Although several vendors have been offering passwordless MFA and genuinely passwordless technology for a few years – mostly for corporate use – a more comprehensive framework is now taking shape. Apple, Google and Microsoft have jointly agreed to introduce passwordless authentication in earnest.

For example, in a few months, Apple will introduce passkeys that completely replace the passwords used to log in to websites. The framework, based on the FIDO Alliance standard, uses biometrics such as Face ID to create a unique, encrypted digital key that exists only on the device and in an encrypted keychain shared with the user's other Apple devices, including iPhone, iPad, Mac and Apple TV. This makes it impervious to phishing and other forms of data extraction.

In 2020, Microsoft turned to biometrics for authentication in Windows 10 and Windows 365 – and the company is also extending passwordless sign-in to websites. In addition, all three companies are adding the ability to transfer this identity data across approved devices and systems. In the past, switching phones or other devices typically meant re-enrolling credentials – a time-consuming and annoying task.

In addition to incorporating biometrics and other security mechanisms into their operating systems, the three major vendors are introducing software development kits (SDKs) that companies can use to build passwordless websites. As a result, consumers will soon be able to start dropping passwords for compatible websites and services. As with Apple's passkeys, a cell phone or other registered device authenticates the person and then sends the request to the server without transmitting the biometric data.

“Where the big suppliers lead, everyone else follows,” says Don Tait, senior analyst at Omdia.

At the heart of this transformation is the FIDO Alliance. “It’s a classic example of the impact of consumerization on technology,” adds Rik Turner, senior analyst at Omdia. “When people start using tools in their private lives, they start seeping into the workplace.”

A question of identity

Security experts say the first step in building a better authentication framework is to stop using outdated methods like secret words and one-time codes to verify users. Even push-notification apps are vulnerable to exploits. For example, crooks who gain access to a corporate network or MFA system can generate bogus authentication requests that someone approves in a moment of distraction or inattention.

Even highly secure YubiKeys and other U2F tokens are not exempt from vulnerabilities and workarounds. For example, if a user forgets the key or for some reason cannot use it, the typical solution is to fall back to a text-message code or a less secure form of MFA as a backup. At that point, even an ultra-secure hardware token provides no protection.

A deeper and broader use of biometrics and user-verification methods, including presence-based authentication and behavioral or activity-based models, is key. This includes the FIDO WebAuthn protocol, which provides an API for strong registration and authentication based on public-key cryptography. It can be combined with a continuous authentication method that re-verifies the identity behind the session through a persistent token.
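To make concrete what WebAuthn's public-key registration and authentication look like, and why a device-bound key of the kind Apple's passkeys use is described above as impervious to phishing, here is an added Go model of the ceremony. It is not code from the article or from any vendor named in it: the relying party names (login.example and the look-alike login-example.evil) are constructed, the signed data is reduced to the rpID hash and the client data (real WebAuthn also signs flags and a signature counter), the browser's registrable-domain rule is simplified to an exact host match, a single user is enrolled, and the standard library's P-256 ECDSA stands in for the key an authenticator keeps in secure hardware or a synced keychain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData stands in for WebAuthn's clientDataJSON; the browser, not the page,
// fills in Origin, so every signature is bound to the site the user is really on.
type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the login response; Signature covers sha256(rpID) || sha256(ClientData).
type Assertion struct{ ClientData, Signature []byte }

func signedDigest(rpID string, cd []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cd)
	d := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return d[:]
}

// Authenticator models the device: one private key per relying party, never exported.
type Authenticator map[string]*ecdsa.PrivateKey

// Register creates a key pair scoped to rpID and hands back only the public half.
func (a Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a[rpID] = priv
	return &priv.PublicKey, nil
}

// Assert signs a challenge with the key scoped to rpID; origin is supplied by the browser.
func (a Authenticator) Assert(rpID, origin string, challenge []byte) (*Assertion, error) {
	priv, ok := a[rpID]
	if !ok {
		return nil, errors.New("no credential for this relying party")
	}
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(rpID, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{ClientData: cd, Signature: sig}, nil
}

// BrowserAssert enforces the browser's rule that a page may only use credentials of its
// own rpID (exact host match here; real browsers also accept registrable-domain suffixes).
func BrowserAssert(a Authenticator, origin, rpID string, challenge []byte) (*Assertion, error) {
	if origin != "https://"+rpID {
		return nil, fmt.Errorf("origin %s may not use rpID %s", origin, rpID)
	}
	return a.Assert(rpID, origin, challenge)
}

// RelyingParty is the server side for one enrolled user; it never sees a private key.
type RelyingParty struct {
	ID, Origin string
	pub        *ecdsa.PublicKey
	pending    []byte // challenge awaiting a response
}

func (rp *RelyingParty) NewChallenge() []byte {
	rp.pending = make([]byte, 32)
	rand.Read(rp.pending)
	return rp.pending
}

// Verify checks origin and single-use challenge, then the signature; hashing its own ID
// into the digest means a signature made for any other rpID fails here as well.
func (rp *RelyingParty) Verify(as *Assertion) error {
	expected := rp.pending
	rp.pending = nil // consume the challenge whatever happens next
	var cd clientData
	if err := json.Unmarshal(as.ClientData, &cd); err != nil {
		return err
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin mismatch: got %s", cd.Origin)
	}
	if expected == nil || string(cd.Challenge) != string(expected) {
		return errors.New("stale or unknown challenge (replay?)")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedDigest(rp.ID, as.ClientData), as.Signature) {
		return errors.New("invalid signature")
	}
	return nil
}

// Scenario: enrollment, a genuine login, a replay of it, a phishing page asking the browser
// for the real site's credential, and a relayed assertion carrying the phishing origin.
func Scenario() (genuine, replayed, phishedBrowser, relayedOrigin error) {
	auth := Authenticator{}
	rp := &RelyingParty{ID: "login.example", Origin: "https://login.example"}
	rp.pub, _ = auth.Register(rp.ID) // enrollment: only the public key leaves the device
	as, _ := BrowserAssert(auth, rp.Origin, rp.ID, rp.NewChallenge())
	genuine = rp.Verify(as)
	replayed = rp.Verify(as)
	c := rp.NewChallenge()
	_, phishedBrowser = BrowserAssert(auth, "https://login-example.evil", rp.ID, c)
	as, _ = auth.Assert(rp.ID, "https://login-example.evil", c) // browser check bypassed
	relayedOrigin = rp.Verify(as)
	return
}
```

Calling Scenario() yields nil for the genuine login and an error for each of the other three cases. Two separate layers do the work: the browser refuses to let a look-alike origin invoke the real site's credential at all, and the relying party independently rejects any assertion whose signed origin is not its own, so a relayed or replayed response is useless even to an attacker who has seen it. Nothing secret ever crosses the wire; the server stores only a public key, which is why a breach of the server yields nothing to replay elsewhere.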

Several companies, including Beyond Identity, Veriff, 1Kosmos and Jumio, have taken this type of approach. They rely on FIDO standards for biometrics, along with a highly secure method of identity proofing. Typically, they ask users to provide a document such as a driver's license or passport, which is securely stored in an app on the device. A selfie or face scan confirms that everything matches and authenticates the user.

For example, Veriff, which operates in 190 countries and 35 languages and supports 8,000 IDs, runs an online blockchain-based identity verification within seconds. It uses an AI-supported decision engine that incorporates real-time feedback from a document check, biometric scan, face comparison, background video, and device and network analysis. Financial institutions, healthcare providers and others using the technology can also reduce fraudulent account creation and other fraud.

“This creates a barrier that is much harder for an intelligent and determined bad actor to get around,” says Kalev Rundu, senior product manager at Veriff. “People today are much more willing to use biometrics for authentication, but they are only ready to do so if they get real value back and they can maintain control over how and where their data is used.”

Forward thinking

The transition to passwordless MFA and truly passwordless systems is still a slow march. For now, advanced authentication is more viable in the enterprise, which is a closed and controlled environment. Michael Engle, co-founder and CSO of passwordless MFA provider 1Kosmos, estimates that 80% of passwords can be eliminated almost instantly with the right strategy and tools.

For now, Omdia analysts Tait and Turner recommend migrating to passwordless MFA without delay. The framework not only delivers a better and more secure customer experience, but it can also drive revenue growth, they say. In addition, it is wise to phase in genuinely passwordless systems and build on them through the FIDO Alliance as well as through Apple's passkeys and the corresponding passwordless systems at Google and Microsoft.

Along the way, it is also important to educate customers and employees about passwordless authentication and make sure people understand that their biometric data is their gateway to apps and the Internet. The combination of better UX, incentives and more streamlined processes can, in the long run, increase security, improve trust and reduce security costs.

Says Jasson Casey, CTO of Beyond Identity: “Ultimately, the goal is not to remove passwords, even though it is a noble affair. It is to create better security and a more secure computing environment for everyone.”
