Beyond Passwords: Identity Access Management in the Digital Age


Introduction:

Passwords have long been used to confirm one's identity in the digital world. However, with the rise of cybercrime, phishing, and other security threats, the password has undergone significant changes to stand up to attackers. The initial response was to require complex passwords, because simple ones fall quickly to dictionary attacks. The password has evolved from 8 characters, to longer strings including alphanumeric and special characters, to two-factor authentication as an add-on, to finally becoming passwordless or obsolete. How effective is passwordless authentication? What are the challenges in biometric technology? Are there factors other than biometrics, part of the human identification or authentication process, that need to be considered while verifying one's identity?

Why Are Passwords Not Secure?

Research shows that there are two kinds of people when it comes to passwords: those who reuse the same username and password for every account, and those who have to remember too many usernames and passwords. Clearly, the password is not an efficient way to secure sensitive information for either kind of person. Passwords are a liability rather than a safeguard, since most cyber attacks aim to steal credentials through phishing, credential sniffing, and keylogging. Poor password practice makes it easier for attackers to reach sensitive data. Research confirms that most people reuse passwords, rotate them, or simply append a digit. Passwords fail for the following reasons:

  • They are not complex

  • They are not unique

  • They follow patterns

  • They are easy to crack

  • The user's password has already been leaked on the dark web, because it was exposed through attacks on any of a variety of public-facing systems

How about Multi-Factor Authentication or Single Sign-On?

Multi-factor authentication (2FA/MFA) adds a layer of security on top of the password by requiring the user to confirm it with something they know, have, or are. Acceptable credentials usually include a password or PIN (something one knows), a smartphone or token (something one has), or a fingerprint (something one is). For 2FA, credentials need to come from two sources: 1) the username and password, and 2) an authentication code sent to your mobile device. The idea behind 2FA is that even if attackers obtain your credentials, they will not have access to your phone. Is 2FA the solution for secure authentication? While more secure than a password by itself, 2FA is not foolproof, because:

  • 2FA does not address the core password problem. In addition to remembering the password, users now have to manage the additional layer of security.

  • With different applications using different forms of 2FA, users have to juggle several authentication methods (e.g., authenticator applications, SMS)

  • Sophisticated attackers can intercept or spoof 2FA codes and prompts

How about going Passwordless?

Because passwords have failed to fully protect sensitive data, industry leaders are exploring passwordless options for securing information. Passwordless authentication has the customer log into their account using a trusted device together with a PIN, fingerprint, or facial ID, and the backend server then authenticates the device's response. Passwordless authentication relies on a public/private key pair rather than a shared secret; once the backend verifies the response, the user is granted access to their account. Some passwordless technologies include:

Windows Hello for Business (WHfB): Introduced in 2015, WHfB provides passwordless authentication to Active Directory, Azure AD and standalone Windows machines. Out of the box WHfB supports face, iris and fingerprint recognition, and local PINs.

FIDO: The FIDO Alliance was founded in 2012 to create authentication standards that reduce the world's over-reliance on passwords. The FIDO Universal Authentication Framework (UAF) and the FIDO2 specifications provide a foundation for widespread adoption of passwordless authentication.

Phone-as-a-Token: Frequently used together with passwords to support multi-factor authentication (MFA), phone-as-a-token authentication has recently spread to passwordless scenarios. Mobile push and mobile OTP offer the best balance of trust and user experience.

Biometric Authentication: Biometric authentication uses unique biological or behavioral traits to corroborate users’ identities. Biometric authentication has been an alternative to passwords for many years, but historically adoption has been low.

Certificates and Smart Cards: PIN-protected and biometric-enabled smart cards are rated highly for the trust they provide. Smart card authentication is common in government and military applications and in regulated industries.
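The device-plus-key-pair exchange described above, written out as an added Go example. This is not code from the original post, from the FIDO Alliance, or from any vendor named here; it is a simplified model of the FIDO2-style challenge-response flow, not an implementation of the specification. The relying-party identifier login.example.gov, the look-alike login.example-gov.com, and the user alice are constructed values, and the local PIN/biometric gate is modelled as a simple unlock flag.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's trusted device (phone, security key,
// TPM-backed laptop). The private key is generated on the device and never
// leaves it; the PIN or biometric check is modelled as the unlocked flag.
type Authenticator struct {
	rpID     string // the site this credential was created for
	priv     *ecdsa.PrivateKey
	unlocked bool
}

// RelyingParty models the backend server. It stores only public keys, so a
// breach of its database gives an attacker nothing that can be replayed.
type RelyingParty struct {
	id      string
	pubKeys map[string]*ecdsa.PublicKey
	pending map[string][]byte // username -> outstanding one-time challenge
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{id: id, pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

func NewAuthenticator(rpID string) *Authenticator { return &Authenticator{rpID: rpID} }

// Unlock stands in for the local PIN or biometric gate on the device.
func (a *Authenticator) Unlock(ok bool) { a.unlocked = ok }

// Register creates a fresh P-256 key pair on the device and hands only the
// public half to the relying party (the enrollment step).
func (a *Authenticator) Register(rp *RelyingParty, user string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	a.priv = priv
	rp.pubKeys[user] = &priv.PublicKey
	return nil
}

// Challenge issues 32 random bytes that are valid for exactly one assertion.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	if _, ok := rp.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	rp.pending[user] = ch
	return ch, nil
}

// signedDigest binds the signature to the relying-party identifier as well as
// the challenge, so a response produced for a look-alike site cannot be
// forwarded to the real one. Both inputs are fixed-length (the id is hashed
// first), so no delimiter is needed between them.
func signedDigest(rpID string, challenge []byte) []byte {
	idHash := sha256.Sum256([]byte(rpID))
	h := sha256.New()
	h.Write(idHash[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// Assert signs the challenge only after the local user check has passed.
func (a *Authenticator) Assert(challenge []byte) ([]byte, error) {
	if !a.unlocked {
		return nil, errors.New("device locked: PIN or biometric check failed")
	}
	if a.priv == nil {
		return nil, errors.New("no credential registered")
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(a.rpID, challenge))
}

// Verify checks the assertion against the stored public key and consumes the
// challenge, so a captured signature cannot be replayed later.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	pub, haveKey := rp.pubKeys[user]
	ch, haveChallenge := rp.pending[user]
	if !haveKey || !haveChallenge {
		return false
	}
	delete(rp.pending, user)
	return ecdsa.VerifyASN1(pub, signedDigest(rp.id, ch), sig)
}

func main() {
	rp := NewRelyingParty("login.example.gov")
	dev := NewAuthenticator("login.example.gov")
	if err := dev.Register(rp, "alice"); err != nil {
		panic(err)
	}
	ch, _ := rp.Challenge("alice")
	dev.Unlock(true)
	sig, _ := dev.Assert(ch)
	fmt.Println("assertion accepted:", rp.Verify("alice", sig))
	fmt.Println("replay accepted:", rp.Verify("alice", sig))
}
```

Two properties matter for a defender here. The server never holds anything that can be phished or replayed (only public keys and single-use challenges), and the signature covers the site identifier, so a credential registered for the real site cannot be used to satisfy it from a look-alike domain, which is the property that separates this flow from the one-time codes of ordinary 2FA.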

There is a pivotal need for Identity and Access Management solutions now that "identity is the new perimeter." Organizations, businesses, contractors, and customers increasingly demand secure access from multiple platforms. With the threat landscape changing continuously, it is vital to ensure that only the right people gain access to valuable resources. Security experts must continuously investigate how and where passwordless technology can become part of their Identity and Access Management program.

Benefits of Passwordless Solutions

Here are some benefits of going passwordless.

  • Saves the user the effort of remembering passwords while reducing the risk of a data breach, by shifting the focus from the password to biometric, phone, security key, or smart card authentication.

  • Credential-theft attacks will diminish, since attackers would need far more complex techniques to breach data protected by passwordless solutions. Passwordless solutions are built on PKI, using a private/public key pair, which is more secure than a shared password.

As more users are connected to their mobile devices, passwords are becoming obsolete; passwordless login is becoming a more relevant and secure option. Please contact Makpar by sending an email to info@makpar.com if you want to discuss how to protect your agencies’ sensitive data by transitioning to a passwordless authentication solution.
