Friday, 22 January 2021 13:24

Moving towards a passwordless future

By Matthew Heap, Vice President, Digital Major Accounts, Australia and New Zealand, Entrust

GUEST OPINION: Reports suggest that cyber criminals have been more active than ever during the global pandemic, seeing the state of general upheaval as an opportunity to evolve and find new attack vectors.

Indeed, the months between April and June 2020 saw a 65 percent increase in cybersecurity incidents. While the dramatic rise to remote work has opened up new opportunities for flexibility and productivity for enterprises, the shift of work outside of enterprise-grade firewalls, logical access control and network security leaves both individuals and organisations exposed to greater risk.

One of the biggest risks continues to be the password. Bill Gates suggested over a decade ago that the password should become redundant. Yet the vast majority of digital assets still have their access controlled by passwords. Consider:

• 80% of hacking-related breaches that “leverage stolen and/or weak passwords” are caused by compromised passwords, per the 2019 Verizon Data Breach Incident Report
Google found that 65% of people reuse passwords across accounts.
• 2.7B email/password pairs were exposed in the Collection 1 breach alone – and that was just the start.
• In recent times, phishing for passwords is one of the primary ways that bad actors gain access for the purposes of planting ransomware.

People choose simple passwords they are likely to recall easily and use the same one across a multitude of devices and platforms. But this vulnerability suggests that the password needs to be replaced by a safer, more efficient solution for digital access.

The inherent vulnerability of the password approach

Beyond the obvious cost of data breaches, passwords are inefficient in other ways. Having unique passwords for every access need – changed regularly – is a security best practice, but a drain on productivity – whether due to the time and frustration of entering passwords across applications or devices, or delays for recovery of forgotten credentials.

Solutions for logical access control without passwords have been touted as safer and more convenient than the use of physical passwords. Biometrics, for example, might use fingerprint scans rather than relying on a user inputting a password. However, the scan still relies on a repository of passwords elsewhere in the system, with the biometric scan just replacing the physical part of entering the credential. It provides a gateway to unlock the password repository, which can still be breached and is therefore still a risk factor for enterprise security.

In fact, any solution that stores passwords in a central repository, and relies upon employees or individuals to enter their credentials into a machine to access and unlock a system, is inherently vulnerable. All it takes is one credential to become compromised, and the system is at risk. In a worst-case scenario, the central repository itself is compromised, and hundreds or even thousands of passwords are stolen – leaving a large group of employees, machines and systems vulnerable to cyberattack.

The future of workplace authentication

The solution to this vulnerability is to remove the main sources of risk, both the password itself and the central repository. Decentralising those credentials means that any attack can only take place through one narrow vector: the individual. Shoring up the human vulnerability is now possible through the use of single-sign-on (SSO) with passwordless authentication, which stores highly encrypted and secure credentials on an individual’s mobile device.

Passwordless with SSO works through the use of trusted digital identities, which are created by issuing a secure digital certificate that is stored securely on a user’s mobile device. Think of that as a secure digital ID card stored in encrypted format on a mobile device and unlocked with the user’s biometrics.

When an employee needs to unlock a device or system, they enter their biometric (fingerprint or facial match) and then their digital certificate ‘swaps’ credentials with that device via public key infrastructure (PKI) technology. This means that a secure set of digital keys are created, decoded and swapped between the two devices, ensuring that the user’s credentials are legitimate and that they are authorised to access the device or system they are attempting to unlock. This is all achieved without the use or exchange of passwords, removing that particular vulnerability altogether.

The resulting level of security is also coupled with a more frictionless experience, making the manifold daily transactions between an individual and their digital work tools faster and more efficient.

Between enhanced security, improved efficiency and greater physical safety, there are a lot of positives to take from an integrated passwordless and SSO solution. The cyber safety of an enterprise with a distributed workforce can be improved by adopting this next-generation technology, and moving beyond the outdated use of passwords for access control.

By Matthew Heap, Vice President, Digital Major Accounts, Australia and New Zealand, Entrust.


Subscribe to ITWIRE UPDATE Newsletter here

GRAND OPENING OF THE ITWIRE SHOP

The much awaited iTWire Shop is now open to our readers.

Visit the iTWire Shop, a leading destination for stylish accessories, gear & gadgets, lifestyle products and everyday portable office essentials, drones, zoom lenses for smartphones, software and online training.

PLUS Big Brands include: Apple, Lenovo, LG, Samsung, Sennheiser and many more.

Products available for any country.

We hope you enjoy and find value in the much anticipated iTWire Shop.

ENTER THE SHOP NOW!

INTRODUCING ITWIRE TV

iTWire TV offers a unique value to the Tech Sector by providing a range of video interviews, news, views and reviews, and also provides the opportunity for vendors to promote your company and your marketing messages.

We work with you to develop the message and conduct the interview or product review in a safe and collaborative way. Unlike other Tech YouTube channels, we create a story around your message and post that on the homepage of ITWire, linking to your message.

In addition, your interview post message can be displayed in up to 7 different post displays on our the iTWire.com site to drive traffic and readers to your video content and downloads. This can be a significant Lead Generation opportunity for your business.

We also provide 3 videos in one recording/sitting if you require so that you have a series of videos to promote to your customers. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.

See the latest in Tech News, Views, Interviews, Reviews, Product Promos and Events. Plus funny videos from our readers and customers.

SEE WHAT'S ON ITWIRE TV NOW!

BACK TO HOME PAGE
Share News tips for the iTWire Journalists? Your tip will be anonymous

WEBINARS ONLINE & ON-DEMAND

GUEST ARTICLES

VENDOR NEWS

Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News

Comments