From passwords to passkeys: A guide for enterprises



Passwords. We use them every day. We love them and hate them. We are constantly frustrated by them, forced to invent and remember the requisite string of upper- and lower-case letters, numbers and special characters.

Simply put, “passwords are weak and user-unfriendly,” said Gartner Senior Director Analyst Paul Rabinovich.

And they are the biggest security risk: 81% of hacking-related breaches involve the use of stolen and/or weak passwords.

68% recognize that passwords are the least secure method of security, and 94% are willing to take additional security measures to prove their identity. At the same time, more than half of us still use passwords regularly.


Whether it’s habit, reluctance to change or just plain indifference, passwords are ingrained, but experts say we need to break the habit. It is worth noting that many people in the security sector advocate passwordless authentication methods and passkeys, and some consider these the industry standard.

“Passkeys have made significant progress in the identity and security industry,” said Ralph Rodriguez, president and CPO at digital identity company Daon. “They are a more secure alternative to passwords, especially at a time when cyber threats are on the rise.”

Passkeys: Moving towards widespread adoption

Passkeys are a form of passwordless identity security built on FIDO2 authentication (a standard set by the FIDO Alliance, which is dedicated to reducing reliance on passwords). Industry giants including Apple, Microsoft and Google, together with the FIDO Alliance and the World Wide Web Consortium, have recently backed passkeys.

This authentication method uses cryptographic keys and stores credentials for multiple devices in the cloud, Rodriguez explained. Users associate a passkey with cloud-based credentials that are securely stored and encrypted on their smartphone.

“Passkeys eliminate the need for passwords, and enable secure and fast account authentication,” said Rodriguez. They can be integrated with existing applications and can significantly reduce the incidence of identity theft and phishing attempts.

Eventually, they will become the industry standard, Rodriguez predicts, and adoption by multinational corporations will help promote their widespread use.

“Enterprise use of passkeys, especially in industries responsible for financial and personal data, is a huge step in the right direction,” said Rodriguez.

But really, is this the end of passwords?

As passwordless authentication methods prompt users to adopt alternative credentials, Rabinovich said, they will further reduce, and possibly even eliminate, passwords.

Today, organizations can have multiple applications relying on passwords in the same directory. But as these applications transition to passwordless authentication, “one day the password may not be necessary,” he said.

If or when this point is reached, passwords can be completely disabled in a directory (today, only a few directories and identity services allow administrators to do this). In some cases, administrators can set passwords to a random and secure value that is not shared with the user, “effectively removing the password from the entire user experience,” Rabinovich said.

As he noted, creating and remembering a good password is hard (even harder if you have too many). Also, if you forget one or it gets compromised, you need to go through the password reset process. While many organizations use self-service password reset (SSPR), administrator-assisted password resets can be expensive: $15 to $70 per instance.

Still, all apps rely on passwords, and users “love to hate them,” Rabinovich said.

Therefore, new authentication methods and new processes for acquisition, registration, day-to-day authentication and account recovery must be carefully designed.

As with anything, there are pros and cons

Passkeys are a safer, faster alternative to passwords, and their ability to transfer credentials between devices makes account recovery faster and easier, Rodriguez said. For example, if a user loses their phone, they can recover the passkey and use it on another device.

“(Passkeys) can help consumers break the habit of using passwords when used with user experience (UX) in mind,” Rodriguez said.

However, he points out that they may not be appropriate for all business situations, or for government agencies that must follow National Institute of Standards and Technology (NIST) guidelines. This also applies to highly regulated industries, such as financial services, where compliance requirements vary by country or region.

Also, passkeys are not as robust as other FIDO standards, which use biometric authentication methods such as voice, touch and face recognition, Rodriguez said. Passkeys cannot be used for transactions with financial institutions due to Know Your Customer (KYC) standards implemented to protect financial institutions against fraud, corruption, money laundering and terrorist financing. They cannot establish users’ identities; if implemented for this purpose, they could increase synthetic fraud.

He said using passkeys alone for financial transactions could pose some risks, and additional biometric authentication should be considered.

Because regulators have yet to accept the use of a single passkey to meet the security standards required in highly regulated industries such as banking and insurance, at least for now passkeys must be combined with another authentication factor.

“The number of factors involved in approval is ultimately a decision made by the business or organization, but consumers and end users will have a say in the matter,” Rodriguez said.

Conclusion – Be everything, not everything

“Not all passwordless authentication methods are created equal,” Rabinovich acknowledged.

“All methods suffer from some security weaknesses,” he said.

For example, one-time passwords (OTPs) delivered via SMS and voice are not as secure as two-step or multifactor authentication (MFA), he said. Therefore, they should only be used in very low-risk applications.

Similarly, mobile push and local device authentication suffer from “push bombardment” or “push fatigue,” he pointed out. Bad actors can exploit this by triggering a flood of push prompts until the worn-down user eventually accepts one.

Also, while FIDO2 has very good security properties, it is phishing-resistant, for example, it doesn’t address ancillary processes like the security of user credential registration or account recovery rules. These may provide a weak link. Therefore FIDO, like all other authentication methods, must be carefully designed.
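The cryptographic-key mechanism described earlier and the phishing resistance noted here come from the same property: the browser writes the site’s origin into the data the passkey signs, so a signature produced on a look-alike site does not verify for the real one. The following is an added example and not code from the article, the FIDO Alliance or any vendor: a miniature relying-party check modelled on WebAuthn’s assertion verification (relying-party ID, origin and challenge names are constructed, and the challenge is a plain string where real WebAuthn uses base64url bytes). It registers an ECDSA P-256 passkey, accepts a genuine login, then rejects the same assertion replayed and an assertion signed for a different origin.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// ClientData mirrors the fields of WebAuthn's clientDataJSON that matter here.
// The browser, not the web page, fills in Origin, and the signature covers it.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // constructed: plain string, not base64url bytes
	Origin    string `json:"origin"`
}

// Assertion is what the authenticator returns from a login ceremony.
type Assertion struct {
	ClientDataJSON    []byte
	AuthenticatorData []byte // rpIdHash(32) || flags(1) || signCount(4)
	Signature         []byte // ASN.1 ECDSA over authData || SHA-256(clientDataJSON)
}

// RelyingParty is the server-side record kept per registered passkey.
type RelyingParty struct {
	ID        string // relying party ID, e.g. "bank.example" (constructed)
	Origin    string // expected browser origin, e.g. "https://bank.example"
	PublicKey *ecdsa.PublicKey
	SignCount uint32 // last counter seen, used to spot cloned authenticators
}

// Sign plays the authenticator: the private key never leaves it, only a signature does.
func Sign(priv *ecdsa.PrivateKey, rpID, origin, challenge string, counter uint32) (Assertion, error) {
	cd, err := json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData := make([]byte, 37)
	copy(authData[:32], rpHash[:])
	authData[32] = 0x01 // UP flag: user presence verified
	binary.BigEndian.PutUint32(authData[33:], counter)
	cdHash := sha256.Sum256(cd)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{ClientDataJSON: cd, AuthenticatorData: authData, Signature: sig}, nil
}

// Verify performs the relying-party checks in the order a server should.
func (rp *RelyingParty) Verify(a Assertion, expectedChallenge string) error {
	var cd ClientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin %q is not %q: phishing site or misconfiguration", cd.Origin, rp.Origin)
	}
	if len(a.AuthenticatorData) < 37 {
		return errors.New("authenticator data too short")
	}
	rpHash := sha256.Sum256([]byte(rp.ID))
	if !bytes.Equal(a.AuthenticatorData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if a.AuthenticatorData[32]&0x01 == 0 {
		return errors.New("user presence flag not set")
	}
	count := binary.BigEndian.Uint32(a.AuthenticatorData[33:37])
	if count != 0 && count <= rp.SignCount {
		return errors.New("signature counter did not increase: replay or cloned authenticator")
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, a.AuthenticatorData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(rp.PublicKey, digest[:], a.Signature) {
		return errors.New("signature does not verify")
	}
	rp.SignCount = count
	return nil
}

// RunScenario registers one passkey and tries three logins: a genuine one,
// the same assertion replayed, and one signed on a look-alike origin.
func RunScenario() (genuine, replayed, phished error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	rp := &RelyingParty{ID: "bank.example", Origin: "https://bank.example", PublicKey: &priv.PublicKey}

	challenge := "challenge-0001" // constructed; a server issues a fresh random value per login
	a1, _ := Sign(priv, rp.ID, rp.Origin, challenge, 1)
	genuine = rp.Verify(a1, challenge)
	replayed = rp.Verify(a1, challenge)

	// A look-alike site can relay the real challenge, but the browser records its own
	// origin in clientDataJSON. (In practice the browser would not even offer the
	// credential for a different RP ID; the rpIdHash is kept here so the origin check fails.)
	a2, _ := Sign(priv, rp.ID, "https://bank-example.invalid", "challenge-0002", 2)
	phished = rp.Verify(a2, "challenge-0002")
	return genuine, replayed, phished
}

func main() {
	g, r, p := RunScenario()
	fmt.Println("genuine:", g)
	fmt.Println("replayed:", r)
	fmt.Println("phished:", p)
}
```

What the check does not cover is exactly the gap the text names: nothing here governs how the public key got registered in the first place or what happens when the user loses the device, so registration and recovery flows need their own controls.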

Support for FIDO by authentication and access management vendors is nearly universal. Some current vendors generally limit themselves to FIDO2, but some — including Microsoft, Okta, RSA, and ForgeRock — support additional authentication methods. These include Magic Links (where users log into an account by clicking a link emailed to them instead of typing in their username and password) and biometric authentication.

A growing number of passwordless specialists, including 1Kosmos, Beyond Identity, HYPR, Secret Double Octopus, Trusona, Truu and Veridium, support many enterprise use cases.

FIDO2 is “very promising,” but its adoption has been hampered by the unavailability of smartphone-based roaming authenticators that let a smartphone serve as a companion device for users working on PCs. However, that will change with the introduction and standardization of passkeys, Rabinovich said.

A gradual passwordless evolution

Moving forward, some application architectures will facilitate passwordless authentication, as identity providers and authentication authorities already support it or soon will.

However, “for traditional password-based applications, it can be slow,” Rabinovich said. He pointed out that many new SaaS applications still require a password.

Ultimately, “it’s going to be a gradual process,” Rabinovich said, “because passwords are so entrenched.”
