Passwords are deeply ingrained in all aspects of our digital reality. In 2020, NordPass estimated that the average person had 70 to 80 passwords. And yet, password compromises and shared secrets remain the number-one cause of hacking-related breaches. Now, with the COVID-19 pandemic driving the rapid shift to remote work, coupled with the cybersecurity pressures following a slew of significant cyberattacks in 2020, the urgency to move away from passwords has never been greater.
Organizations are being forced to look closely at password authentication: to justify the costs associated with password support, to reevaluate the impact on user experience and, most importantly, to ask whether the password is truly doing what it is intended to do – protect the organization from an online attack. Most quickly realize that, no, passwords are antiquated, are a major cause of frustration and, ironically, are risk drivers.
Today, organizations are moving towards passwordless authentication, using advanced technologies such as biometric signatures, hardware tokens, cryptographic keys or PINs to verify users. In a recent report by LastPass, 92% of businesses believe passwordless authentication is the future. In May 2020, Microsoft said more than 150 million people were using passwordless login on Windows every month.
Despite questions around the future of the password, 85% of IT professionals surveyed do not think passwords are going away completely. Yet, over 92% believe that delivering a passwordless experience for end-users is the future for their organisation. The answer to the password predicament is simple: rather than eliminating passwords completely, change the way we interact with them. This is where passwordless authentication comes in.
One Passwordless Login, Many Identities
User authentication and identity have always been tightly coupled, but that’s rapidly changing. Users have numerous login methods to choose from, while their service providers struggle to maintain multiple identity stores. More than two-thirds (65%) of respondents already use or expect to have multiple identity providers in their organization. Identity fragmentation has been a pain point for businesses, and modern passwordless authentication presents an interoperable solution for simplifying the login experience. This observation fits well within the broader trend of organizations decoupling authentication from identity providers in an effort to reduce identity turmoil and MFA fatigue.
Smartphones and Standards
Seventy-three percent of respondents believe smartphones are the most convenient method of authentication, while a whopping 94% want to take a standards-based approach to eliminating passwords. Considering how many proprietary passwordless approaches are out there, it is encouraging to see the emphasis on interoperability. In early 2020, Apple joined category leaders such as Google, Microsoft, Samsung and Mastercard as Fast Identity Online (FIDO) board members. In doing so, Apple made passwordless authentication capabilities accessible to billions of iPhone users by implementing FIDO standards across its iOS and Safari ecosystems.
How would passwordless logins work?
A passwordless login experience means that while passwords may still exist in the IT infrastructure, the employee will not have to manually enter a password during login. It brings several benefits: reduced IT costs by eliminating password-related risks, increased productivity as employees no longer spend time remembering and/or changing passwords, and stronger security by guarding every access point with more secure forms of authentication. However, moving to a passwordless approach requires choosing and implementing the technology that fits your organisation’s needs. Some of the methods to choose from are:
- Implementing single sign-on (SSO) can help secure and simplify access management no matter where employees are located. Through a protocol – such as Security Assertion Markup Language (SAML) – SSO establishes a secure link between an identity provider and a service provider, that is, between where IT manages employees’ access information and the application users want to log into. SSO reduces the number of passwords employees must remember or update, boosting their productivity and minimising the risks associated with credentials.
- Enabling multi-factor authentication (MFA) provides IT teams with the tools to manage access at the individual user level, by defined group or even by job role. MFA considers a multitude of factors such as location, IP address or biometrics (Face ID) rather than only one factor – such as a password – before granting access to an application. By prompting a user for additional information when logging in, IT can be confident that the person requesting access is indeed who they say they are. It also streamlines the process for the end user, who gets a faster and easier login experience.
Enter behavioral biometrics, the authentication method that will make logging in more secure and efficient than ever. With behavioral biometrics, your password is no longer a what. It’s a how.
It’s the number of milliseconds between your keystrokes. The amount of pressure your fingers apply on the keyboard as you type. The geometry of the micromovements you make as you drag your mouse. The exact angle at which you hold your phone. The dozens of other identifying and quantifiable little patterns that you’ve developed throughout your life.
All calculated against your unique behavior profile established over a period of time. All done by an app in the background, without you having to do anything extra, like enter a set of numbers or pose for a face ID. Sounds like the future? You bet it does.
And so far, behavioral biometrics looks impossible to replicate. Which is what makes so many businesses and government institutions eager to adopt this new technology, especially in the banking and retail sectors.
Is behavioral biometrics secure?
So far, the short and simple answer is “yes.” And when it comes to the why, the magic buzzword is “dynamic.” As opposed to static authentication methods like passwords, retinas, or fingerprints, the many data points that make up your behavioral patterns are regularly updated to match your constantly evolving user profile. This means that whatever data attackers manage to steal from you will be instantly rendered obsolete because you never enter your password in a carbon-copy identical manner twice.
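To make the keystroke-timing idea concrete, here is an added example (not code from the article or from any product it mentions) of a minimal keystroke-dynamics verifier: it builds a per-digraph timing profile from enrollment samples, scores a new login by how far its inter-key intervals fall from that profile, and, on each accepted login, rolls the new sample into a sliding window and rebuilds the profile, which is the "dynamic" property described above. The sample timings, the 5 ms standard-deviation floor, the 2.0 z-score threshold and the window size are constructed assumptions; production systems use far more features and much larger windows.

```python
from statistics import mean, pstdev

# Constructed enrollment data: four times the genuine user types "pass".
# Each sample is a list of (key, key-down time in ms from the first key).
GENUINE_SAMPLES = [
    [("p", 0), ("a", 118), ("s", 215), ("s", 297)],
    [("p", 0), ("a", 125), ("s", 218), ("s", 300)],
    [("p", 0), ("a", 114), ("s", 212), ("s", 290)],
    [("p", 0), ("a", 121), ("s", 214), ("s", 295)],
]
NEW_GENUINE = [("p", 0), ("a", 120), ("s", 216), ("s", 296)]   # same user again
# Someone who knows the password but types it with a different rhythm (constructed).
IMPOSTOR = [("p", 0), ("a", 210), ("s", 370), ("s", 520)]

SD_FLOOR_MS = 5.0   # assumed: avoid division by a near-zero std dev

def digraph_intervals(sample):
    """Map each key pair (digraph) to the list of key-down-to-key-down intervals."""
    out = {}
    for (k1, t1), (k2, t2) in zip(sample, sample[1:]):
        out.setdefault(k1 + k2, []).append(t2 - t1)
    return out

def build_profile(samples):
    """Enrollment: per-digraph (mean, std dev) pooled over all given samples."""
    pooled = {}
    for s in samples:
        for dg, ivs in digraph_intervals(s).items():
            pooled.setdefault(dg, []).extend(ivs)
    return {dg: (mean(ivs), max(pstdev(ivs), SD_FLOOR_MS)) for dg, ivs in pooled.items()}

def score(profile, sample):
    """Mean absolute z-score of the sample's intervals against the profile (lower = closer)."""
    zs = []
    for dg, ivs in digraph_intervals(sample).items():
        if dg in profile:
            mu, sd = profile[dg]
            zs.extend(abs(iv - mu) / sd for iv in ivs)
    return mean(zs) if zs else float("inf")

def verify_and_update(profile, history, sample, threshold=2.0, window=10):
    """Accept if the sample is close enough; on accept, slide the window and
    rebuild the profile so it tracks the user's drifting typing rhythm."""
    if score(profile, sample) > threshold:
        return False, profile, history
    history = (history + [sample])[-window:]
    return True, build_profile(history), history
```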
Needless to say, all of your biometric data is also encrypted during both collection and verification, adding another layer of security to an already seemingly watertight authentication technique.
Is behavioral biometrics 100% impenetrable? Probably not. After all, two-factor authentication (2FA) and traditional biometrics were also hailed as bulletproof for years. And look how that turned out. With that said, behavioral biometrics has one undeniable advantage over other forms of multi-factor authentication: convenience. Everything’s done passively in the background, so there’s no need to break your routine in order to secure your authentication. And as we all know, convenience is usually the difference between actually embracing positive change and repeatedly putting it on your New Year’s resolutions list.
What the Future Holds for Identity Security
While the login/password credentialing system has its merits and will surely remain an option for years to come, it is gradually becoming obsolete. New technology is guaranteed to overtake this system, and will most likely consist of a combination of biometric and shared authentication methods. Additional multi-factor authentication may be involved, or be used in cases of possible identity theft, in order to produce multiple layers of security that are both resistant to attack and convenient for the user.
- Is the future of cybersecurity passwordless? – https://www.openaccessgovernment.org/passwordless/97090/
- Behavioral Biometrics – https://cybernews.com/editorial/you-are-your-password-why-behavioral-biometrics-is-the-future/
- What the Future Holds for Identity Security – https://pchservices.com/when-will-the-password-become-obsolete-and-what-will-follow-it