The evolution towards being able to operate without passwords is being driven by two factors: BYOD and standards.
Speaking on a Cisco webinar, advisory CISO J. Wolfgang Goerlich said while we have to wait for “robots and flying cars,” he could see a world with reduced reliance on passwords. He said the consumer typically drives the experience that they expect in the workplace, and consumerization has enabled users to become more familiar with the technology they use.
Goerlich also praised standards, in particular from the FIDO Alliance, on “what a good passwordless token looks like.” He said there is a lot of confidence in standards and development in strong factors, which are still paired with a password to make it easy for people to get in. “So in a passwordless world, they throw in a username and complete a secondary factor of authentication without having to enter a password, and then they don’t have to remember things or rotate things,” he said.
Citing Cisco statistics, Goerlich said the average user has 191 passwords, “so the ability to move off of those is something we’re very excited about.” He said the “pieces have come together” and CISOs are integrating a passwordless concept with their roadmaps.
Fellow advisory CISO for Cisco EMEA, Richard Archdeacon, agreed CISOs are beginning to look at passwordless as an option, and are looking to see if this can work at an enterprise level. “It achieves two ends: it improves your security; and it makes life easier for people, and if you can make life easier when you’re in a security team, that is a real plus,” he said.
Goerlich also made the point that CISOs often think about how to increase trust in passwordless authentication, and how fraud can be combated if passwords are no longer used. He recommended using targeted machine learning to enable logins, as well as zero trust strategies. He said: “I think there is a lot that has to be considered when we talk about the next step, making it scale to the enterprise and really how we secure that passwordless future.”
Wendy Nather, head of advisory CISOs, said what is making this possible is we have more secure enclaves on phones than before, and more trusted processing modules on laptops, “where cryptographic functions can be manipulated securely without any interference from the user or any attacker who might be on the laptop or the device.”
Nather said that using the FIDO standard, a “shared secret” can be created, which is a parent key, and used to authenticate to the phone using TouchID or FaceID, and the secure enclave would log you in, without the user having to do anything. “From my perspective I wouldn’t have to put in a password, I would just log into my phone with my fingerprint, and then the phone would do the rest. This is one way we are making passwordless a reality.”
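To make the mechanism the speakers describe concrete, here is an added example (not from the webinar, Cisco or the FIDO Alliance) written in Go. It models a FIDO-style passwordless login the way the FIDO2/WebAuthn standard specifies it: the authenticator (the phone's secure enclave) generates a key pair and keeps the private half, the relying party stores only the public half, and each login is a signature over a fresh challenge that the enclave produces only after the local biometric check. The relying-party name `example.test`, the `userOK` flag standing in for TouchID/FaceID, and the signed-data layout are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator models the phone's secure enclave: the private key is created
// inside it and never leaves; signing happens only after local user verification.
type Authenticator struct {
	rpID    string
	credID  []byte
	priv    ed25519.PrivateKey
	counter uint32
	userOK  bool // result of the biometric check (constructed stand-in for TouchID/FaceID)
}

// Credential is all the relying party keeps: the public key and the last counter seen.
type Credential struct {
	pub     ed25519.PublicKey
	counter uint32
}

// RelyingParty models the service being logged into (hypothetical id "example.test").
type RelyingParty struct {
	id    string
	creds map[string]*Credential
}

// Assertion is the login response; it carries a signature, never the private key.
type Assertion struct {
	credID    []byte
	counter   uint32
	signature []byte
}

// Register creates the key pair inside the authenticator and hands only the public key to the RP.
func Register(a *Authenticator, rp *RelyingParty) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	a.credID = make([]byte, 16)
	if _, err := rand.Read(a.credID); err != nil {
		return err
	}
	a.rpID, a.priv = rp.id, priv
	rp.creds[string(a.credID)] = &Credential{pub: pub}
	return nil
}

// signedData binds the signature to the RP id, the counter and this challenge,
// so a captured assertion cannot be replayed later or used against another site.
func signedData(rpID string, counter uint32, challenge []byte) []byte {
	buf := append([]byte(rpID), 0)
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	buf = append(buf, c[:]...)
	return append(buf, challenge...)
}

// Assert signs the RP's challenge, but only after user verification and only for the RP it was registered with.
func (a *Authenticator) Assert(rpID string, challenge []byte) (*Assertion, error) {
	if !a.userOK {
		return nil, errors.New("user verification failed")
	}
	if rpID != a.rpID {
		return nil, errors.New("credential is bound to a different relying party")
	}
	a.counter++
	sig := ed25519.Sign(a.priv, signedData(rpID, a.counter, challenge))
	return &Assertion{credID: a.credID, counter: a.counter, signature: sig}, nil
}

// NewChallenge issues the per-login random challenge.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err) // no usable randomness: refuse to issue a challenge
	}
	return c
}

// Verify checks the signature against the stored public key and rejects a
// counter that did not advance, which indicates a replayed or cloned authenticator.
func (rp *RelyingParty) Verify(challenge []byte, as *Assertion) error {
	cred, ok := rp.creds[string(as.credID)]
	if !ok {
		return errors.New("unknown credential")
	}
	if as.counter <= cred.counter {
		return errors.New("signature counter did not advance: possible replay or clone")
	}
	if !ed25519.Verify(cred.pub, signedData(rp.id, as.counter, challenge), as.signature) {
		return errors.New("bad signature")
	}
	cred.counter = as.counter
	return nil
}

// Login runs one complete passwordless login: challenge, local verification, signature, check.
func Login(a *Authenticator, rp *RelyingParty) error {
	ch := rp.NewChallenge()
	as, err := a.Assert(rp.id, ch)
	if err != nil {
		return err
	}
	return rp.Verify(ch, as)
}

func main() {
	rp := &RelyingParty{id: "example.test", creds: map[string]*Credential{}}
	a := &Authenticator{userOK: true}
	if err := Register(a, rp); err != nil {
		panic(err)
	}
	fmt.Println("login with biometric check:", Login(a, rp))
	a.userOK = false
	fmt.Println("login without biometric check:", Login(a, rp))
}
```

The point the example makes is that nothing password-like is ever stored or sent: the relying party holds a public key that is useless to an attacker who steals the database, the private key stays inside the enclave, and the challenge plus signature counter give the server a way to detect replayed logins.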