Passwordless authentication “is an aspiration and not necessarily a destination,” said David Mahdi, senior director analyst at Gartner, during the Gartner Security and Risk Virtual Summit. This is because many organizations still rely on legacy technology that does not necessarily support passwordless authentication.
Nevertheless, a gradual move in this direction as new technologies like SaaS-based applications are rolled out is something organizations should be looking at in order to reduce the risk of breaches. Mahdi noted: “Bad actors keep going after passwords and it continues to be problematic,” adding that “in breach after breach, identity is being leveraged as one of the main surfaces to get in and target a vulnerability, or conduct attacks like phishing.”
The poor usability often associated with traditional passwords also “leads users to cut corners,” according to Mahdi.
So what alternatives should organizations look to introduce that offer greater usability and security?
In regard to single-factor options, Mahdi outlined the importance of ensuring such methods provide the same flexibility as usernames and passwords, which can be used on any device. One important method in this category is tokens: these include QR code scans via a mobile app, out-of-band SMS and FIDO2 security keys. “These tokens are handy in that they are portable, so whether it’s contactless or the right USB interface, I can interface to the multiple devices I have and under the hood it’s using public key cryptography to achieve that authentication and security,” explained Mahdi.
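As an added illustration of the “public key cryptography under the hood” Mahdi describes (example code, not from the talk or this article): a minimal FIDO2-style challenge-response in Go. The names Token, Credential, Register, Sign and Verify and the origins login.example.com and login.example-com.test are assumed for the example; the point it shows is that the server stores only a public key and that the signature is bound to the origin the client actually sees, which is what lets such tokens resist the phishing the article mentions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Credential is all the server keeps: the relying-party id the key was
// registered for and the public key. The private key stays in the token.
type Credential struct {
	RPID   string
	Public *ecdsa.PublicKey
}
type Token struct{ priv *ecdsa.PrivateKey } // simulated FIDO2-style authenticator

func NewToken() (*Token, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Token{priv: k}, nil
}

// Register hands the server only the public half, bound to rpID.
func (t *Token) Register(rpID string) Credential {
	return Credential{RPID: rpID, Public: &t.priv.PublicKey}
}

// NewChallenge is a fresh server nonce, so a captured assertion cannot be replayed.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// digest binds the challenge to the origin: a token used on a look-alike
// site signs that site's origin, and the real server rejects the result.
func digest(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return h[:]
}

// Sign runs on the token side over the origin the client sees; Verify is the
// server check against the stored RPID and the challenge it issued.
func (t *Token) Sign(seenOrigin string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, t.priv, digest(seenOrigin, challenge))
}
func Verify(c Credential, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(c.Public, digest(c.RPID, challenge), sig)
}
```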
Biometric authentication technology has grown in significance over recent years, ranging from face to voice and retina scanning. Mahdi highlighted that attempts are ongoing to enhance the convenience of this form of authentication further, such as ensuring it can work even when part of your face is covered. “Certainly biometric methods have really increased and they’re quite ubiquitous,” he added. “They will help in that fight against passwords – they really are an enabling mechanism.”
There are also a number of multi-factor authentication (MFA) options that organizations should be considering, which are particularly secure while still providing usability. A major type is PIN-protected and biometric-enabled smart cards, often used across highly sensitive organizations like government departments. “These cards really bring together what you have, because of the card, what you know, because of the PIN, and sometimes you can have biometrics tied in, so what you are as well,” said Mahdi.
Finally, Mahdi discussed zero-factor alternatives, which are based on multiple recognition signals that people use such as geo-location, instead of requesting that a user actively does something. He commented: “These can be really passive and can help in balancing usability and security.”
While not impenetrable, Mahdi believes these passwordless forms of authentication have the potential to substantially enhance security and productivity in organizations in the future. “If employees can access their services faster with higher security, it means they’ll be able to access more content, more services and do it in a very effective and seamless way,” he concluded.