Passwordless authentication could cure user verification ills
Connecting state and local government leaders
As compromised and weak passwords continue to create major, ongoing vulnerabilities, organizations are looking at FIDO-based login options.
Easy-to-guess and mismanaged passwords are still at the heart of many security issues government agencies face, and it may be time they consider passwordless authentication.
Experts warn that adopting the technology can be expensive and may face resistance among employees who rely on traditional login options, but it may offer the most secure login alternative.
The idea of going passwordless, using either biometric scans of a person’s face or fingerprint or a physical token like a smart key or card to access IT systems, is nothing new. For years consultants have said that the technology is evolving in such a way to make passwords “obsolete.” But there is a renewed sense of urgency among many, especially those who see compromised and weak passwords as one of the major, ongoing vulnerabilities for public and private sector organizations.
“Every single major breach you still hear about, I can guarantee starts with compromised credentials,” said Dean Scontras, vice president of state and local government and education at identity management firm Okta. “It seems like a really easy fix …[but] I think until we get that lowest common denominator fixed, as they call it, then we’ve got to keep talking about it.”
One factor behind the growing momentum for passwordless authentication is the standardization of security protocols led by members of the Fast Identity Online (FIDO) Alliance, which promotes free and open authentication standards that are less reliant on passwords. The group counts some of the world’s biggest technology companies as well as financial firms and telecommunications companies among its members.
FIDO’s protocols use standard cryptography techniques to pair a user’s device with public and private keys, with the user only able to unlock access to a device by, among other methods, swiping a finger, entering a PIN number or inserting a card or token for second-factor authentication. The alliance said its protocol protects user privacy by not letting biometric information leave the device, while the protocol does not provide information that could be used to track users.
Now in its second iteration, FIDO standards show that passwordless authentication is gathering momentum, observers say. Fran Rosch, CEO of digital identity management company ForgeRock, said the integration of FIDO in cell phones by the largest tech companies in the world shows that the technology has “crossed the chasm” into wider acceptance.
“We as consumers have gotten more and more comfortable with using biometrics to unlock our phone or to unlock our bank account,” Rosch said. “Technologically, while that capability has existed for several years now, it's really been unlocked through the adoption of these open standards. That's why we're seeing people really move to this now.”
Despite the advantages, changing an organization’s culture to accept new authentication processes could be challenging, especially for employees accustomed to usernames and passwords.
Sam Rehman, chief information security officer at software company EPAM Systems, said organizations could “soft launch” passwordless identity management, much like they did with transitioning users to multifactor authentication, even as some “kick and scream” about it, he said.
Beyond the culture change required for going passwordless, others noted that it may not be the right path to pursue. In an email, Nelson Cicchitto, chairman and CEO at identity management software company Avatier, said that if enterprises rely on several vendor cloud providers, it “may not be practical” to ask them all to switch to passwordless if they currently use standard credentials.
Rosch said it can also be difficult for organizations that rely on legacy technology and applications written decades ago. He gave the example of a banking customer, whose tellers had to interact with 25 different applications to complete the various tasks associated with their jobs, with all those applications needing separate login credentials. Passwordless solutions must integrate with all those applications, which Rosch said is a “productivity improvement” but a big lift.
The move to passwordless, as with the shift to MFA, should be viewed as an ongoing “journey” or “movement” to protect users’ identities and to keep organizations secure, Rehman said, Given the intensifying cybersecurity threats, he said passwordless authentication is not a “silver bullet” but can help make security more “robust” for at least the next decade.