Passwordless security gains ground


Government mandates on passwords and shifting authentication policy could accelerate the adoption of smartphone-enabled passkeys.

As state and local agencies look to limit compromised and weak passwords and improve identity management, some are considering passkeys, which take advantage of the security features built into smartphones for authentication.

The passwordless technology lets users access sites or systems with a fingerprint, a face scan or the PIN on their phone’s screen lock as a login credential. This type of multifactor authentication is also phishing resistant, making it more secure than methods like sending one-time SMS codes.

In what it called the “beginning of the end of the password,” Google last month began rolling out its own passkeys, an effort that could help agencies go passwordless and embrace a “zero trust” approach with layers of authentication required.

Google’s move could create a “positive snowball effect” away from passwords, said Andrew Shikiar, executive director of the FIDO Alliance, which works to develop open authentication standards.

The Biden administration’s 2021 executive order on cybersecurity suggested a shift is already afoot in federal policy around passkeys and authentication methods. Previously, federal agencies were mandated to only use PIV or CAC smart cards for multifactor authentication, but the executive order widened the scope and allowed the use of any phishing-resistant MFA.

“The good news is we're seeing government-driven mandates for government utilization of multifactor authentication, including passwordless authentication,” he added. And while those mandates are federal right now, Shikiar said it is inevitable that states will follow suit.

It might not be an easy transition to passwordless, however. Shikiar acknowledged that there must also be a culture shift around passwordless security, especially among long-tenured government employees who may be reluctant to embrace change. “Some people, they're going to make you pry their passwords from their cold dead hands,” he said.

One way to make agency employees more comfortable using passkeys is to ensure user experience is as easy and optimal as possible, Shikiar said. He pointed to the FIDO Alliance’s recent guidelines on user experience for passkeys, which urged organizations of all sizes to direct users to default security and privacy settings to manage new sign-in options. 

FIDO said organizations should encourage users to actively manage their account settings and sign-in options, help them compare what alternatives are available, educate them on the entire process and ensure it is as smooth as possible.

Shikiar said while it may be a little more difficult or time-consuming to get people to enroll for a passkey rather than set up a standard password, once they are up and running, they prefer it.

“What we found is that once people have enrolled through a passkey, their signup success rate is super high, and their satisfaction is very high,” he said. “It's one of the things that people need to try and experience to then want it.”

Others are not so sure a transition to fully passwordless authentication is possible, even though it has been discussed for nearly a decade. PricewaterhouseCoopers said in a recent report that going completely passwordless is “likely, not feasible,” adding that progress is often stalled when organizations use authentication tools that are incompatible with their operating systems or devices.

A recent report indicated that an intermediate step towards going passwordless—embracing multifactor authentication—is catching on, but plenty of work lies ahead. Identity management company Okta found that MFA adoption continues to climb, and that as of January, nearly two-thirds of users and 90% of administrators across the economy authenticated their identities with MFA.

Adoption jumped at the start of the Covid-19 pandemic and has risen steadily since. Shikiar said that indicates that the pandemic “took everyone's five-year digital transformation plans and compacted them into five months.”

Sean Frazier, federal chief security officer at Okta, said that the figures show that MFA has “reached the lexicon of the public” and that the majority understands why it is necessary and the risks inherent in not enabling it.

But there is work ahead for the government sector, which only has 48% adoption of multifactor authentication, far behind the technology sector, which leads the way at 87%. Shikiar said government agencies may be “less emboldened” than the private sector, hence their lower adoption rate. But he noted that a shift to passwordless would also represent a shift in mindset among government agencies, away from putting “Band-Aids on passwords through MFA mandates.”

Frazier said it would also mark a shift away from governments “over relying” on passwords.

Given how quickly online identity and the tech that underpins it are evolving, governments and their contractors must keep their eye on the horizon, said Matt Keller, vice president of federal services at cybersecurity company GuidePoint Security. “What you're deploying today from an identity perspective might not be the right identity solution in five years,” he said.
