Needless to say, having too many passwords for different systems can be a major headache. That’s why the world of identity management is increasingly moving towards a “password-less” paradigm. This article takes a closer look.
What can you say about passwords? The old adage “can’t live with them, can’t live without them” certainly applies. Nowadays it seems every device, service or application needs a password to log in, and some systems also make the user change that password on a schedule. For many users this has become quite burdensome.
“One of the biggest challenges facing users is managing their passwords and credentials. Most people have numerous different usernames and passwords for different systems – and system admins often enforce policies that force users to reset their passwords periodically. This is best practice to keep systems secure, but it does also increase the likelihood of users forgetting their password to access systems. As a result, some users take the precaution of writing passwords down – whether that is on a post-it note hidden in the vicinity of their desk or in a diary/notebook – but this information remains vulnerable to intruders,” said Ketan Pyne, Identity and Access Management Expert at Thales.
He added: “Identity management solutions help to address this by integrating with existing authentication methods (such as Active Directory, LDAP and applications used across the organization) and enabling Single Sign On (SSO). This reduces credentials sprawl, but potentially increases opportunities for unauthorized users to access systems illegally using compromised credentials.”
Shift to password-less ‘profound’
Going password-less, then, is an increasingly feasible and viable solution to the password dilemma. “(Password-less authentication) is a rising trend, focusing on biometrics, tokens, and mobile credentialing and access. At AlertEnterprise, we see this as a critical step towards enhanced security, minimizing the vulnerabilities associated with password-based systems,” said Willem Ryan, Senior VP for Marketing and Communications at AlertEnterprise.
“It is encouraging to know that in the world of physical access control, the shift towards password-less authentication has been very profound and prominent,” said Alex Tan, Regional Sales Head for ASEAN at IDEMIA. “The days of authentication using just a PIN are numbered and disappearing fast – a trend that started 10-20 years back. They have been widely replaced by more secure and easier-to-manage technology like access cards, and are now moving towards the biometrics front.”
How password-less works
There are different ways password-less solutions can work. “Typically, the mechanism on password-less systems is as follows: an authentication request is sent from the endpoint device, the server sends an authentication challenge, the signed challenge is sent to the server, and the authentication is completed. When the signed challenge is sent from the endpoint device to the server, this may be in the form of biometric authentication such as a face/fingerprint/finger vein scan or through the use of a smart card or security key,” Pyne said.
“Password-less authentication is provided based on a unique characteristic owned by the identity or asset and can be verified to be unique per request or session. This can be implemented using biometric technology or passkeys that are securely stored or rotated via an encryption key that can only be decoded by the system when access is requested. The most common implementation model for this type of solution is FIDO2, which provides a secure workflow for authentication using a variety of trusted identity verification methods,” said Morey Haber, Chief Security Officer at BeyondTrust.
Pyne also mentioned that passkeys were another phishing-resistant replacement for passwords. “There are two primary types: synced and device-bound. Synced passkeys can be used on multiple devices without re-enrolling each device. Since 2022, Apple, Google, and Microsoft have been rolling out support for synced passkeys across their various Operating Systems (OSes),” he said.
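The four-step exchange Pyne describes (request, challenge, signed challenge, completion) and the FIDO2 model Haber refers to both come down to public-key challenge-response: the authenticator holds a private key that never leaves the device, the server stores only the matching public key from enrolment, and each login signs a fresh server-chosen nonce. The following Go program is an added example written for this article; it is not code from the article or from any vendor quoted in it. The `Server` and `Authenticator` types and all function names are hypothetical, and the signed data is simplified to SHA-256(rpID || challenge) rather than the real WebAuthn `authenticatorData || SHA-256(clientDataJSON)` structure. It shows the three server-side checks a practitioner should care about: the challenge must be one the server actually issued, it is consumed on first use so a captured assertion cannot be replayed, and the relying-party identifier is bound into what is signed, so a key enrolled for one site cannot answer a challenge for another.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator stands in for a security key or platform authenticator
// (hypothetical type for this example). The private key is generated on
// the device and never leaves it; the server only ever sees the public key
// once, at registration, and signatures thereafter.
type Authenticator struct {
	rpID string // relying-party identifier the key was created for
	priv *ecdsa.PrivateKey
}

// Server stands in for the relying party. It keeps one public key per user
// and the set of challenges it has issued but not yet consumed.
type Server struct {
	rpID    string
	pubKeys map[string]*ecdsa.PublicKey
	pending map[string]bool // hex(challenge) -> still outstanding
}

func NewServer(rpID string) *Server {
	return &Server{rpID: rpID, pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string]bool{}}
}

// NewAuthenticator creates a device-bound P-256 key scoped to one RP ID.
func NewAuthenticator(rpID string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{rpID: rpID, priv: priv}, nil
}

// Register stores the authenticator's public key under the user name.
func (s *Server) Register(user string, a *Authenticator) {
	s.pubKeys[user] = &a.priv.PublicKey
}

// Challenge issues a fresh random 32-byte nonce and remembers it.
func (s *Server) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[hex.EncodeToString(c)] = true
	return c, nil
}

// signedData is what the authenticator signs. Hashing the RP ID together
// with the challenge is a simplified stand-in for WebAuthn's rpIdHash in
// authenticatorData: a key enrolled at one site cannot produce a valid
// assertion for another, which is where the phishing resistance comes from.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign answers a challenge with a DER-encoded ECDSA signature.
func (a *Authenticator) Sign(challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, signedData(a.rpID, challenge))
}

// Verify completes the login. The challenge must be one this server issued
// and not yet used; it is burnt before verification so a failed attempt
// cannot be retried against the same nonce.
func (s *Server) Verify(user string, challenge, sig []byte) error {
	key := hex.EncodeToString(challenge)
	if !s.pending[key] {
		return errors.New("unknown or already-used challenge")
	}
	delete(s.pending, key)
	pub, ok := s.pubKeys[user]
	if !ok {
		return errors.New("no credential registered for user")
	}
	if !ecdsa.VerifyASN1(pub, signedData(s.rpID, challenge), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	srv := NewServer("login.example")
	key, _ := NewAuthenticator("login.example")
	srv.Register("alice", key)

	ch, _ := srv.Challenge()
	sig, _ := key.Sign(ch)
	fmt.Println("first use:", srv.Verify("alice", ch, sig)) // <nil>
	fmt.Println("replay:   ", srv.Verify("alice", ch, sig)) // challenge already used
}
```

The synced passkeys Pyne mentions change only where the private key lives (it is backed up through the platform's account rather than confined to one device); the server-side verification above is the same for both kinds.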
Multifactor authentication
Passwords are the “what you know” factor for authentication. In the realm of access control there are other factors beyond “what you know”: “what you have” (a token, smart card or phone) and “what you are” (a biometric). They may be used alone or in combination; requiring two or more different factors is multifactor authentication, which adds an extra layer of security.
“Multifactor authentication is based on the premise of something you know like a password and something you have like a key fob or mobile phone. It is a two-step (could be more) authentication method that typically requires the ‘something you have’ to have a dynamic response that cannot be guessed, copied, or forged during the process. Modern methods use authenticator applications or leverage FIDO2 while older more insecure methods may use SMS text messages or application push notifications that could lead to spoofing or MFA fatigue attacks,” Haber said.
“The addition of multifactor authentication (MFA) to identity management solutions means that organizations can additionally verify the user with something they already have. This may have been provisioned when they joined the organization – for example a company mobile phone with an app such as MobilePASS+ or Microsoft or Google Authenticator,” Pyne said.
And, who knows, maybe one day identity management will be so secure that even multifactor authentication is no longer needed. “Multifactor and multi-modal will continue to be a best practice in most cases, but as the identification accuracy becomes better and better every time through better and more advanced AI engines and algorithms, the need for multifactor authentication for certain use cases, that is, access control into offices, will diminish over time as trust solidifies and takes center stage,” Tan said.