https://www.asmag.com/showpost/35347.aspx

Identity management: Going password-LESS

Needless to say, having too many passwords for different systems can be a major headache. That’s why the world of identity management is increasingly moving towards a “password-less” paradigm. This article takes a closer look.
 
What can you say about passwords? The old adage “can’t live with them, can’t live without them” certainly applies. Nowadays it seems every device, service or application needs a password to log in, and some systems even ask the user to change passwords repeatedly. For many, this has become quite a burden.
 
“One of the biggest challenges facing users is managing their passwords and credentials. Most people have numerous different usernames and passwords for different systems – and system admins often enforce policies that force users to reset their passwords periodically. This is best practice to keep systems secure, but it does also increase the likelihood of users forgetting their password to access systems. As a result, some users take the precaution of writing passwords down – whether that is on a post-it note hidden in the vicinity of their desk or in a diary/notebook – but this information remains vulnerable to intruders,” said Ketan Pyne, Identity and Access Management Expert at Thales.
 
He added: “Identity management solutions help to address this by integrating with existing authentication methods (such as Active Directory, LDAP and applications used across the organization) and enabling Single Sign On (SSO). This reduces credentials sprawl, but potentially increases opportunities for unauthorized users to access systems illegally using compromised credentials.”
 

Shift to password-less ‘profound’

 
Going password-less, then, is an increasingly feasible and viable solution to the password dilemma. “(Password-less authentication) is a rising trend, focusing on biometrics, tokens, and mobile credentialing and access. At AlertEnterprise, we see this as a critical step towards enhanced security, minimizing the vulnerabilities associated with password-based systems,” said Willem Ryan, Senior VP for Marketing and Communications at AlertEnterprise.
 

How password-less works

 
There are different ways password-less solutions can work. “Typically, the mechanism on password-less systems is as follows: an authentication request is sent from the endpoint device, the server sends an authentication challenge, the signed challenge is sent to the server, and the authentication is completed. When the signed challenge is sent from the endpoint device to the server, this may be in the form of biometric authentication such as face/fingerprint/finger vein scan or through the use of a smart card or security key,” Pyne said.
 
“Password-less authentication is provided based on a unique characteristic owned by the identity or asset and can be verified to be unique per request or session. This can be implemented using biometric technology or passkeys that are securely stored or rotated via an encryption key that can only be decoded by the system when access is requested. The most common implementation model for this type of solution is FIDO2 and provides a secure workflow for authentication using a variety of trusted identity verification methods,” said Morey Haber, Chief Security Officer at BeyondTrust.
 
Pyne also mentioned that passkeys were another phishing-resistant replacement for passwords. “There are two primary types: synced and device-bound. Synced passkeys can be used on multiple devices without re-enrolling each device. Since 2022, Apple, Google, and Microsoft have been rolling out support for synced passkeys across their various Operating Systems (OSes),” he said.
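The request, challenge, signed-challenge, verification sequence Pyne describes, and the phishing resistance that Haber and Pyne attribute to FIDO2 and passkeys, can be shown end to end in a small model. The following Go program is an added example written for this article; it is not code from Thales, BeyondTrust, AlertEnterprise or the FIDO Alliance, and it simplifies the real protocol: it uses Ed25519 signatures over a hash of the challenge and origin in place of WebAuthn's actual message formats, and the type and function names (RelyingParty, Challenge, Sign, Verify, RunScenario) and the sample origin and credential ID are assumptions. It demonstrates why the server stores no password-equivalent secret, why a challenge is single-use and short-lived, and why an assertion signed for a look-alike origin is rejected by the genuine server.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// pending ties an outstanding challenge to the credential and origin it was issued for.
type pending struct {
	credID, origin string
	expires        time.Time
}

// RelyingParty is the server side: request -> challenge -> signed challenge -> verification.
// It stores only public keys, so a database leak yields nothing reusable as a credential.
type RelyingParty struct {
	keys     map[string]ed25519.PublicKey // credential ID -> public key
	pending  map[string]pending           // challenge bytes -> issuance details
	lifetime time.Duration
}

func NewRelyingParty(lifetime time.Duration) *RelyingParty {
	return &RelyingParty{keys: map[string]ed25519.PublicKey{}, pending: map[string]pending{}, lifetime: lifetime}
}

// Register records a credential's public key at enrolment.
func (rp *RelyingParty) Register(credID string, pub ed25519.PublicKey) { rp.keys[credID] = pub }

// Challenge issues a fresh 32-byte random nonce for one login attempt.
func (rp *RelyingParty) Challenge(credID, origin string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // a crypto/rand failure is not something to continue past
	}
	rp.pending[string(nonce)] = pending{credID, origin, time.Now().Add(rp.lifetime)}
	return nonce
}

// assertionMessage is what the authenticator signs: H(challenge || origin). Binding the
// origin is the phishing resistance: a signature for a look-alike origin fails for the real one.
func assertionMessage(challenge []byte, origin string) []byte {
	h := sha256.New()
	h.Write(challenge)
	h.Write([]byte(origin))
	return h.Sum(nil)
}

// Sign is the endpoint side (security key, platform authenticator, passkey): the private
// key stays on the device and signs for the origin the client actually sees.
func Sign(priv ed25519.PrivateKey, challenge []byte, origin string) []byte {
	return ed25519.Sign(priv, assertionMessage(challenge, origin))
}

// Verify completes the login; each check closes one failure mode: replay, expiry,
// a challenge issued to another credential, and a wrong (spoofed) origin.
func (rp *RelyingParty) Verify(credID string, challenge, sig []byte) error {
	p, ok := rp.pending[string(challenge)]
	if !ok {
		return errors.New("unknown or already-used challenge")
	}
	delete(rp.pending, string(challenge)) // single use, even if a later check fails
	pub, known := rp.keys[credID]
	switch {
	case time.Now().After(p.expires):
		return errors.New("challenge expired")
	case !known || p.credID != credID:
		return errors.New("challenge was not issued for this credential")
	case !ed25519.Verify(pub, assertionMessage(challenge, p.origin), sig):
		return errors.New("signature does not verify for the expected origin")
	}
	return nil
}

// RunScenario runs a genuine login, a replay of the same assertion and an assertion
// signed for a spoofed origin, and reports the three outcomes.
func RunScenario() (loginOK, replayRejected, phishRejected bool) {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	rp := NewRelyingParty(2 * time.Minute)
	rp.Register("cred-1", pub)                  // constructed sample credential ID
	const origin = "https://login.example.com" // constructed sample origin
	ch := rp.Challenge("cred-1", origin)
	sig := Sign(priv, ch, origin)
	loginOK = rp.Verify("cred-1", ch, sig) == nil
	replayRejected = rp.Verify("cred-1", ch, sig) != nil
	// The user was lured to a look-alike host: the authenticator signs for that origin,
	// and the genuine server refuses the result even though the key is legitimate.
	ch2 := rp.Challenge("cred-1", origin)
	phishRejected = rp.Verify("cred-1", ch2, Sign(priv, ch2, "https://login-example.com")) != nil
	return
}

func main() { fmt.Println(RunScenario()) }
```

Running it prints `true true true`: the genuine assertion is accepted, the replayed one is refused because the challenge was consumed, and the spoofed-origin assertion is refused because the origin is part of what was signed. A real deployment would also track the authenticator's signature counter and the credential's attestation, which this model leaves out.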
 

Multifactor authentication

 
Passwords are the “what you know” factor in authentication. In the realm of access control there are other factors beyond “what you know”: “what you have” and “what you are.” They may be used alone or in combination, a concept known as multifactor authentication, which adds an extra layer of security.
 
“Multifactor authentication is based on the premise of something you know like a password and something you have like a key fob or mobile phone. It is a two-step (could be more) authentication method that typically requires the ‘something you have’ to have a dynamic response that cannot be guessed, copied, or forged during the process. Modern methods use authenticator applications or leverage FIDO2, while older, more insecure methods may use SMS text messages or application push notifications that could lead to spoofing or MFA fatigue attacks,” Haber said.
 
“The addition of multifactor authentication (MFA) to identity management solutions means that organizations can additionally verify the user with something they already have. This may have been provisioned when they joined the organization – for example a company mobile phone with an app such as MobilePASS+ or Microsoft or Google Authenticator,” Pyne said.
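The “dynamic response that cannot be guessed, copied, or forged” Haber mentions, and the authenticator apps Pyne names, both rest on time-based one-time passwords (RFC 6238 TOTP, built on RFC 4226 HOTP). The Go program below is an added example, not code from Thales, Microsoft, Google or any authenticator app: it generates a code from a shared seed and the clock, then verifies it server-side with a small clock-skew window, a constant-time comparison and a record of the last accepted time step so that a code which has been used (or captured) cannot be replayed. The 30-second step and 6-digit length are the usual defaults, the names HOTP, TOTP, Verifier and NewVerifier are assumptions, and the seed is the published RFC 6238 test vector, not a secret to reuse.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// HOTP computes the RFC 4226 code for a counter: HMAC-SHA1 over the big-endian
// counter, dynamic truncation to 31 bits, then the last `digits` decimal digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := uint32(sum[offset]&0x7f)<<24 | uint32(sum[offset+1])<<16 | uint32(sum[offset+2])<<8 | uint32(sum[offset+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP (RFC 6238) is HOTP with the counter derived from the clock, so the response
// changes every step and a code captured now is worthless a few minutes later.
func TOTP(secret []byte, at time.Time, step time.Duration, digits int) string {
	return HOTP(secret, uint64(at.Unix())/uint64(step/time.Second), digits)
}

// Verifier is the server-side check. Besides tolerating clock skew it remembers the
// highest time step already accepted, so a code cannot be replayed inside the window.
type Verifier struct {
	secret      []byte
	step        time.Duration
	digits      int
	skew        int   // steps of tolerance on either side of "now"
	lastCounter int64 // highest step accepted so far; -1 means none yet
}

func NewVerifier(secret []byte, step time.Duration, digits, skew int) *Verifier {
	return &Verifier{secret: secret, step: step, digits: digits, skew: skew, lastCounter: -1}
}

// Verify accepts a code at most once, within the skew window, comparing in constant time.
func (v *Verifier) Verify(code string, at time.Time) bool {
	now := at.Unix() / int64(v.step/time.Second)
	for d := -v.skew; d <= v.skew; d++ {
		c := now + int64(d)
		if c < 0 || c <= v.lastCounter {
			continue // never re-accept an already-used (or earlier) step
		}
		want := HOTP(v.secret, uint64(c), v.digits)
		if subtle.ConstantTimeCompare([]byte(code), []byte(want)) == 1 {
			v.lastCounter = c
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test seed, constructed input
	at := time.Unix(59, 0)                    // RFC 6238 test time, step 1 of 30 s
	code := TOTP(secret, at, 30*time.Second, 6)
	v := NewVerifier(secret, 30*time.Second, 6, 1)
	fmt.Println(code, v.Verify(code, at), v.Verify(code, at)) // 287082 true false
}
```

The second Verify call fails although the code is still inside the time window, which is the property that separates an authenticator app from a static password: the seed never travels over the network, and each response is bound to a time step that the server refuses to accept twice. Codes delivered by SMS share the one-time property but not the seed protection, which is one reason the quoted experts rank them below authenticator apps and FIDO2.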

