by Kate O'Flaherty published 2024 Feb 02
What will the end of passwords look like in practice and what can businesses do to prepare?
It’s widely accepted that passwords are a flawed means of security. Users pick weak credentials; passwords can be forgotten, guessed, or exposed in breaches, and they’re often reused across services.
Big tech firms including Microsoft, Apple and Google have been moving towards a passwordless future for several years, with solutions such as security keys and, more recently, passkeys starting to take off as part of multi-factor authentication (MFA) setups.
The FIDO Alliance – which most big tech players are members of – is pushing hard for the demise of the password.
But what exactly does “the end of the password” mean, in practical terms?
The idea is to eliminate dependence on passwords as a “primary mechanism for user authentication”, says Andrew Shikiar, executive director and CMO at the FIDO Alliance. In practical terms, this means the end of using knowledge-based “secrets” as the foundation to create, sign in to, and recover online accounts, he says.
“Passwords simply aren’t fit for purpose to protect today’s connected economy. They are too burdensome for humans to manage effectively and too easy for attackers to leverage to hack into corporate networks.”
The end of passwords: Strong alternatives
There are multiple systems that could help usher in the end of passwords, but no one solution is perfect. For example, biometrics can be secure but come with their own downsides, says Michael Jenkins, CTO at ThreatLocker.
“Windows uses facial recognition, which can unlock too quickly, so you might walk away and leave your laptop exposed while it’s still unlocked.”
Fingerprint systems are a lot harder to get around, he says. “But the downside is, it may ask for your PIN number instead. These are a lot easier to guess.”
Passkeys, meanwhile, are “a great idea”, but they still need to be implemented across every website and application, says Darren James, a senior product manager at Specops Software. In addition, they can’t be used for initial login to a device and they aren’t very portable unless you store them on a token – which can be lost, broken, or stolen.
Handling passkeys is very different from passwords, says Mark Stockley, senior threat researcher at Malwarebytes. “Both users and support staff are likely to be less familiar with them, which is a speed bump to adoption.”
Yet Shikiar argues that implementing passkeys for MFA is fairly simple and won’t require most businesses to completely overhaul their pre-existing security processes. This is because the core functionality is built into the majority of end-user computing devices, enterprise software stacks, and identity management services, he says.
“Many organizations are already using identity management solutions such as Microsoft Entra ID, which already has support for these solutions built-in,” concurs Mark Lomas, technical architect at Probrand.
However, the end of passwords will be easier in some sectors and businesses than in others. It is important to recognize that certain sectors could be forced to continue to use passwords, says Stewart Parkin, global CTO at Assured Data Protection. “Organizations with legacy systems may be challenged in integrating new technologies, while regulatory requirements in certain industries can create the need to continue password-based authentication.”
Software not tied to modern authentication solutions won't be able to take advantage of modern passwordless solutions, or be linked to Entra ID, says Lomas. “It's typically legacy software that will be unable to make the switch. In this case, you'll need to find other routes to add protection, such as hosting the application in a virtual desktop environment like Azure Virtual Desktop and ensuring that access is protected by a passwordless login solution.”
While there are multiple alternatives to passwords, passkeys are the only successor that “has the same availability and ubiquity”, says Shikiar. Therefore, they are the only currently available means to fully replace passwords, he says.
“Passkeys are built on open standards created within the FIDO Alliance and based on tried and tested cryptographic protocols,” says Shikiar. In addition, the technology is supported by all big tech and is device and operating system-agnostic, he says.
Passkeys are “far and away the best password alternative for online authentication”, agrees Stockley. “They are secure, easy to use and the cost of implementation is likely to get lower as they become more widely supported.”
But it’s important to realize that as we approach the end of passwords, replacements will have to compete with passwords, which are themselves universally understood and very cheap to implement. “That's really hard,” says Stockley. “They're an authentication standard that dates from an era when managing low computing resources was the priority. Users understand them, support teams know how to support them and developers know how to implement them.”
Taking this into account, while some organizations may eventually go passwordless altogether, for now, many are supplementing passwords with MFA, says Steven Furnell, IEEE senior member and professor of cyber security at the University of Nottingham.
In the future, he predicts a mixed authentication setup will be the main choice for many businesses. “Some systems and services could use traditional passwords, some MFA, and some passwordless.”
Shikiar says there is “no need for any company to hang onto passwords”, but he does concede they will need to be “phased out over time”. Initially, companies may keep them to help with account recovery until other possession-based factors are established, says Shikiar. If you do decide to make further moves away from passwords, the transition will depend on the organization, says Shikiar. “Many will have disparate legacy systems to grapple with, while for others it is more straightforward.”
When taking the plunge, Shikiar recommends a prioritization exercise. “Discover those systems that can migrate most easily and are most urgently in need of higher security.”
Transitioning from a password-centric security model requires a systematic approach, says Parkin. Organizations should begin with a comprehensive assessment for risk management, followed by pilot implementations in less critical areas, he says. “The integration of multi-factor authentication as an interim step can pave the way for a more seamless transition.”
Businesses can also take a “privileged user” approach by identifying employees with access to sensitive applications, and examining who is the most vulnerable to attacks, says Shikiar. “Migrate these users to phishing-resistant authentication as soon as possible and from there, you can start to work your way across the wider employee base.”
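As an added illustration (not code from the article, the FIDO Alliance, or any vendor quoted above), this Go sketch shows the two properties the article leans on: Shikiar's point that passkeys rest on public-key cryptography rather than a knowledge-based secret, and the "phishing-resistant authentication" he recommends for privileged users. The server keeps only a public key, and every assertion signs a fresh challenge bound to the relying party's own ID. The `Authenticator`, `Credential` and `payload` names are constructed for this example and simplify the real WebAuthn/FIDO2 ceremony.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Credential is all the relying party (the website) stores after registration:
// a public key bound to its own ID, with no secret a breach could expose or reuse.
type Credential struct {
	RPID      string
	PublicKey *ecdsa.PublicKey
}

// Authenticator models a passkey holder (hypothetical, not the real WebAuthn API): one on-device private key per relying-party ID.
type Authenticator map[string]*ecdsa.PrivateKey

func (a Authenticator) Register(rpID string) (Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Credential{}, err
	}
	a[rpID] = priv
	return Credential{RPID: rpID, PublicKey: &priv.PublicKey}, nil
}

// payload binds the server's challenge to the origin the user is actually talking
// to; that binding is what makes the assertion phishing-resistant and replay-proof.
func payload(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return h[:]
}

// Assert signs a challenge for origin. A look-alike phishing domain has no key
// registered, so the authenticator refuses instead of leaking anything.
func (a Authenticator) Assert(origin string, challenge []byte) ([]byte, error) {
	priv, ok := a[origin]
	if !ok {
		return nil, errors.New("no passkey registered for origin " + origin)
	}
	return ecdsa.SignASN1(rand.Reader, priv, payload(origin, challenge))
}

// Verify is the server side: check the signature over its own challenge and ID.
func Verify(c Credential, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(c.PublicKey, payload(c.RPID, challenge), sig)
}
```

A relayed signature fails on a different challenge, and a signature produced for one relying-party ID does not verify under another, which is the property a password (typed into whichever page asks for it) cannot offer.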