Authentication is a secure mechanism for accessing systems and applications. Authenticating with passwords is extremely prevalent and has become part of our everyday life, from accessing email to online bank accounts and everything in between. But passwords can be an inhibitor rather than an enabler for business and commerce. Compromised passwords impact retailers, healthcare providers, government agencies, telecom and mobile operators, and financial and payment services. Password-less administration is the remedy to this issue.
Modern access management solutions provide numerous benefits. They deliver cost efficiencies, enable flexible system and application integrations, empower businesses to adapt to new and changing technologies, environments, and deployment models, and reduce user friction. But, if your identity and access management solution is outdated, making your organization vulnerable to breaches and unprepared for the ever-growing regulatory requirements, how do you fully leverage these benefits?
Today’s security protections encompass many areas, like identity access and governance, consumer privacy, regulatory compliance, patching, upgrading, and application and system integrations. The cost and management required to successfully support, protect, and control access to systems, applications, and data for this array of requirements can be expensive and complex.
Passwords are Becoming the Bane of our Existence
Data breaches associated with passwords have been increasing for decades and are only getting worse. In fact, 80% of data breaches come from hijacked and misused passwords. The typical user has dozens of online accounts, and over 51% of their passwords are reused among those accounts. While online businesses rely upon passwords to authenticate users, one-third of online purchases are given up when consumers can’t remember their passwords. Helping users reset passwords and provision devices adds cost and lowers profits, with the average help desk cost of $70 just to reset a user’s password.
Time for a New Authentication Method
If 2020 has taught us anything, external impacts like the pandemic have caught many of us ill-prepared for a primarily remote workforce. The potential security attack surfaces have increased exponentially with the move to an offsite work environment. The most successful attacks, with increasing numbers, are from stolen and abused passwords. Credential stuffing is one of the most common attack vectors. This is where hackers obtain a list of accounts and passwords on the dark web and then systematically use them against login services.
A common counter measure is to add another layer of security with multi-factor authentication, or MFA. After a password is provided and validated, another authentication measure takes place, such as entering an SMS code or responding to a push notification for validation. However, the password is still an integral part of this process. The downsides to this approach are the additional steps that need to be maintained, managed and paid for, and the friction it can add for customers, partners, and employees.
The writing is on the wall. We need a new, standards-based approach for logins. One that is secure and interoperable across any website, application, device, and supply chain, and frictionless for all users. Successfully issuing and managing today’s modern authentication methods with security keys, facial and voice recognition, fingerprints, smart cards, key certificates, and apps for access tokens, requires centralized authentication with effective systems, policies, and processes.
The good news is access management vendors, independent software vendors, and device manufacturers are all rallying around a new set of password-less standards.
Password-less authentication simplifies the login process, eliminates stolen passwords, and resists phishing and other cyberattacks. Users no longer need to remember their passwords; they can use any device, and any service and application, like VPN, VDI, cloud, mobile, and web.
Enter FIDO for Password-less Authentication
The FIDO Alliance addresses the lack of interoperability between strong authentication technologies, and remedies problems for users creating and remembering multiple usernames and passwords. Its main goal is to improve security postures by standardizing the authentication mechanism, and providing alternate solutions to password-based authentication.
FIDO Alliance provides certification programs and specifications to ensure an interoperable ecosystem of vendor products and services for enterprises to leverage FIDO authentication. FIDO includes programs that delineate the security capabilities of FIDO Certified Authenticators and provides testing and validation for the efficacy of biometric components.
FIDO2 provides a standard authentication protocol that allows websites to update their login pages to add FIDO-based authentication on supported browsers and platforms. It leverages cryptographic credentials which are unique for every website, and never leave the user’s device. This eliminates the risks of phishing, all forms of password theft, and replay attacks.
FIDO2 standards are looking to pave the way for new password-less requirements, and enable customer and workforce authentication flows. FIDO2 promises to reduce login friction for customers, employees, partners, and supply chains.
Need Help Implementing Password-less?
IAM is dynamic, with many moving parts. It’s a complex process of integrating and managing credentials, accounts, entitlements, roles, permissions, policies, processes, and resources to enable effective access control.
Simeio is a single-source provider of integrated IAM solutions and applications that support consumers, employees, and privileged users. We created a cost-effective and secure foundation for digital transformation within a cohesive, unified, and user-friendly platform.
Simeio helps organizations better address the complexity of their identity requirements, as well as empowering them to effectively plan the implementation of identity solutions, based on industry standards, and vast experience in the IAM space.
We help organizations with identity process and technology, enabling them to take advantage of upcoming technologies, like FIDO2, and many other standards and guidelines from organizations like NIST and others, using best practices. We partner with many IAM and security vendors, to bridge the gap in integrating diverse IAM, security, and enterprise applications. Our services support on-premises legacy systems and multi-cloud services.
To learn more about how Simeio can help modernize your access management, click here.
Contributed by Roland Davis