Self-Sabotage: How You are Undermining Your Journey to a Passwordless Future


As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories—Bassam Al-Khalidi of Axiad explains how passwords may still be lurking underneath the surface of your passwordless strategy.

Passwords have been used to protect sensitive information for centuries, spanning from ancient times (e.g., ciphers) all the way through to the modern day. Yet, despite their long history, they remain one of the most widely used security tools today.

Modern enterprise organizations typically handle thousands of passwords across their people, machines, and digital interactions to provide access to their systems and data. But passwords are also easily compromised. In fact, passwords, along with stolen or weak credentials, play a part in more than 80 percent of today’s breaches. Moreover, in a survey of 2,000 US office workers, 60 percent said problems with passwords have stopped them from doing their jobs.

Given that so many breaches stem from poor password practices, plus the often-negative impact on productivity, many forward-thinking organizations are moving away from legacy (password-only) approaches to contemporary (passwordless) strategies for authentication, which are optimized for today’s business environment and deliver clear security and operational benefits.

Living in a Passwordless Future

Understanding the Implications of Shared Secrets

While passwordless authentication is currently a hot topic in boardrooms around the globe, it’s critical to understand that not all passwordless solutions are, in fact, actually passwordless. If you’re currently deploying a passwordless platform or evaluating the move to passwordless, a lack of understanding of what lies beneath the surface can jeopardize even the most well-intentioned, thoroughly planned (and well-funded!) security strategy.

In reality, most passwordless solutions today still require a password or other shared secret; what they deliver is better described as a “passwordless experience.” These solutions typically hide (or mask) the shared secret from the end-user to deliver a passwordless user experience, but behind the scenes the shared secret is still present. Because the shared secret is still stored, it remains in a position where it can be compromised, which gives bad actors the opening that leads to phishing and other cyber-attacks.

Leaving Passwords Behind to Optimize Protection

The good news is there are alternatives to solutions that provide a passwordless experience but still rely on passwords. In a “no password” passwordless environment, there are no shared secrets. There’s nothing to remember, there’s nothing that can be shared, lost, or phished out of users. This “phishing-resistant authentication” ensures that employees and all users have access to what they need when they need it. Clearly, this is a better methodology because it closes a major gap that attackers have been actively exploiting, while also keeping the enterprise in control and ensuring what’s important stays safe.
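The difference between the two paragraphs above (a “passwordless experience” that still stores a shared secret versus a “no password” scheme with nothing to steal) is easiest to see side by side. The following Go program is an added example and is not part of the original column or any Axiad product; it models a shared-secret server beside a public-key challenge-response server in the style of FIDO2/WebAuthn. The origin strings, the secret value and the look-alike phishing origin are constructed sample values, and the origin-scoping rule in `Assert` is a simplification of how a real authenticator scopes a credential to its relying party.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// ---- "Passwordless experience": a shared secret is still stored server-side ----

// SecretStore is the server record for a shared secret (a password, or an
// app-held secret that is merely hidden from the user): a salted SHA-256 digest.
type SecretStore struct {
	salt   [16]byte
	digest [32]byte
}

func hashSecret(salt [16]byte, secret []byte) [32]byte {
	h := sha256.New()
	h.Write(salt[:])
	h.Write(secret)
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// EnrollSecret creates the server-side record for a shared secret.
func EnrollSecret(secret []byte) *SecretStore {
	s := &SecretStore{}
	if _, err := rand.Read(s.salt[:]); err != nil {
		panic(err)
	}
	s.digest = hashSecret(s.salt, secret)
	return s
}

// VerifySecret accepts whoever presents the secret: the real user, a phishing
// page relaying what the user typed, or anyone who obtained a copy. Possession is proof.
func (s *SecretStore) VerifySecret(presented []byte) bool {
	d := hashSecret(s.salt, presented)
	return subtle.ConstantTimeCompare(d[:], s.digest[:]) == 1
}

// ---- "No password" passwordless: the server stores only a public key ----

// KeyRecord is everything the server keeps: one public key bound to one origin.
type KeyRecord struct {
	Origin string
	Pub    ed25519.PublicKey
}

// Authenticator models the user's device-held private key, scoped to the
// origin it was registered with (assumption: modelled on FIDO2/WebAuthn scoping).
type Authenticator struct {
	origin string
	priv   ed25519.PrivateKey
}

// Register generates the key pair on the authenticator; the server gets the public half only.
func Register(origin string) (*KeyRecord, *Authenticator) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &KeyRecord{Origin: origin, Pub: pub}, &Authenticator{origin: origin, priv: priv}
}

// NewChallenge returns a fresh random nonce, so a captured assertion cannot be replayed.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// signedMessage binds the challenge to the origin: an assertion for one site is useless at another.
func signedMessage(origin string, challenge []byte) []byte {
	return append([]byte(origin+"\x00"), challenge...)
}

// Assert signs the challenge only for the origin the credential was registered
// with; a look-alike origin gets ok=false and no signature at all.
func (a *Authenticator) Assert(requestingOrigin string, challenge []byte) (sig []byte, ok bool) {
	if requestingOrigin != a.origin {
		return nil, false
	}
	return ed25519.Sign(a.priv, signedMessage(a.origin, challenge)), true
}

// VerifyAssertion checks the signature against the stored public key.
func (r *KeyRecord) VerifyAssertion(challenge, sig []byte) bool {
	return ed25519.Verify(r.Pub, signedMessage(r.Origin, challenge), sig)
}

// StoreDumpForgesLogin models someone who copied the server's record: without the
// private key, a fabricated assertion (here, all zero bytes) never verifies.
func StoreDumpForgesLogin(r *KeyRecord) bool {
	return r.VerifyAssertion(NewChallenge(), make([]byte, ed25519.SignatureSize))
}

func main() {
	store := EnrollSecret([]byte("hidden-app-secret-123")) // constructed sample secret
	fmt.Println("shared secret, legitimate user:", store.VerifySecret([]byte("hidden-app-secret-123")))
	fmt.Println("shared secret, stolen copy:", store.VerifySecret([]byte("hidden-app-secret-123")))

	rec, auth := Register("https://login.example.test") // constructed sample origin
	ch := NewChallenge()
	sig, ok := auth.Assert("https://login.example.test", ch)
	fmt.Println("public key, legitimate origin:", ok && rec.VerifyAssertion(ch, sig))
	_, ok = auth.Assert("https://login.examp1e.test", ch) // constructed look-alike origin
	fmt.Println("public key, look-alike origin obtains a signature:", ok)
	fmt.Println("public key, server-store dump forges login:", StoreDumpForgesLogin(rec))
}
```

The two halves fail differently under the same incidents. If the shared-secret store is read, or the secret is relayed through a look-alike page, `VerifySecret` cannot tell the copy from the original. For the key-based record, a dump of the server yields only a public key, a fresh challenge defeats replay of an old assertion, and the origin check means a look-alike site is never handed a signature in the first place; that combination is what the column calls phishing-resistant.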

But a successful true passwordless strategy isn’t just tied to eliminating shared secrets. There are a number of additional factors you should look for as you build out your framework:

  • No shared secrets – Naturally, confirm that your solution doesn’t mask or otherwise simply conceal passwords, but eliminates them entirely.
  • A frictionless experience – Users will find a workaround if a process is too complex. In a recent survey, more than half (52 percent) of tech leaders said their remote employees had found workarounds to their company’s security policies, creating gaps in authentication that can leave a business vulnerable to cyber-attacks.
  • Interoperability – Most organizations already have made some meaningful investments in Identity and Access Management (IAM) solutions in the past, and ripping and replacing them to achieve a passwordless future doesn’t make financial sense. Look for solutions that fortify those existing investments and tools to minimize time to value.
  • Adaptability – Authenticate people, devices, and operating systems uniformly and quickly, enabling your organization to stay on budget while keeping in pace with regulatory requirements, compliance, and audit reporting.
  • Holistic authentication – Passwordless strategies done in silos – in a fragmented fashion, perhaps authenticating different identity types, operating systems, or use cases separately – create gaps and inconsistencies that can be exploited, even in a “no password” passwordless approach. Make sure you cast the net wide enough and take a holistic approach to authentication to get the most out of your passwordless strategy.

A true “no password” passwordless strategy will optimize your cybersecurity posture while at the same time providing the ability to navigate and reduce underlying IT complexity. Your organization will become more phishing resistant, less of a target for ransomware attacks and account takeovers, and will take a critical step toward implementing a Zero Trust strategy by limiting reliance on passwords and verifying everything before granting access to your most important assets.

Bassam Al-Khalidi