How Passwordless Authentication Can Protect Accounts And Improve User Experience
Expert Insights interviews Eric Williams, Senior Sales Engineer at HID Global.
“Passwords are bad security,” says Eric Williams, Senior Sales Engineer at HID Global. “Everyone knows this. Passwords can be shared, phished, [or] stolen. And the user experience is not great, since the user must memorize this complex secret, which changes periodically.”
Since the 1960s, passwords have been the default security control for accessing computer devices and software. But today, poor password practices are one of the most common reasons for account compromise in the enterprise. While password security can be improved with the use of multi-factor authentication, the best way to address the root cause of weak passwords is to eliminate their use altogether.
Passwordless authentication technologies allow users to access applications or systems without needing a password at all. In the case of the FIDO2 authentication standard, for example, authentication is completed with a private key held on the local device, then matched with a public key registered with an online service. There is no need for the local end user to ever have an account password.
Combined with an extra verification step leveraging biometric controls, or a physical hardware token, this offers powerful security benefits above the use of a password. It is resilient against phishing and doesn’t require any additional effort on the part of the end user. Most importantly, this method is very difficult to hack.
To discuss the move toward passwordless authentication, Expert Insights sat down with Eric Williams, Senior Sales Engineer at HID Global. You can listen to our full conversation on the Expert Insights podcast:
The Workforce Is Going Passwordless
According to a recent Gartner report, by 2025 50% of the workforce will be using passwordless technologies. A key driver for this is a push for better protection in the form of data protection regulations, Williams explains. “Every year, new regulations pass around data protection. And they tend to be a bit modular, meaning that some of them are for highly regulated industries such as energy, banking, and finance. Others are to protect the data side for private citizens.”
“On the other side, there is GDPR which has a sweeping mandate in the EU, while the United States have, so far, mostly opted for a state-by-state approach. The authorities are still in the process of figuring out how to secure people’s data, and as they do so, there is a push to adopt security measures that enhance security, while improving the user experience.”
Improving the user experience is critical for the adoption of passwordless authentication, Williams explains. “A poor user experience is not just bad for the user, it’s bad for the implementor. It’s bad for whoever is enforcing it since people tend to find a way around obstacles. You need to make it very easy to do the right thing.”
For the enterprise, there can be no one-size-fits-all approach when it comes to authentication; rather, your security strategy must support a broad range of authentication options to suit user needs. For example, some users may not be comfortable, or able to use biometric authentication. In some circumstances, users can’t use their personal devices as an authentication token, but must instead use an ID badge, or a smart card.
All industries face unique challenges when it comes to passwordless adoption, and no two use cases are completely alike, Williams explains. In banking for instance, “You need to cover the entire customer journey, starting from onboarding, to creation of account, to transactions and interactions within the banking system – for example changing your address.” Passwordless solutions need to be flexible enough so that they can adapt to different situational requirements, without jeopardizing security or user-experience.
“We have solutions that help with that entire journey – starting with identity verification at the beginning, to providing passwordless authentication via push notification to the customer’s mobile phone. That’s all integrated, so the level of friction is zero! At the same time, we perform risk analytics behind the scenes to help with making decisions about when to request authentication. And sometimes that answer is to not authenticate at all, if the transaction seems safe enough.”
These systems, combined with improvements to authentication technologies, mean passwordless technologies vastly improve the user experience for the end user. “These security technologies have gotten better in recent years, everything from biometrics, to mobile authenticators, to the rise of FIDO credentials. The user experience has improved dramatically.”
Changing Risk In A Passwordless World
“As passwords start to disappear, cybercriminals are going to shift their mindsets to new targets”, Williams explains, namely to the device and to the user themselves. Already we are seeing rises in new forms of engineering to bypass multi-factor authentication controls, such as so-called ‘MFA fatigue,’ or ‘MFA spamming’ attacks. This is where a criminal will simply request a mobile authorization over and over until the user accepts the request simply to stop the notifications.
With the rise of AI, advanced social engineering attacks will have “renaissance moment,” Williams says. “Everything from text, to images, to video and even voices are becoming easier to generate and spoof, and harder to identify. It’s up to companies like [HID Global] to react to these new threats. We’re already doing that to some degree, with AI of our own, baked into our authentication solutions.”
HID Global is a division of ASSA ABLOY, a global multi-national leader in physical secure access – everything from revolving doors to passport control gateways. Historically, HID were focused on physical access, but since 2010 they have focused on identity and access management solutions for a range of industries, including state, local, and national governments worldwide.
Today, HID is a leading provider in biometric authentication solutions, and one of the largest providers of PKI solutions to the US government. HID delivers passwordless authentication for internal enterprise systems via their Digital Persona solution, which offers a range of authentication methods, and their Crescendo smartcard line, which combines physical and logical access technologies, such as PKI and FIDO to enable seamless authentication across physical and digital systems. HID also offer consumer authentication solutions, focused on identify verification and risk management for customers, like the banking and finance industry.
Recent announcements from HID include a partnership with Apple, designed to bring HID smart authentication cards into the Apple Wallet, and a new range of eco-friendly bamboo-based smart cards. “We’re an established, trustworthy company, with a long history in information security,” Williams says. Working with a trusted provider is paramount when looking to implement passwordless authentication, particularly in light of the social engineering risks on the rise. “You have to be a little bit careful about who you trust.”
The Future Of Passwordless Authentication
Although the momentum is certainly towards a passwordless future, “information security tends to evolve slowly,” Williams says. “While there’s a lot happening in the space right now, it will be a long time before we truly reach ubiquity for passwordless.” Organizations looking to secure their digital identities must stay informed about threats and have a solid security strategy in place.
“It is important to identify and implement a clear security strategy. Any IT professional will tell you that. I think that always starts with the ‘Why?’ Why are you implementing passwordless? Is there a specific regulation? Is there a specific threat? Once you have answered those questions, it’s time to put in the work to identify the right solutions for the right needs. You should look at solutions that will take you into the future, and this may involve looking at new protocols. Think about FIDO – it was not that many years ago that few people were aware of FIDO, and the people that stayed informed about FIDO are now ahead of the game.”
“Also, in many cases, a blended approach is the right way to go. Coming from a vendor, I’ll stress that selecting the right technology partner is paramount. Whether you go directly to a vendor like us, or if you utilize a solution provider of some sort, always do your own research, always stay informed on new trends. Stay connected with similar organizations, other IT professionals that you connect with to be aware of the solutions they are looking at. This will help you to avoid their mistakes and gain from their successes.”
Learn more about HID Global: https://www.hidglobal.com/
Listen on Spotify:
Listen on Apple Podcasts:
About Expert Insights:
Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions.