Passwords are embedded in almost every facet of today’s digital world. Hacking-related breaches are still mostly caused by password compromise and sharing. The urgency to move away from passwords has never been higher, with the COVID-19 crisis pushing the rapid shift to remote work, as well as cybersecurity pressures following a string of major attacks in the last two years.
Organizations are being forced to examine password authentication more closely, with specific requests to justify the costs of password support, re-evaluate the impact on user experience, and, most importantly, justify whether the password is doing what it is supposed to do – safeguarding the company from an online attack. As most businesses quickly realize, passwords are antiquated and, unfortunately, are themselves risk drivers.
Barriers to Passwordless Authentication Adoption
According to the recent “The State of Passwordless Security” report by HYPR and Cybersecurity Insiders, 96 percent of respondents wish to stop utilizing shared secrets for authentication. With the rise of remote work, the search for passwordless authentication alternatives to safeguard privileged resources and systems from credential abuse has become more urgent.
Password-based authentication needs to be replaced with passwordless login, which uses a factor such as biometric identification to enable login. This is seen as a strong solution to the recent surge in cyber-attacks. However, according to the HYPR and Cybersecurity Insiders survey, nearly half of the firms polled are still using passwords, and 22% are sceptical about the usefulness of passwordless alternatives.
Some of the major roadblocks to adoption are caused by the state of identity and authentication rather than by technological problems. Because identity and authentication are still siloed, many widely used applications do not support passwordless login.
Getting to the Bottom of Identity Confusion
Identity proofing is often part of a company’s onboarding process, which is typically handled by human resources with help from IT; the manual verification of new employees falls to the HR department.
That works when dealing with internal employees, but when dealing with vendors, contractors, or machine users that need access to network resources, the process gets more complicated.
The authentication process depends on identity proofing, which verifies a person’s identity using government-issued documents and face biometrics. However, once enrolment into a system or application is complete, that proofing remains separate from the authentication workflow. When a user logs in to a protected resource, they are asked to provide some kind of authenticator, such as a PIN, password, or biometric, that is no longer tied to their actual identity.
Biometric authentication, for example, does not replace passwords, contrary to popular belief. It merely spares the user from typing them into the system. This means that if the underlying password is stolen, the biometric authenticator can be bypassed entirely. If biometric identifiers are recorded in an authentication database, they become a target for hackers as well.
A new concept known as distributed digital identity unites identity enrolment data and authentication, making them inextricably linked. With a distributed digital identity, the user controls the identity itself, rather than merely being challenged for an authentication factor that is validated against credentials held in a central database owned by an identity provider.
Passwordless login is the solution to issues related to privacy, security, and user experience. However, it will only be achievable if a new distributed identity model that bridges the gap between identity assurance and authentication is developed.