March 28, 2023
Is This the End of Passwords?
Effective Multifactor Authentication Brings a Passwordless Future into View
Are passwords and weak multifactor authentication the bane of your existence? Many IT professionals feel as if they spend much of their time helping coworkers with forgotten or expired passwords. The need to manage passwords and overcome problems related to them leads to massive frustration and lost productivity. To make the situation worse, even when an organization deploys MFA for all of its users, it can still be breached by attacks such as MFA replay or session stealing.
But if your coworkers are yelling at you or you’re dealing with another incident, don’t throw in the towel. Help is here.
Advanced MFA and passwordless authentication can make managing employee access much easier. Instead of pulling out your last few clumps of hair, find out how strong MFA and passwordless solutions can put an end to the cycle of creating new passwords.
Powerful Factors of Authentication
With passwordless authentication, users can easily access their accounts using multiple, strong authentication factors instead of passwords. By implementing the right solution, you can provide secure yet easy access to applications while reducing help desk tickets, remediation and user frustration. You’ll be hailed as a hero, and your hand will get tired from all the high fives.
There are several factors to consider when moving to passwordless authentication. Most solutions enroll users with a biometric factor, such as face recognition or a fingerprint scan, coupled with a physical component: usually a key protected by the device's security chip (such as a Trusted Platform Module) or otherwise securely stored and tied to that device. The biometric and device components represent two factors: something you have (the device) and something you are (your fingerprint or face). These are very strong factors and are far more secure than passwords. Most current devices offer both.
Obstacles to Overcome for a Passwordless World
However, some challenges still exist as organizations aim to deploy passwordless authentication. For one thing, some technologies (often older solutions) cannot support MFA or other forms of single sign-on to allow access without passwords. To accommodate these technologies while enabling effective user authentication, organizations still need to maintain solutions to manage passwords, and this is where an enterprise password management solution or privileged access management (PAM) system comes in.
In fact, solutions like these are almost required for a successful deployment of passwordless technology. Sometimes, security auditors take issue with passwordless deployments and may require an organization to maintain passwords that meet specific requirements (such as being changed every 90 days or adhering to a standard of complexity). Much of this can be hidden from users and automated so that when users access a system that requires a password, it is automatically entered, or when they are required to change it, the password is automatically updated.
IT professionals who have worked in security for some time are aware of the common challenges of enrolling new devices and dealing with lost devices. Such risks tend to occur when attacks happen, as cybercriminals either convince support teams to enroll rogue devices or get users to approve them. To address these issues, I suggest a methodology that involves manual steps with as much validation and noise as possible. Yes, this can seem like a hassle, but it’s the same hassle required by many forgotten password workflows, and new devices need to be enrolled far less frequently than replacing forgotten passwords.
Meeting the Need for Different Levels of Security
To achieve a more advanced level of assurance, organizations should consider adding device state to the criteria they consider when determining whether a user should be authorized. If a user is coming in from an authorized, secured and up-to-date corporate system, that should be weighed in allowing access to sensitive systems. However, if a user’s device is not up to date or lacks sufficient security controls, the decision of whether to allow access may change. Perhaps in this scenario, the user would be allowed access only to nonsensitive systems.
For the next level of security — providing access to critical systems — organizations should consider only the most secure methods of multifactor authentication. This level could include administration of a PAM solution to systems storing critical intellectual property, domain-level administration, certificate authorities or anything else truly important to secure.
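The tiered decision described in the last two paragraphs, written out as a small policy evaluator. This is an added example, not the article's or any vendor's code; the posture fields, method names and tier thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Access tiers named as in the article; the posture fields and thresholds
# below are assumptions for this example, not any product's policy schema.
TIERS = ("nonsensitive", "sensitive", "critical")

@dataclass(frozen=True)
class DeviceState:
    managed: bool         # enrolled in corporate device management
    patched: bool         # OS and security agents up to date
    disk_encrypted: bool
    edr_running: bool

@dataclass(frozen=True)
class SignIn:
    method: str           # "password", "otp", "push", "platform_biometric", "fido2"
    device: DeviceState

# Push and OTP count as MFA but can be defeated by MFA fatigue or replay;
# only FIDO2 is treated as phishing-resistant in this example.
MULTIFACTOR = {"otp", "push", "platform_biometric", "fido2"}
PHISHING_RESISTANT = {"fido2"}

def device_is_healthy(d: DeviceState) -> bool:
    return d.managed and d.patched and d.disk_encrypted and d.edr_running

def max_tier(s: SignIn):
    """Highest tier this sign-in may reach, or None when it is denied outright."""
    if s.method not in MULTIFACTOR:
        return None                      # a password alone grants nothing
    if not device_is_healthy(s.device):
        return "nonsensitive"            # weak device state caps access
    if s.method in PHISHING_RESISTANT:
        return "critical"                # healthy device + phishing-resistant MFA
    return "sensitive"                   # healthy device + ordinary MFA

def allowed(s: SignIn, tier: str) -> bool:
    """True if the sign-in may reach the requested tier."""
    top = max_tier(s)
    return top is not None and TIERS.index(tier) <= TIERS.index(top)

def explain(s: SignIn, tier: str) -> str:
    """One-line audit message for the decision log."""
    verdict = "allow" if allowed(s, tier) else "deny"
    return f"{verdict} {tier}: method={s.method} healthy_device={device_is_healthy(s.device)}"
```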
At this level of security, multifactor solutions must be resistant to all forms of tampering, including replay, MFA fatigue, session stealing and phone compromise. Tokens that meet these criteria include old-school physical tokens that implement the FIDO2 standard for passwordless authentication and require true spy-level craft with physical theft of the token for unauthorized access. To see a great example of this, watch the 1992 film Sneakers, in which a group of hackers steal an access card and a voice print of their target to gain access to a secure system. If your security systems require this level of tradecraft to break in, you’re generally in a good position.
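Why a FIDO2 token resists replay and phishing comes down to the relying party's binding checks on each assertion. The following is an added example, not code from the article: it implements those checks (single-use challenge, browser-supplied origin, rpIdHash, UP/UV flags, sign counter) and returns the bytes whose signature the caller then verifies with the registered public key; the sample data is constructed inline and the relying-party ID and origin are assumptions.

```python
import hashlib
import json
import struct

class VerifyError(Exception):
    """An assertion failed one of the binding checks."""

def verify_assertion(rp_id, origin, expected_challenge, client_data_json,
                     auth_data, stored_counter):
    """Binding checks on a WebAuthn (FIDO2) login assertion. Returns the new
    sign counter and the signed bytes auth_data || SHA-256(client_data_json);
    the caller verifies the signature over them with the stored public key."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        raise VerifyError("not an authentication ceremony")
    # Per-login, single-use challenge: a captured assertion cannot be replayed.
    if cd.get("challenge") != expected_challenge:
        raise VerifyError("stale or unknown challenge")
    # The browser sets the origin; a look-alike site's assertion fails here.
    if cd.get("origin") != origin:
        raise VerifyError("origin mismatch: %r" % cd.get("origin"))
    if len(auth_data) < 37:
        raise VerifyError("authenticator data too short")
    # rpIdHash ties the credential to this relying party's domain.
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        raise VerifyError("rpIdHash mismatch")
    flags = auth_data[32]
    if not flags & 0x01:
        raise VerifyError("user presence (UP) flag not set")
    if not flags & 0x04:
        raise VerifyError("user verification (UV) flag not set")
    counter = struct.unpack(">I", auth_data[33:37])[0]
    # A counter that fails to increase suggests a cloned authenticator;
    # both zero means the authenticator does not implement a counter.
    if (counter or stored_counter) and counter <= stored_counter:
        raise VerifyError("sign counter did not increase")
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    return {"counter": counter, "signed_message": signed}

def make_auth_data(rp_id, flags, counter):
    """Constructed sample authenticatorData: rpIdHash || flags || counter."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + struct.pack(">I", counter))

def make_client_data(challenge, origin):
    """Constructed sample clientDataJSON as the browser would produce it."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()
```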
Ultimately, the time for passwordless authentication is here, and organizations should start moving toward it. We still face some challenges to getting rid of passwords altogether, and we need to ensure we are using the most secure multifactor authentication options for our most critical systems. This will be a multiyear journey, but one worth taking, and I believe it is vital for us to start now.
Story by Jeremiah Salzberg