Improving Cybersecurity with Passwordless Authentication
It’s time to acknowledge that conventional cybersecurity practices are built upon a fundamental flaw — the password. Although companies around the world spend more than $100 billion a year on increasingly sophisticated security measures, industry analysts say poor password practices are the root cause of roughly 80 percent of all data breaches.
It’s time to ditch the password. SageNet is helping customers eliminate this weak link in the security chain with “passwordless” authentication solutions that can substantially reduce the risk of phishing attacks, credential stuffing, account takeovers and other threats.
The main problem with password security is that it places too much burden on end-users. You wouldn’t ask your sales team or your marketing staff to configure firewalls, install an encryption solution or apply security patches. Yet, we think nothing of asking employees to assume responsibility for the critical first line of network defense.
For years, security experts have stressed the importance of having employees create complex and unique passwords. That’s simply not an effective strategy. The average business user today has nearly 200 unique passwords — a number that strains the limits of human memory and encourages a range of risky password practices. It’s no wonder that “123456” and “password” consistently rank among the most commonly used passwords.
Password Repositories Targeted
However, even highly complex passwords with long combinations of letters, numbers and symbols are vulnerable. Companies often keep all employee passwords in a centralized vault or repository for easier management. Very often, passwords are stored in plain text. Hackers have targeted these central stores in several notorious breaches resulting in the theft of hundreds of millions of passwords.
The easy availability of stolen credentials on dark web marketplaces have sparked a significant increase in credential stuffing attacks, which is essentially weaponized password reuse on a mass scale. It’s a type of brute-force attack in which hackers use large numbers of stolen credentials to make multiple login attempts on multiple accounts simultaneously.
These types of attacks have increased the urgency to reduce dependence on passwords. Gartner predicts that 60 percent of large and global enterprises and 90 percent of midsize enterprises will implement passwordless methods by 2022 — up from just 5 percent in 2018.
There are a range of approaches for implementing passwordless authentication. All involve the use of some unique identifier such a biometric signature or a hardware token to establish proof of identity. They essentially use the same approach as digital certificates — a cryptographic key pair with a private and a public key.
An Easy and Secure Alternative
We recently partnered with HYPR, a New York-based provider of passwordless security solutions that shift authentication from a password database to the end-user’s smartphone. Comcast, Mastercard and Samsung are among significant investors in HYPR, and Mastercard and Aetna are among notable customers.
The HYPR solution is available as a mobile app or as a software development kit for rapid deployment across customer- and employee-facing applications. It enables secure desktop authentication for both Windows and Mac platforms, and it works with existing identity and access management (IAM) infrastructures.
The solution is compliant with the Fast IDentity Online (FIDO) Universal Authentication Framework. FIDO standards enable easy and secure logins to websites and applications via device-based biometrics and security keys. FIDO’s simpler login experiences are backed by strong cryptographic security that is superior to passwords, protecting users from phishing, password theft and replay attacks.
While passwords won’t be entirely replaced anytime soon, organizations need to take a hard look at their authentication tools and processes and move away from password-only data protection. With most data breaches linked to misused or stolen user credentials, it is clear that passwords no longer provide sufficient defense. Passwordless solutions can deliver more sophisticated and effective security while relieving end-users from much of their burden.
More Insights
-
Cybersecurity
Making the Grade on K-12 Cybersecurity
-
Connectivity, Cybersecurity
Legacy Firewalls Vulnerable to Encrypted Threats