Q&A

Which Enterprises Should Ditch Passwords? All of Them!

As biometric security continues to grow more sophisticated, many organizations are still using flawed passwords to safeguard their data. That needs to change. Now.

Inside the Session

What: No Country for Old Hackers: A Journey Inside Passwordless Authentication with Passkeys

When: Nov. 20, 9:30-10:45 a.m.

Who: International Speaker Andy Malone

Why: "With a passwordless solution, there simply are no credentials to steal."

Find out more about Live!360, taking place Nov. 17-22 in Orlando, Fla.

Microsoft has been banging the passwordless drum for years now. And for good reason. Passwords just are not a good way to keep you and your organizational data safe. Thankfully, with the rise of multifactor authentication and biometric-based solutions, it's never been easier to ditch the password relics. So why are you still using passwords in your organization?

Tech expert Andy Malone is here to clear the air on why a passwordless path is the way forward, and on the hold-ups some organizations face when moving away from outdated security procedures.

And for more of his insight on how you can get the most out of passwordless authentication methods, join him this November in Orlando for his Live!360 talk, "No Country for Old Hackers: A Journey Inside Passwordless Authentication with Passkeys." Register now!

Redmond: So, what's wrong with passwords? Why are they no longer the gold standard for authentication?
Malone: Let's face it, a password is simply a secret. It's based on something you know, not something that you are. Of course, this leads to all kinds of security issues with users forgetting or sharing passwords. Not to mention being prone to phishing and man-in-the-middle attacks, which can not only be emotionally stressful but also financially devastating to all parties concerned. Years ago, passwords were the gold standard and, unfortunately, a hacker's dream. Armed with a few simple tools like Cain & Abel, L0phtCrack and John the Ripper, the world looked sweet from the cybercriminal's perspective. But if we equate passwords to the old west, then multifactor authentication was the sheriff who sent the bad guys running for the hills.

Can you explain how passwordless and multifactor authentication go hand-in-hand?
Multifactor authentication makes life difficult for the cybercriminal. Initially, the concept of two-factor authentication combined things you already have -- a bank card along with something that you know, a PIN number, etc. But the problem here is that it still doesn't prove WHO you are. It simply proves that you have a card and know the PIN. So multifactor authentication expands on two-factor authentication by adding the element of something that you physically are into the mix -- in other words, biometrics. This makes traditional phishing techniques almost impossible for criminals, as facial recognition or a fingerprint must be combined with a physical device for a user to authenticate. In recent times, these phishing-resistant, or passwordless, techniques have become an important component in the zero-trust security model, which stipulates that every user must be verified on every device.

How exactly can a passwordless authentication approach do a better job at keeping organizations secure than other methods?
With a passwordless solution, there simply are no credentials to steal. Introduced by the FIDO Alliance, the first generation of FIDO keys was deployed using a USB solution which generates a unique cryptographic key pair. The private key never leaves the physical device and requires a biometric gesture to authenticate, thus making it impossible to intercept. The second generation, or passkey, can be stored on a user's mobile device and, just like its physical counterpart, requires a biometric gesture. However, unlike the device-bound solution, syncable passkeys are stored in a user's keychain or key vault, thus allowing the sharing of passkeys across multiple devices.

Is a passwordless approach feasible for organizations of all sizes? What sorts of organizations would benefit most from going passwordless?
Absolutely, and I believe very soon this will be the norm. It scales superbly to all company sizes, both large and small. Phishing-resistant credentials can reduce phishing attacks by up to 99.9 percent and will help not only enforce better security, but also make authentication simpler and faster.

From your perspective, how receptive are business leaders to making to the move to passwordless authentication? How would you convince the unconvinced?
Passwordless solutions have now been around for some time and have been well tested. This tech really is the dawn of a new day for security that will finally see the end of users having to type credentials into a browser or a device. Let's finally put an end to the long night of password nightmares. It's time to turn a new page.

About the Authors

Gladys Rama (@GladysRama3) is the editorial director of Converge360.

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
