Weak, stolen or reused passwords are the root of 8 in 10 data breaches. Fixing the data breach problem means abandoning passwords for something more secure. But what does passwordless authentication even look like? Yaser Masoudnia, the Senior Director Product Management, Identity Access Management, at LogMeIn* takes us there.
The password problem is still very real. Over 80% of data breaches are caused by weak, reused or stolen passwords [1], and IT teams are spending an average of 4 hours per week [2] on password-related issues alone. The obvious resolution to the password problem is eliminating the password, but what does that really mean? Passwords are the foundational authentication mechanism that has enabled users to gain access to applications for decades, but passwords have their flaws. And when passwords continue to cause such significant frustration and risk, it’s clear that a more secure and easier way to authenticate is a must-have for businesses.
Enter passwordless authentication. Passwordless authentication enables users to securely authenticate into their applications without having to enter a password. In a business environment, that means employees can authenticate into their work without having to type a password, all while IT teams maintain complete control across every login.
Is Passwordless Possible?
There are two types of passwordless authentication: eliminating the password from the overall IT infrastructure and eliminating the password from the login experience. While both are possible, passwords will not be completely eliminated from the IT infrastructure any time soon, which is why I encourage organizations to focus on delivering a passwordless login experience. A passwordless login experience means that while passwords may still exist behind the scenes, the employee will not have to manually enter a password during their login.
Passwordless authentication benefits the business on two fronts. First, password-related risks are eliminated. Employees no longer have the option to use and reuse easy-to-remember passwords across their various applications. These weak passwords generate a significant risk, as they are the easiest for hackers to crack. 34% of organizations cite lost or stolen password credentials monthly [2], so who knows where all those passwords are exposed.
The second benefit is productivity. Passwordless authentication means employees are no longer burdened with having to manually enter a password for every single application they need to get their work done. The average employee uses 36 cloud services at work [3] – that’s a lot of passwords to remember and a lot of time wasted manually typing each and every password in. Passwordless authentication gets employees authenticated into their work faster, in turn eliminating password frustrations and giving employees more time to get their work done.
Making Passwordless Happen
If a password isn’t connecting an employee to their work, then what is? A few examples of passwordless technologies are biometrics, secure protocols and integrations.
Biometrics are physically who you are as an individual. Examples of a biometric include your fingerprint, your face, or even your voice. Biometrics are becoming an increasingly mainstream way to authenticate employees into their work. This form of authentication is becoming so popular, in fact, that 70% of consumers want the expanded use of biometric authentication in their workplace [4].
The main reason why biometrics are rising in popularity is because they provide the simple, seamless user experience employees are looking for. Authenticating with the touch of a fingerprint is much easier than manually typing out a password, and employees do not want added security obstacles that will slow them down.
Biometric authentication is also more secure than a password. Passwords can be easily stolen or mismanaged, whereas biometrics are unique to the individual. A fingerprint, a face or a voice cannot be replicated by anyone other than the employee themselves. Biometrics as the authentication factor at the user, application and device level can greatly increase the assurance that the employee logging into the resource is who they claim to be, all while delivering a passwordless login experience.
Another example of a passwordless technology is protocols. Protocols are standards that facilitate the communication between an identity provider and a service provider. When an employee is authenticated to the identity provider, they are also authenticated into the assigned service providers, without having to enter a password.
An example of this is single sign-on (SSO) which is commonly built with the Security Assertion Markup Language (SAML) protocol. With SSO, when an employee is authenticated to their identity provider, an organization’s SSO will also authenticate the employee into all their assigned applications, or service providers. This means that after the employee is logged in, they will no longer have to enter passwords for all their work – a passwordless experience.
Protocols such as SAML help increase overall security because passwords are eliminated, and the protocol offers a more secure connection than a password alone can provide. And employees are happy, because they can access all their work without having to type additional passwords. It’s a win for both IT and employees.
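To make the SSO trust relationship concrete, here is an added example (not code from the article or from LastPass/LogMeIn) that models the SAML-style exchange in Python: the identity provider issues a short-lived, signed assertion scoped to one service provider, and the service provider grants access only after checking signature, audience, validity window and replay. Real SAML uses XML assertions signed with the IdP's private key; the HMAC shared key, subject and URLs here are constructed stand-ins.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed shared key standing in for the IdP signing key the SP trusts.
IDP_KEY = b"constructed-idp-signing-key"
SP_AUDIENCE = "https://payroll.example/saml/acs"  # hypothetical service provider


def idp_issue_assertion(subject, audience, lifetime=300, now=None):
    """Identity provider side: the user has already authenticated to the IdP
    (for example via biometrics), so it issues a short-lived assertion bound
    to exactly one service provider. No password is sent to the SP."""
    now = time.time() if now is None else now
    body = {"id": secrets.token_hex(8), "subject": subject, "audience": audience,
            "not_before": now, "not_on_or_after": now + lifetime}
    raw = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(IDP_KEY, raw, hashlib.sha256).hexdigest()
    return {"assertion": raw.decode(), "signature": sig}


class ServiceProvider:
    """Service provider side: trusts the IdP, but only after validating
    each assertion the way a SAML assertion consumer service should."""

    def __init__(self, audience):
        self.audience = audience
        self.seen_ids = set()  # replay protection: each assertion ID is single-use

    def consume(self, msg, now=None):
        now = time.time() if now is None else now
        raw = msg["assertion"].encode()
        expected = hmac.new(IDP_KEY, raw, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["signature"]):
            return None, "bad signature"          # tampered or forged assertion
        body = json.loads(raw)
        if body["audience"] != self.audience:
            return None, "wrong audience"         # assertion meant for another SP
        if not (body["not_before"] <= now < body["not_on_or_after"]):
            return None, "outside validity window"
        if body["id"] in self.seen_ids:
            return None, "replayed assertion"
        self.seen_ids.add(body["id"])
        return body["subject"], "ok"              # session established, no password
```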
Integrations in the context of identity and access management (IAM) securely unify two distinct IAM tools to work together. One type of IAM integration is federation, which securely connects an identity provider to a service provider. This differs from a protocol, as the two IAM solutions are integrated together rather than communicating with one another via a protocol.
Federation connects an identity provider to a service provider, so once the employee is authenticated into the identity provider, they will also be authenticated into the assigned service providers as a result of the integration. This helps IT teams securely manage the employee throughout their lifecycle, from onboarding to offboarding and across multiple IAM solutions with a unified view.
Because the two IAM technologies are integrated with one another, the secure relationship is established behind the scenes, meaning employees will not need to type a separate password for each. Once logged in, employees will gain access to both integrated resources, maintaining a passwordless experience throughout their workday.
The benefits of businesses going passwordless are clear: eliminating the password from the employee login experience results in an improved user experience for your employees – a login that is more seamless and secure than a traditional username and password. Passwordless authentication introduces new ways for your employees to log into their work simply and securely, without a password in sight, and thus eliminates account resets, password reset requests, and the manual password rotation process.
Going passwordless helps organizations achieve increased productivity amongst employees, reduced IT costs, and stronger security. However, keep in mind, passwords are still the most prevalent method of authentication and are not going away any time soon. That’s why organizations should couple a passwordless login experience for employees along with enterprise password management for every password that is still in use, to secure every access point while delivering a seamless login experience.
(*) Disclosure: This contributed article is sponsored by LastPass, a LogMeIn brand. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.