It has been a continuous conversation over the past several years, and one that is gaining further momentum with each reported data breach—when, or should, banks shift to passwordless authentication? It is a well-known fact that consumers often use weak and recycled credentials for accessing their sensitive and essential information.
“Most of today’s passwords do not meet the challenge of anything that needs to be secure,” said Bill Gates during a RSA Security Conference nearly 20 years ago. Each year, organizations of all sizes allot substantial amounts of funding for IT support, almost half of which account for forgotten password assistance. And this assistance has been increasingly necessary, as COVID forced the world into transacting almost entirely digital over the course of two years.
According to a 2021 white paper published by “Entrust Datacard,” approximately 80 percent of today’s data infringement events are the result of compromised passwords. So, as consumers are becoming more familiar and comfortable with biometric authentication (think of CLEAR at airports and sports stadiums), it is worth considering what a completely passwordless ecosystem would look like.
As with many innovative ideas and technologies, industry leaders recommend a phased and/or layered approach to the introduction of going passwordless. Here are some avenues for getting there:
Cultivate an implementation plan that exhibits the biggest impact. Normally this is identified against IT resources and time and money spent to support forgotten credentials or recognizing fraudulent account takeover attempts to gain access to business data or personal credentials. Reducing the reliance on passwords as the only method for authentication will lower the abilities of credential thieves.
Develop trusted authentication practices that are based on geo-location triggers, unusual behaviors, transactional timestamping, and remote device authentication that builds comfort in the use of two-step multifactor authentication (MFA).
Reduce vulnerabilities by migrating from a centralized data repository to a decentralized storage source that employs biometrics credential storage, split source authentication, and device identification methods that reduce support costs and point to internal efficiencies across several support vectors.
Single Sign-On (SSO) credentialing is a major thread in a passwordless ecosystem and establishes trust between an application and service provider, which share data tokens for verification. A well-employed SSO solution authenticates users and their devices with a one-time user registration, excluding the need for re-enlisting credentials device by device and app by app and creates a solution that is frictionless and secure.
Leveraging authentication options that support biometrics or provide for Fast IDentity Online (FIDO) protocols are options to consider for passwordless migration. Realistically, these considerations do not totally reduce passwords but they lessen the reliance on these standard credentials for access and authentication.
Choosing the right passwordless authentication solution is definitely environment-driven. But, the potential to migrate to this approach can reduce or remove challenges with password hacking.
This would include “credential stuffing” (the act of asserting and testing login information from one site to access another), “man-in-the-middle attacks” (a scheme that allows attackers to eavesdrop on the communication between two targets), and “phishing attacks” (a practice of sending emails or other messages posing as trustworthy sources in order to capture individual’s personal information).
A decentralized methodology to credential storage and information management means that you can improve the user experience while managing internal support efforts and related costs.