Last year, in a time before lockdown, a couple members of our team went to a Kansas City IAM Meetup. One of the first facts on our presenters’ screen said:

2 of 5 people have had their password hacked

Another recent article on our radar highlighted that hundreds of thousands of people are using passwords that have already been hacked.

Passwords have traditionally been a standard authentication tool, but over time, their flaws have become more apparent. Often, users will create easy to guess passwords, and will use the same password across multiple platforms.

Another factor at play: Hackers have become better at cracking passwords over time as well. By using methods including utilizing special-built hardware designed for password cracking, implementing botnets that try different login and password combos using credentials stolen from other sites, or even hiring out the attacking to other experts, “most attackers will usually crack 80 to 90 percent [of passwords] in less than 24 hours.”

Is the authentication landscape just all doom and gloom? What hope is there when our most recognized form of security isn’t as secure as we thought? Our friends at the Kansas City IAM Meetup brought forth some solutions that mirror some of our Identity and Access Management philosophies. A big focus was on passwordless authentication. In our continued effort to help you Level Up Your Identity Program this month, let’s take a closer look at passwordless authentication.

The Low Down on Passwordless Authentication

There are many ways to provide authentication without a password. The subject of the recent meetup we attended was FIDO2.

FIDO2 is a joint effort between the FIDO Alliance and the World Wide Web Consortium. It’s the overarching term for this partnership’s newest set of specifications to move the world beyond passwords.

The FIDO (“Fast IDentity Online”) Alliance supports many password alternates. We’re going to run through a couple examples today.

Biometric Authentication

Biometric authentication methods include things like fingerprint, voice, and facial recognition. These methods have gained prominence in mainstream applications due to their implementation in smartphones, for one example.

A recent article in the Wall Street Journal highlights some of the benefits of biometric authentication in financial institutions, which have increasingly implemented voice recognition software to confirm the identity of users, but there have been other concerns raised on the risks associated with reliance on biometrics alone.

In order to alleviate some of the concerns surrounding biometrics, it is advised to use biometric authentication as a part of two-factor authentication in your organization, which pairs multiple authentication methods, like biometrics with, for example, security tokens.

Security Tokens

A security token is a physical device used to gain access to an electronically restricted resource. Security tokens can by utilized through a physical connection to a device by way of a USB port or smart card reader, among other examples. Security tokens may also be utilized through disconnected tokens that do not involve an input device. These disconnected tokens may have a screen that the user must then enter via keyboard or keypad.

Again, it is advised that security tokens are used as part of established two-factor authentication implementation within your organization.

The Future of Passwordless Authentication

The FIDO alliance has grown rapidly since its inception in 2013. It now includes more than 260 member organizations, including Amazon, Bank of America, Google, Intel, and Microsoft, among others.

As the FIDO Alliance continues to pursue its mission to develop and promote authentication standards that help reduce the world’s over-reliance on passwords, we can expect passwordless authentication solutions to become more refined, and to see more organizations adopt passwordless authentication solutions.

It can be overwhelming to keep up with these updated standards and procedures to keep your organization secure. We’re dedicated to helping you find the right solution for your business the first time.

If you would like to discuss how to keep your organization more secure through Identity and Access Management and the implementation of passwordless authentication, let’s take some time to connect. Fill out the form below, and one of our IAM experts will reach out to answer any questions, and discuss ways we can help you Level Up Your Identity Program.