The password is dead. I know it’s true because I read it on Facebook.
The social media giant announced plans to replace static passwords with something more secure and easier to recover for their users. The headline value of this announcement is worth a thousand blogs.
But stepping back for just a moment, you realize they have tapped into the zeitgeist of the moment. There is a general stampede away from easily-guessable, oft-breached passwords towards…well, let’s discuss that.
The password is under siege. The latest Verizon Data Breach Investigations Report attributes over 80 percent of breaches to weak, stolen or compromised passwords.
This is surprising to absolutely nobody … you don’t even need to work in information security or IT to know this.
But until now, the conventional wisdom has been that to go beyond the password, you had to move to two-factor authentication, or 2FA. This combines something you know with something you have, for years represented by those clumsy hardware key fob tokens.
Later, multi-factor authentication, or MFA, came into play. MFA upped the game by adding more choices and a something you are, like a biometric.
Still the problems persisted. 2FA and MFA weren’t user-friendly and still burdened the user. Provisioning can take months or years. The human element—user-generated passwords or PINs forming one of the factors—means that your organization is still exposed.
What does the passwordless future look like?
For starters, it’s one where the user-generated password is finally retired. Secure-password-vaulting technologies can randomly generate complex passwords of 80 or more characters, encrypt them, store them, and securely pass them to applications that request them. This is perfect for all those legacy/traditional apps. And this is just a starting point.
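As an added illustration of the vault-generated-password idea (example code, not Crossmatch’s or any vendor’s implementation), the block below draws an 80-character password from a CSPRNG, rejection-samples until every character class is present so legacy complexity rules are satisfied, and computes the resulting entropy. The alphabet, the class rule, and the 80-character length are assumptions chosen to match the text; encrypting and storing the result is the vault’s job and is left out here.

```python
import math
import secrets
import string

# Constructed alphabet: the 94 printable ASCII characters excluding space.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Character classes a legacy application might insist on (assumption).
CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def covers_all_classes(password: str) -> bool:
    """True when at least one character from every class in CLASSES is present."""
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def generate_vault_password(length: int = 80) -> str:
    """Return a password drawn uniformly from ALPHABET using the OS CSPRNG.

    secrets.choice() is used instead of random.choice() because the latter is
    a predictable PRNG. Candidates missing a character class are rejected and
    redrawn; at 80 characters a rejection is extremely rare, so the output
    distribution stays essentially uniform.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to contain every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if covers_all_classes(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_vault_password()
    print(f"{len(pw)} chars, ~{entropy_bits(len(pw)):.0f} bits of entropy")
```

The entropy figure is what separates a vaulted machine-generated secret from a human-chosen one: 80 uniformly random characters over a 94-symbol alphabet give roughly 524 bits, far beyond what any online or offline guessing attack can cover.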
Next, bring in the analytics. Let’s face it, nation state actors have more money and people. They are too sophisticated and too persistent to give up when it’s your critical intellectual property that is their quarry.
You need analytics, i.e. artificial intelligence, that take into account a wide range of factors about your user: their geolocation, IP address, known device, browser type, and more. Sophisticated AI can then make the real-time calculations and risk assessments to distinguish an authorized user from a potential attacker or bot.
Finally, you will need additional authentication methods. When the analytics tell you something naughty is afoot, you will need to fall back on your identity-assurance strategy. This is where you introduce a variety of easily accessible but hard-to-spoof authentication methods to users.
One example is asking the user to do a fingerprint biometric on their PC laptop. Doing so finally brings together all the elements of a passwordless future: no user-generated passwords, analytics that work behind the scenes to calculate the risk of each authentication event, and a fallback to strong but easily accessible and user-friendly authentication methods.
Following this path raises the effort required for an access-related hack to the level of brute-forcing a strong cryptographic key. Put another way, only your authorized users are getting in.
Just as the announcement of the Apple iPhone 5s with Touch ID changed the conversation around biometrics and ease of use, Facebook has now “socialized” (pun intended) the idea of a world without passwords.
It’s a bold world that will be full of missteps and uncertainty, but one with an upward trajectory of promise to move us away from the single biggest factor in breaches. And that’s something I can “Like.”
Jeff Carpenter is Director of Identity and Access Management solutions at Crossmatch. In this role, he is responsible for evangelizing Crossmatch’s DigitalPersona® solution. In his 10+ years in cybersecurity, Jeff has held positions with a number of top tier cybersecurity and technology companies, most recently he was with RSA, a Dell Technologies company. Jeff earned a Bachelor of Science degree in Business Administration from Creighton University in Omaha, Nebraska. He holds both a Certified Information Systems Security Professional (CISSP) and a Certified Cloud Security Professional (CCSP) designation.