If the physical perimeter and the network perimeter are connected to infrastructure, the identity perimeter is focused on the individuals, the end-users.
Over time, there has been a pivot in cybersecurity to increase focus on endpoint security. It is no longer enough that an organization’s systems and network are protected; the individuals who have access to the infrastructure and software must themselves not be vulnerable.
To take the term ‘identity security’ strictly, the only authentication model that verifies a person’s identity is inherence-based, which includes all biometric solutions. Here, however, consider identity security to loosely mean authentication in general. This article explores the failure of password-based authentication systems to meet the cybersecurity needs of today’s highly innovative work environment.
Cybersecurity and the Changing Work Environment
In a hybrid work environment, of which there are many today, implementing cybersecurity policies across the board requires custom solutions for each category of employees. Because of the inevitable variety of protection protocols, there needs to be more emphasis on identity security. After all, securing employees is securing the organization.
The most effective way to protect system resources is to establish secure and verifiable access to them. Unfortunately, one key technology that we have relied on over the years is progressively collapsing: password authentication.
The failure of password authentication is that it does not establish trust reliably. Passwords can be lost, stolen, breached, and so on, leaving the system completely vulnerable. For securing high-value assets, passwords simply don’t cut it.
One of the major findings of Ponemon Institute’s The 2020 State of Password and Authentication Security Behaviours Report is that “Given the complexities of securing a modern, mobile workforce, organizations struggle to find simple, yet effective ways of protecting employee access to corporate accounts.”
Most businesses use shared passwords, relying mostly on human memory and physical notes to save passwords. Of course, many use password managers. But that’s beside the point, which is that passwords make identity authentication cumbersome and they are not sustainable.
Hence, the shift to passwordless authentication. Current models of authentication are mostly knowledge-based (passwords, PINs, patterns, etc.). However, in light of the changing nature of work, businesses are beginning to pay more attention to inherence-based and possession-based tactics.
Priorities for Implementing a Passwordless Solution
According to the 2021 Cybersecurity Insiders Passwordless Authentication report, the most cited deciding factors in implementing passwordless authentication are ‘ease of use’ and ‘ease of integration’, each selected by 76% of respondents.
One of the key priorities in authentication is to make the process seamless without sacrificing security. And even though everyone is used to passwords, they are not nearly as easy to use as biometrics, such as fingerprint and Face ID authentication on smartphones. Passwordless authentication streamlines the user experience.
But the greatest benefit of passwordless authentication is improved security. Knowledge-based authentication solutions are often the target of phishing incidents, which have risen sharply since the pandemic started. Without passwords, there’s nothing for attackers to phish, and that’s one major cybersecurity problem solved.
Methods to Strengthen Identity Security
- Multi-factor authentication: The argument against passwords is too compelling to stick with them. But even if passwords cannot be eliminated, adopting multi-factor authentication can help upgrade your cybersecurity, and more so, even deliver a passwordless experience.
- Risk-based authentication: RBA uses behavioural biometrics to determine login context before granting or denying access. Also, access is granted based on the least privilege principle to limit the possibility of serious compromise.
- Continuous authentication: Another method that utilizes behavioural biometrics. Continuous authentication analyzes user behaviour during a session to detect compromise. It could be used to prevent attacks through session hijacks.
- Security tokens: Either hardware or software tokens can be implemented alongside passwords to establish two-factor authentication. When using hardware tokens though, ensuring FIDO compliance is very important.
- Biometrics: As mentioned already, biometric authentication is the only means to truly verify one’s identity. But even that can be bypassed in special cases. Hence, it is used in combination with another method.
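The anti-phishing property behind the security-token and passwordless points above comes from origin binding: the authenticator signs a one-time server challenge together with the site identity the browser reports, so a look-alike site relaying the real challenge gets nothing the genuine service will accept. The example below is an added illustration, not code from this article or from any FIDO implementation; it models the flow loosely on FIDO2/WebAuthn but uses an HMAC over a per-site secret as a stand-in for the asymmetric signature, and the hostnames and user name are constructed.

```python
import hashlib, hmac, secrets

class Authenticator:
    # User's device: one credential per RP. The per-RP secret stands in for a per-RP private
    # key; real FIDO2 authenticators use asymmetric key pairs and never reveal the private half.
    def __init__(self):
        self.creds = {}  # rp_id -> secret

    def register(self, rp_id):
        self.creds[rp_id] = secrets.token_bytes(32)
        return self.creds[rp_id]  # stand-in for handing the RP a public key

    def sign_challenge(self, rp_id, challenge):
        # Sign only for the origin the browser reports, and bind that origin into the signed bytes.
        secret = self.creds.get(rp_id)
        if secret is None:
            return None  # no credential scoped to this origin: nothing to give a look-alike site
        return hmac.new(secret, rp_id.encode() + challenge, hashlib.sha256).digest()

class RelyingParty:
    # The genuine service: one-time challenges, verified against its own id only.
    def __init__(self, rp_id):
        self.rp_id, self.users, self.pending = rp_id, {}, {}
    def register(self, username, device):
        self.users[username] = device.register(self.rp_id)
    def begin_login(self, username):
        self.pending[username] = secrets.token_bytes(32)
        return self.pending[username]
    def finish_login(self, username, signature):
        challenge = self.pending.pop(username, None)  # each challenge is usable once
        cred = self.users.get(username)
        if None in (challenge, cred, signature):
            return False
        expected = hmac.new(cred, self.rp_id.encode() + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)

def login(rp, username, device, origin_seen_by_browser):
    # The browser, not the page content, tells the authenticator which origin it is on.
    challenge = rp.begin_login(username)
    return rp.finish_login(username, device.sign_challenge(origin_seen_by_browser, challenge))

def demo():
    device, bank = Authenticator(), RelyingParty("bank.example")
    bank.register("alice", device)
    genuine = login(bank, "alice", device, "bank.example")
    phish = "bank-login.example.invalid"  # constructed look-alike origin
    relayed = login(bank, "alice", device, phish)  # real challenge relayed through the look-alike
    device.register(phish)  # a credential enrolled at the look-alike still cannot be replayed
    relayed_after_enrol = login(bank, "alice", device, phish)
    return genuine, relayed, relayed_after_enrol
```

`demo()` returns `(True, False, False)`: only the login at the genuine origin succeeds, and because each challenge is consumed on first use a captured signature cannot be replayed either.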
Organizations need to do much better with identity and access management. Research from the Identity Defined Security Alliance (IDSA) reveals that only 26% of enterprises are confident in their capacity to thwart identity breaches even while 94% of them have experienced an identity-related breach.
According to the World Economic Forum, the building blocks of a futureproof authentication framework are security, privacy, sustainability, inclusiveness, scalability, and user experience. Passwords have failed to meet these standards and organizations must now look to more secure alternatives to strengthen identity security in the new normal of work.