The Year of Passwordless

By Thomas Whang | February 11, 2021 (updated February 16, 2021) | Thoughts

Last year was like no other. A once-in-a-generation pandemic completely upended our normal way of life and doing business, and it only now feels like we can begin to look back on 2020 with a collective sigh of relief. Still, there’s a lot we can learn from last year (the ways in which technology propped us up during the pandemic and let us down, for example) that can influence and inform what we resolve to do differently in 2021.

One resolution I advocate is to commit to making 2021 “The Year of Passwordless.”

Why Passwordless?

Why passwordless? It’s simple … breaches. In the latest release of Verizon’s Data Breach Investigations Report, over 80% of breaches are caused by credential theft. And successful breaches equate to $$$ — lots of it. Conservative estimates put the total cost of ransomware breaches worldwide at more than $1 billion.

And it’s no wonder bad actors are attracted to it — it’s easy money. Consider that the payout for one ransomware breach increased from $41,000 in the third quarter of 2019 to $233,817 in the same period of 2020. There’s no sign that the trend is abating, and with the cost of each breach rising significantly, businesses must rethink their identity access management strategy.

How does going passwordless solve this problem? Very simply, if there is no password, there is no password to steal. If there is no password to steal, there is no credential theft and therefore no breach (at least, not using stolen credentials as a vector). The concept of passwordless is to use attributes other than a password to authenticate the user.

The most common methods for passwordless authentication are:

  • Push notification application
  • Biometrics
  • Smart key / token

Microsoft boasts that more than 150 million people already sign in every month using its passwordless feature — a level of adoption so impressive that Microsoft declared 2020 “a breakthrough year for passwordless technology.” Identity providers, such as Okta, are expanding their offerings with passwordless capabilities. And pure-play passwordless identity authentication providers, such as Trusona and Beyond Identity, are bringing passwordless to another level with dynamic identity authentication and public-key technology and certificates, respectively.
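To make the “no password to steal” argument concrete for the smart key / certificate style of passwordless login, here is an added Go sketch (not code from this post or from any vendor named above) of a public-key challenge-response: the device keeps the private key, the server stores only public keys and one-time nonces, so a dump of the server’s credential store gives an attacker nothing that can be replayed. The Ed25519 key type, the 32-byte nonce size and the user name "alice" are choices made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Device models the user's authenticator (security key, TPM-backed store): the private key is generated here and never leaves it.
type Device struct{ priv ed25519.PrivateKey }

func NewDevice() (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}
func (d *Device) PublicKey() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }
func (d *Device) Sign(challenge []byte) []byte  { return ed25519.Sign(d.priv, challenge) }

// Server holds only public keys plus outstanding single-use nonces; leaking this store yields nothing that can log in.
type Server struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server { return &Server{pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}} }

// Register enrolls a user's public key (enrollment is assumed to happen over a trusted channel).
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// Challenge issues a fresh 32-byte nonce; it is issued for any name so the flow does not reveal which users exist.
func (s *Server) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}

// Verify checks the signature over the outstanding nonce and consumes it, so a captured signature cannot be replayed.
func (s *Server) Verify(user string, sig []byte) bool {
	pub, okKey := s.pubKeys[user]
	c, okNonce := s.challenges[user]
	delete(s.challenges, user) // single use, consumed even on failure
	return okKey && okNonce && ed25519.Verify(pub, c, sig)
}
```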

In fact, Beyond Identity so believes in passwordless that they’ve launched a campaign to help drive adoption called “Go Passwordless.” The campaign offers its passwordless identity for free to “any company that wants to offer its employees or customers a completely frictionless and fundamentally secure authentication experience.”

Looking Toward the Future

Although passwordless solves the problem of breaches today, there remains the question of whether it still will five or ten years from now, which is why we must change the way we authenticate users and how private data is stored in general to solve this problem once and for all.

As long as there’s a repository for personal/private data, there will always be the risk of a breach. Organizations that host private data are the custodians of that data. What this means, unfortunately, is that users don’t have control of their own data and implicitly trust that their data is being safeguarded properly. If we’re going to fix this, we need a tectonic shift in the way private data is stored. This shift is called “decentralization” or decentralized identity.

Plenty of research is underway exploring the concept of decentralized identity. Microsoft has backed a project called “Identity Overlay Network (ION).” World Wide Web inventor Sir Tim Berners-Lee is working on a project called “Solid,” which “aims to radically change the way web applications work today, resulting in true data ownership as well as improved privacy.” These projects are just a sampling of the research and development currently being done to solve the identity and privacy issues that are plaguing the web today.

Moving Away from Passwords

Until decentralized identity is mainstream and available as an enterprise solution, we need to accelerate the move away from passwords as the only factor for authentication. Below is a quick list of best practices for those who are still using passwords:

  • Enable multi-factor authentication (MFA). (Microsoft and Google agree that over 99% of account attacks can be blocked with MFA.)
  • Do not reuse passwords.
  • Use a password manager. (The average business user has 190 passwords. Without a password manager, users will absolutely reuse passwords.)
  • Enable passwordless authentication, deploying one or more of these solutions:
    • Passwordless MFA
    • Biometric authentication (Windows Hello for Business)
    • Security keys

We can prevent breaches with these kinds of password tools and alternatives. All we need now is the resolve and commitment to do so, ensuring 2021 is “The Year of Passwordless.”

Let’s do this.

Until next month, stay safe everyone.

Thomas Whang

Author: Thomas Whang, CTO at Impelix