Go to search feature Go to content

Going passwordless – the journey to a future-proof digital identity

Illustration of eye with padlock

This time I will write about passwords and why we need to get away from them and how. What I am referring to is the risk we have with passwords and the risk that they may be misused.  

The risk we have today 

Even with a strict password policy, it becomes difficult to guarantee that passwords are strong. It becomes even more complex since user-IDs have different purposes, needs and permissions. The most common passwords we have are cracked in a few seconds.  

Today, there are simple programs that with extreme efficiency can run through combinations against password-protected identities to get hits. A username and password that is compromised is the starting point for staging a cyberattack. Let's say that the username and password have high privileges and administrative rights, which means an increased risk for the cyber-attack to elevate access to high value targets like core systems, directory service etc. 

All this takes place in "silence" so that the cybercriminal will not be discovered. The aim of the attack may be to make it impossible for the users to log in to systems or applications, to block access to data files , to make it impossible to send or receive emails, or to corrupt backup data.   

It is only at the very last step that the victim becomes aware that a cyberattack and intrusion has taken place. This whole incident started with a weak password ending up in the wrong hands. 

Passwordless identification and the way to a resource 

We must always protect an identity and way to a resource using a modern and strong authentication. A resource can be a Cloud service, an application (SaaS or on-premise), access emails or documents. This is a fundamentally important approach to protect the identity as well as the device used for the login. 

With passwordless authentication, there are a variety of methods used to verify and authenticate without relying on passwords. 

  • Two factor authentications: Authentication requirements based on items or factors the user uniquely possesses could come in the form of a managed mobile device, a hardware token, or a one-time password generator. In each of these cases, the user has a unique device or authentication tool that provides access. 
  • Unique encrypted PIN code: Another passwordless authentication method involves factors that the user uniquely knows. This method most often comes in the form of security questions that only a user should know the answers to. While convenient for users, this method is reliant on the user being the only one knowing the answers for a successful login. 
  • Always Verify: A third method for passwordless authentication involves the unique physical or behavioural characteristics of a user. This method most often comes in the form of biometric technology, which for example uses facial or fingerprint recognition to grant access. 

 It is very important that the passwordless authentication doesn't roam over networks or among devices, isn't shared with a server, and can't easily be extracted from a device. If multiple employees share a device, each employee will use his or her own biometric data on that device. 

Biometric authentication and the advantages  

The journey from traditional password to passwordless must be carefully planned. It is about a concept and not a product. It will affect the whole organization, the way of working and the transition to new technology capabilities. It takes time and must be carefully mapped based on the needs that exist. E.g., there is a difference between a regular user and an administrator with high-level permissions. As we will likely continue to work in a hybrid environment and combine work from the office with work from home, all user characteristics must be taken care of in passwordless authentication. Another important aspect is to ensure a consistent identity throughout the process, no matter where applications are located - be it on-premise, SaaS or Cloud.  

Biometric authentication provides the following advantages: 

  • Increased Security: Using biometrics is a very strong and secure passwordless authentication method. This is because it is based on unique characteristics a person possesses, rather than something a person knows. Biometrics also commonly feature liveness detection, which determines whether a user is a real person, and not a fake attempt by someone trying to gain access using a photo, video, or a mask. All combined, biometric technology makes it much more difficult for a cybercriminal or internal attempt to bypass security measures and gain access to an application or system fraudulently. 
  • Improved User Experience: Biometric technology also provides a more convenient, frictionless user experience. Biometric authentication takes place in seconds, with fingerprint or face recognition. Biometrics also eliminate the need for remembering passwords or retaining unique hardware tokens. 
  • Lower Cost: By going passwordless, there is ultimately no need for password resets. Application developers must no longer develop and maintain the workflows needed to provide password-based authentication. Support centres will see a decline in the number of user-ID and password reset tasks.  

Will everything be passwordless? 

Everything will not be passwordless. There will always be challenges with passwordless authentication. The biggest problem is legacy applications that can't support modern authentication, such as biometrics. Therefore, it is important to work with a risk-based approach. Prioritize and focus on high-risk accounts and applications.  

Has your password leaked?

To safely check whether your password or personal data has leaked, you can check it here: 

Ulf Larsson
Group Chief Security Architect 

Ulf Larsson

Group Chief Security Architect 

Ulf Larsson