Passwordless
As promised passwordless authentication or “passwordlessness”. I think I may have made that word up – but it conveys nicely what I want to say here.
Passwords were the best security people could think of back in pre-history – spies and governments have used them forever – they were what we had when computers, networks and then the internet started up, but are they what we need today for good security?
The password is where cyber security meets the user and it is the user that can compromise password security. Two of the main user issues are using a password that is too simple or reusing the same password across multiple systems.
I have written about both of these issues before here and here.
Passwordless
If passwords are a weak link in our cyber security then let’s get rid of them and that is what the FIDO* Alliance, and some of the biggest names in technology, including Microsoft, Google and Apple, are working towards – passwordless authentication. (Glavin. 2022)
What is it?
Passwordless authentication works by using public/private key cryptography to create a link/token between the online service and the user’s device at the time of registration. When the user wants to log in, their device is challenged to prove it is in possession of the token previously created. This proof of possession, through an app, is usually accomplished through a local security action such as a PIN, face recognition, finger print, voice or gesture recognition etc. No password is required.
The protocols that control these processes are designed to be secure from the ground up, no sharing of information between services, no tracking and no biometric data ever leaving the device.
It sounds more complicated than it is – services that offer passwordless operations usually have very good step through processes to set it up – just have your smartphone to hand.
I have set passwordless authentication up for myself on all the the services I use that offer it.
We are also implementing it across our company, as we go through some Q1 changes and upgrades to our infrastructure. Company change is a good time to roll out this type of simple-to-the-user security upgrade to your people.
A Third Problem Solved
There is a third issue that passwordlessness addresses for organisations… and I will write about that next week.
Clive Catton MSc (Cyber Security) – by-line and other articles
* FIDO = Fast Identity Online
References
Glavin, L. (2022). Apple, Google and Microsoft commit to expanded support for FIDO standard to accelerate availability of passwordless sign-ins. FIDO Alliance. Retrieved January 25, 2023, from https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/
Futher Reading
Let’s talk about passwords again. Complexity is king.
What is Credential Stuffing and why is it a problem for you?
Are your passwords on this list?
Then there are the password banks that promise to look after your passwords:
LastPass now admit that the hackers copied the user password files