Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //

Authentication

5/28/2019
12:00 PM
Steve Zurier
Steve Zurier
Slideshows
Connect Directly
Twitter
RSS
E-Mail

8 Ways to Authenticate Without Passwords

Passwordless authentication has a shot at becoming more ubiquitous in the next few years. We take a look at where things stand at the moment.
8 of 9

Ping Identity

Ping Identity CISO Robb Reck says the promise of future continuous, risk-based authentication is better security and improved convenience. By using multifactor authentication, Ping Identity can use sensors in people's phones and laptops to continuously authenticate users and allow them to access their resources based on the quality of that ongoing trust. This process only calls for authentication when trust is lost, and then only requests the level of assurance required for the type of transaction the user wants to make.

"The key to a successful end-user experience is providing it regardless of the device the consumers are connecting from," Reck says. "A huge portion of consumer-facing businesses, such as online retail, have moved to the smartphone, so any customer experience initiative needs to consider that platform from the start."

Ping plans to replace passwords with push notifications to mobile devices and offer scannable QR codes, which produce one-time passcodes for users, Reck says. With the PingID mobile SDK, enterprises can balance security and convenience for customers by embedding advanced MFA functionality directly into their own iOS or Android mobile apps. This lets organizations allow their customers to log in with easier methods than having to remember a password.

The same goes for laptops and PCs, Reck adds. Organizations are replacing passwords and supplementing them in the sign-on process to these devices.

"By adding multifactor authentication to processes like Windows login, organizations can either remove password requirements and instead have employees use a friendlier range of mobile push authentication methods, or use those in addition to passwords for a more secure logon process," Reck says. "We're also implementing Windows Hello as an authentication factor in PingID with the same intention."

Image Source: Ping Identity

8 of 9
Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
ScottyTheMenace
100%
0%
ScottyTheMenace,
User Rank: Strategist
6/6/2019 | 5:46:08 PM
Touch ID is not passwordless
Not sure if it was your intent to suggest that it was, but Apple's Touch ID is not passwordless.

In iOS, you still have to set a passcode, and it seems to be the passcode that actually unlocks your device. All Touch ID does is use your fingerprint to fill the passcode into the field. (I don't know the technical details to know that's the case, but it sure seems like that's what's happening.) You're also forced to use the passcode seemingly at random (though it's probably time delimited) and to activate Touch ID after a restart.

I love using Touch ID—it's quite convenient—but its dependence on a typed passcode actually encourages users to use weak passcodes that are easily remembered since they'll eventually need to type it in, and typing the passcode* 984ELBMYAq[[email protected]%t5sM+5{j=9AYH__4jqDr on a touch keyboard is not real fun.

 

* Generated just now. Not any of my passwords. C'mon now, do I look that dumb? DON'T ANSWER THAT!
wibblewibble
100%
0%
wibblewibble,
User Rank: Apprentice
5/30/2019 | 7:49:18 AM
SQRL
Don't forget SQRL! https://www.grc.com/sqrl/sqrl.htm
More SolarWinds Attack Details Emerge
Kelly Jackson Higgins, Executive Editor at Dark Reading,  1/12/2021
Vulnerability Management Has a Data Problem
Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-36192
PUBLISHED: 2021-01-18
An issue was discovered in the Source Integration plugin before 2.4.1 for MantisBT. An attacker can gain access to the Summary field of private Issues (either marked as Private, or part of a private Project), if they are attached to an existing Changeset. The information is visible on the view.php p...
CVE-2020-36193
PUBLISHED: 2021-01-18
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
CVE-2020-7343
PUBLISHED: 2021-01-18
Missing Authorization vulnerability in McAfee Agent (MA) for Windows prior to 5.7.1 allows local users to block McAfee product updates by manipulating a directory used by MA for temporary files. The product would continue to function with out-of-date detection files.
CVE-2020-28476
PUBLISHED: 2021-01-18
All versions of package tornado are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configura...
CVE-2020-28473
PUBLISHED: 2021-01-18
The package bottle from 0 and before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with defa...