Passwords bring along with them a host of management, resource, and security concerns that cost enterprises time and money.
It doesn't have to be that way. By embracing a passwordless approach, it's possible to mitigate those concerns, reduce risks, and improve productivity. The passwordless model is not a hypothetical future, either; it's a pragmatic, standards-based model that organizations can start to move toward with assets they already own.
Passwords are a relic of a pre-Internet era, when computers didn't talk to other computers. In the highly connected modern world, passwords are no longer the only way to authenticate users.
The Problems With Passwords
Whether it's via a data dump of stolen passwords or a script kiddie tool, there is no shortage of easy-to-use methods for attackers to benefit from passwords. Phishing attacks that steal user passwords are still the most common path to a data breach according to many different reports, including the Verizon "Data Breach Investigations Report" (DBIR).
Thanks to passwords, attackers don't need to be genius hacker criminal masterminds to gain unauthorized malicious access to accounts, sites, and services.
With passwordless approaches, attacks such as "man-in-the-middle" are ineffective because there is no password or shared secret to steal. The passwordless approach literally eliminates an entire class of vulnerabilities that lead to the majority of data breaches. This also helps with IT operational costs.
What Passwordless Is All About
The intent of passwordless is to verify the user with the highest level of trust and the least amount of friction.
In the past, the primary authentication was always something you know, which was the password. The secondary authentication in a multifactor authentication approach was a combination of either biometrics (something the user is) or something the user has (such as a physical device or token).
With passwordless, the "something you know" is eliminated, because asking end users to remember secrets is hard, and remembering a distinct shared secret for a very large set of applications is harder still. With passwordless, there is a combination of something you have, which is mostly your phone or your laptop, and something you are, which is a biometric.
The passwordless approach also fits into the emerging zero-trust network access (ZTNA) model. With zero trust, everything needs to be verified before a user is granted access to resources. Passwordless provides that verification without relying on a password.
Why Now Is the Right Time for a Passwordless Model
Until relatively recently, the IT ecosystem simply was not ready for a passwordless model. To enable biometrics, users needed a third-party dongle, and getting it to work with a Web browser was often a non-starter.
That has all changed in recent years, thanks in part to the efforts of the FIDO Alliance, of which Cisco is a founding member. The FIDO Alliance has been working for years on standards that enable strong authentication, and that work has culminated in the W3C WebAuthn specification.
With a standards-based approach, operating system and browser vendors — including Google, Microsoft, and Apple — have come together with industry partners to enable a broad ecosystem that supports strong authentication. Literally billions of devices that are in the market today are able to support WebAuthn, which is a cornerstone of helping to enable the passwordless future.
The Path to Passwordless
At Cisco, we have been doing a lot of research around understanding how organizations want to enable passwordless. The biggest challenge they have is that there is already an existing workflow with existing infrastructure.
For passwordless to be successful, it needs to be a continuation of whatever organizations already have, whether it is desktop or mobile hardware, single sign-on (SSO), or an existing identity provider (IdP). The modern workforce is using dozens of SaaS applications and needs an easy way to log in — passwordless with SSO is where the biggest value is found as a first step. This is the case because many organizations have already federated many applications behind their SSO solution. By enabling passwordless authentication to the SSO portal, companies can effectively extend passwordless to every federated application.
In practice, when a user enrolls in passwordless, they choose the authenticator they want to use. Every user already has a macOS or Windows system or a mobile phone, and all of those can act as an authenticator today to help enable the passwordless model. Once the user has enrolled the authenticator, no password is needed anymore to gain access.
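As an added illustration, not code from this article or from Cisco, the following Go program models in simplified form the WebAuthn-style exchange behind the enrollment and login just described, and shows why the earlier point about man-in-the-middle attacks holds: the relying party stores only a public key, and every login signature covers the origin the browser is actually on, so a signature produced on a look-alike site fails verification at the real one. The origins, challenge strings and key handling are constructed for the example, and the signature here covers only a hash of the client data, whereas real WebAuthn also covers authenticator data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// clientData mirrors the clientDataJSON fields that matter for this check.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Enroll stands in for authenticator registration: a fresh key pair is made,
// the relying party stores only the public key, and no shared secret exists.
func Enroll() (ed25519.PrivateKey, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return priv, pub
}

// Sign is the authenticator side of a login. The browser, not the user, fills in
// the origin it is on, so a look-alike site only ever gets a signature over its own origin.
func Sign(priv ed25519.PrivateKey, challenge, browserOrigin string) ([]byte, []byte) {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	h := sha256.Sum256(cd)
	return cd, ed25519.Sign(priv, h[:])
}

// Verify is the relying-party side: the challenge it issued, its own origin,
// and a valid signature over the client data must all match.
func Verify(pub ed25519.PublicKey, challenge, rpOrigin string, cd, sig []byte) error {
	var c clientData
	if err := json.Unmarshal(cd, &c); err != nil {
		return err
	}
	if c.Type != "webauthn.get" || c.Challenge != challenge {
		return errors.New("challenge mismatch (stale or replayed assertion)")
	}
	if c.Origin != rpOrigin {
		return errors.New("origin mismatch: assertion was made for " + c.Origin)
	}
	h := sha256.Sum256(cd)
	if !ed25519.Verify(pub, h[:], sig) {
		return errors.New("bad signature")
	}
	return nil
}
```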
Reducing the reliance on passwords is about meeting enterprises where they are instead of asking them to replace what they already have deployed.
Lost or stolen passwords, the need to reset passwords, users not wanting to carry a separate dongle for authentication — those are all friction elements to enabling a workforce to be productive. While security is a key benefit of passwordless, productivity could well be an even bigger benefit as users get a smoother, frictionless path to getting access to what they need.
The compliance industry needs to evolve to audit organizations for outcomes (for example: Is the user’s identity properly verified for trust?) instead of checking for specific controls. We are designing our solution so that organizations can still pass all PCI, HIPAA, and other audits even after going fully passwordless.
Passwordless is a practical approach that can deliver real benefits to organizations today.
About the Author
Ash Devata is General Manager of Cisco Zero Trust, the most comprehensive platform to secure access for any user, from any device, to any IT application or environment. In his role, Ash leads product strategy, engineering, design, and operations functions for zero-trust products within Cisco’s broader security portfolio. Previously, Ash led product and go-to-market strategy for Duo Security, growing it into a global business. Before Duo, Ash managed the enterprise solutions portfolio at RSA, and has helped build and launch more than a dozen cybersecurity products at RSA, EMC, and Cisco in the last 10 years.