Will Password Elimination Solve Your Security Problems?
Password proliferation has become a problem for both individuals and businesses. Most people have so many different passwords for both work and home that they frequently forget and have to reset them. To eliminate changing them so often, some people even scribble them on sticky notes or they use the same password over and over just to make things simpler.
While most cyberattacks begin with a phishing email, they don’t get very far until their phishing expedition has yielded a weak or a stolen password. According to Verizon, more than 80% of attacks stem from password problems. While approaches may vary, the prize is usually the same: Criminals want credentials, and, once they have them, the world (or, at least, your clients’ networks) is their oyster.
That’s why a number of companies (including Google and Microsoft) are trying to point their customers in the direction of a password-less future. They are turning to multifactor authentication (MFA) and other approaches to provide a more secure means of accessing data and applications.
FIDO takes a bite out of password dependence The Fast Identity Online (FIDO) standard, now in its second iteration, has emerged as one way forward. Both Google and Microsoft have embraced FIDO-based solutions to the password problem. FIDO provides a way to register a device or an application, and then use a PIN, fingerprint, facial image or other supported methods for logging in.
Google employees, for example, now use YubiKeys with embedded chips that connect to a device without a password. Microsoft has internally launched Windows Hello for Business and the Authenticator app for MFA sign-ons.
Windows Hello provides biometric authentication in Windows 10 using fingerprints or facial recognition. The latest version of Microsoft Authenticator replaces the password using MFA for logging in to multiple applications with a combination of facial recognition, fingerprint scanning or a PIN. The company claims this can reduce password compromise risk by nearly 99.9%.
The FIDO 2.0 standard now includes an advanced web authentication protocol and the Client to Authenticator Protocol (CTAP) for creating links between a mobile phone or security key and a client device.
Are we entering a password-free era?
There are some in the industry that believe the latest FIDO advancements signal the end of passwords. In a recent interview, Alex Simons, vice president of program management at Microsoft, said, “We’re at the point now where I feel really confident that we can declare the beginning to the end of the era of passwords. Within 120 days or so, there will be no reason why you should need to use a password with any Microsoft-connected application ever again.”