Long passwords built from letters, numbers and special characters, changed on a schedule, have long been the mainstay of organizational log-ins and system access (although current guidance such as NIST SP 800-63B no longer recommends routine rotation). But a password is far from impervious to an unauthorized user, no matter how many zeros, underscores and asterisks get thrown into the mix. Malware that records keystrokes can be installed on a device. Attackers run so-called "brute force" tools that try generated or leaked password lists against an account until one works. Authorized users can be duped into typing their credentials into a look-alike site by a phishing e-mail, after which the stolen log-in is used, or resold, by people who should never have it. In a related technique, password spraying, an attacker tries one or two very common passwords against a long list of accounts, which sidesteps lockout rules that only count failures per account. None of these attacks care how clever the latest password is, which makes the exercise of inventing yet another multi-character combination largely futile and can lead to serious cybersecurity complications. The World Economic Forum estimated that 80% of cyberattacks are password related.
There is also the time your organization's information technology team spends helping employees who have locked themselves out of an account or forgotten a password. The combination of internal resources spent on passwords and the weaknesses of text passwords has led to growing interest in passwordless authentication. What follows are some key points about the trend, including how it may fit your organization's user identity and access management strategy.
What is Passwordless Authentication?
The benefits of passwordless authentication are easy to recognize: a FIDO-style log-in cannot be handed to a phishing site, because there is no password to type and the credential is bound to the device and to the genuine site, IT teams spend significantly less time helping network users with their passwords, and users do not need to invent 10-plus character combinations several times a year. It can be much easier for your organization, provided the technology is there to support it.
Fingerprint readers, iris scanners and face recognition are commonplace on cellphones. Your run-of-the-mill work computer or workstation is much less likely to have that functionality in place today. Windows and Apple personal computers have some of it baked in, Windows Hello and Touch ID on macOS respectively, but equipping most workplaces with it would likely take a significant investment. Microsoft's Azure Active Directory builds passwordless sign-in on top of such hardware: the fingerprint or face unlocks a private key held on the device (Windows Hello for Business, a FIDO2 security key or the Microsoft Authenticator app), and the biometric itself never leaves the device or reaches the directory.
Not all passwordless authentication requires biometrics, however, which may make moving to it more appealing. Software solutions are turning to public-key cryptography to give authorized users seamless, secure access without the separate one-time-code step of today's two-factor log-ins: the device holds a private key, the service stores only the matching public key, and signing in means signing a fresh challenge from the service rather than sending a secret across the network. Standards now exist to support this, namely the W3C Web Authentication API (WebAuthn) and the FIDO Alliance's FIDO2 project, of which WebAuthn is the browser-facing half. Such cryptographic credentials are still two factors (the device plus the PIN or biometric that unlocks it), and a roaming authenticator such as a USB or NFC security key can be used across multiple devices and platforms.
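As an added illustration of the cryptographic log-in described above (example code written for this article, not part of the original publication or of any vendor's product), the Go program below models a WebAuthn-style ceremony from both sides: the device generates a key pair and signs the service's challenge together with the origin of the page that asked, and the service verifies the challenge, the origin and the signature. The names example.com and evil.test and the functions Register, Get, Verify and Login are assumptions made for the demo; real WebAuthn also signs over authenticatorData and has the browser itself refuse cross-origin requests, both of which are simplified here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData is the part of WebAuthn's CollectedClientData used here; the browser fills in Origin.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the login response (real WebAuthn also signs over authenticatorData, omitted here).
type Assertion struct {
	ClientDataJSON []byte
	Signature      []byte // ASN.1 ECDSA over SHA-256(ClientDataJSON)
}

// Authenticator models the device: the private key is generated there and never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

// Register creates a fresh P-256 key pair and hands back only the public half for the server.
func Register() (*Authenticator, *ecdsa.PublicKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // crypto/rand unavailable; nothing sensible to do
	}
	return &Authenticator{priv: priv}, &priv.PublicKey
}

// Get signs the server's challenge together with the origin of the page that asked for it.
// A real browser refuses to use example.com's credential from a page at evil.test at all;
// the point of the server-side checks below is that the server must not rely on that.
func (a *Authenticator) Get(origin, challenge string) (*Assertion, error) {
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	digest := sha256.Sum256(cd)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{ClientDataJSON: cd, Signature: sig}, nil
}

// RelyingParty is the server: it holds a public key and its own origin, never a secret.
type RelyingParty struct {
	Origin string
	PubKey *ecdsa.PublicKey
}

// newChallenge returns a fresh random nonce; the server keeps it in the login session.
func newChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return fmt.Sprintf("%x", b)
}

// Verify performs the checks a relying party must make before accepting a login.
func (r *RelyingParty) Verify(as *Assertion, expectedChallenge string) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != expectedChallenge { // a captured assertion cannot be replayed later
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != r.Origin { // the signed origin is what makes the credential phishing-resistant
		return fmt.Errorf("assertion was made for origin %q, not %q", cd.Origin, r.Origin)
	}
	if digest := sha256.Sum256(as.ClientDataJSON); !ecdsa.VerifyASN1(r.PubKey, digest[:], as.Signature) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

// Login runs one ceremony from a page at origin and reports whether the server accepts it.
func Login(rp *RelyingParty, auth *Authenticator, origin string) error {
	c := newChallenge()
	as, err := auth.Get(origin, c)
	if err != nil {
		return err
	}
	return rp.Verify(as, c)
}

func main() {
	auth, pub := Register()
	rp := &RelyingParty{Origin: "https://example.com", PubKey: pub} // assumed name, not a real site
	fmt.Println("genuine site:", Login(rp, auth, "https://example.com"))
	fmt.Println("phishing site:", Login(rp, auth, "https://evil.test"))
}
```

Run it with go run: the genuine log-in prints <nil> and the phishing attempt prints the origin mismatch error. The checks in Verify are the ones the service controls. A challenge relayed through a phishing page fails because the origin the victim's browser signed is the phishing site's, not the service's; a captured assertion fails because the next log-in uses a new challenge; and an attacker who rewrites the origin field to the genuine one breaks the signature, since the signature covers the entire client data.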
Is Passwordless Authentication Right for My Organization?
Passwordless authentication is still an emerging part of business information security programs, but it is worth monitoring. Most organizations may be comfortable with their current multifactor authentication, which typically combines a password with an SMS code or a push or face check on a smartphone; SMS codes in particular can be intercepted or phished, which is one reason NIST SP 800-63B discourages them. But keep in mind the time your organization spends on password-related IT tickets and help desk calls. Convoluted multifactor methods are also not user friendly and may be causing delays, or at least aggravation, for employees trying to quickly accomplish a basic work task.
Moving to passwordless authentication may also be more appealing if your organization has had information security incidents that involved a compromised password. The more the supporting technology matures, the less likely it is that adoption stays relegated to a "one day maybe" state.
For More Information
For more information about best practices in information security protocol, please contact us.
Copyright © 2021, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.
CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ).