Whitepaper

The Future is Passwordless. If you do it right.

Passwordless authentication has become a popular topic. Given the security risks and inconvenience of using passwords, many organizations are looking to completely eliminate and replace passwords with more secure authentication methods. As credential theft and ransomware attacks continue to rise, the logical step is to move away from passwords. Done right, it increases both security and convenience. However, with the device becoming a central factor in secure passwordless authentication, device trust is essential and must be incorporated into the security posture of any organization. Only then will passwordless authentication deliver to the expectation and become a cornerstone of zero trust approaches.

Martin Kuppinger

mk@kuppingercole.com

Alejandro Leal

al@kuppingercole.com

Commissioned by BEYOND IDENTITY

1 Introduction

In 1961, MIT was one of the cradles of computing activity and innovation in the world. It was around this time that computer scientists developed the Compatible Time-Sharing System (CTSS), an operating system for multiple users that employed separate consoles to access a shared mainframe and required users to use passwords to secure and access private files.

By developing a system that requested users to verify their identities, the birth of passwords introduced the concept of login and authentication in the digital world. However, only a few months passed between the first password use and the first password compromise.

Following the creation of the CTSS, a software bug infected the system's master password file and made everyone's passwords available to anyone who logged into the system. This breach demonstrated that the first passwords were not designed to provide security for the system but were instead created to keep track of how much time was spent on shared mainframe computers.

While digital identity and authentication have undergone a number of changes since the early days, passwords have remained largely the same. Passwords are a remnant of a time before hacking became a serious and widespread problem. No one could have predicted back then that one day organizations and personal lives would be highly conducted and dependent on cyberspace. As computers became more easily accessible, hackers targeting operating systems increased in frequency, intensity, and sophistication.

Consequently, the IT security community has been looking to replace passwords with alternative methods and more secure solutions. However, many enterprises and individuals still rely on passwords despite the risks and vulnerabilities they present. In 2021, for instance, the Verizon Data Breach Investigations Report revealed that 89% of web application breaches were caused by passwords, either through stolen credentials or brute force attacks.

Although credential theft and password-based attacks continue to increase, many implementations of alternative solutions, including biometrics, magic links and smartcards still frequently use passwords as a backup for these methods. As long as passwords continue to be used, users will remain vulnerable to attacks. Traditional multi-factor authentication (MFA) does not solve the problem either because it usually relies on a password as the first factor while also adding friction to the authentication process. One-time passwords, push notifications, and other 2nd factors of authentication can be bypassed by attackers more easily than most think, thus putting current MFA solutions at risk.

In order to successfully implement a passwordless solution, it is necessary to remove the password for all aspects of the authentication flow and from the recover process as well. As a consequence, eliminating passwords will add a significant layer to the overall security posture of an organization and increase security and convenience at the same time.

Beyond Identity offers a passwordless MFA solution, which entirely eliminates passwords by using asymmetric cryptography and biometrics while providing a frictionless experience to the user. By protecting the device from password-based attacks, Beyond Identity's MFA is invisible and unphisable. Phishing-resistant authentication refers to processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system. Thus, the solution does not only get rid of passwords and one-time codes, but also enforces device trust and lays the foundation for a zero trust security architecture.

To conclude, migrating from legacy MFA solutions to passwordless MFA products might make all the difference between surviving in a rapidly changing world of working from home, avoiding the harsh penalties of compliance regulations, and defending your organizations from phishing and ransomware attacks.

Continue reading...
Read the full report and get access to KuppingerCole Research for 4 weeks.
Start Your Free Trial
Already a subscriber? Click here to login.