The time is right to embrace passwordless authentication

Secret Double Octopus CSO and Co-Founder Shimrit Tzur-David discusses why the days of user-controlled passwords are over.
17 June 2021

Apple, Google and Microsoft are forging a passwordless future together.

  • Passwordless authentication makes users’ lives easier and continued remote working could be the catalyst
  • Password-free approval can mean there’s no need for a conditional step-up; it’s always at maximum security

Passwordless authentication is not a new idea. In 2004, Bill Gates told the RSA Security Conference that “There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don’t meet the challenge for anything you really want to secure.” 2004 was the year Facebook started up, YouTube came a year later, Twitter in 2006, and Apple launched the iPhone in 2007.

Gates was talking about passwordless access at a time before ransomware was something every company needed to be aware of and before cloud was a ‘thing’. Situational change on a wider scale can also be a trigger to take a new approach, and it is no exaggeration to say that we’re going through the biggest situational change since the Second World War.

Organizations have learned to accommodate remote and flexible working because they’ve had to, not because they’ve chosen to. With that change has come the need for them to reconfigure their ‘safety perimeter’ to include user-owned computers and communications networks that don’t have the same level of security protection as corporate equipment.

Embracing the passwordless authentication

Google took an important step recently on World Password Day by saying that “very soon” it will automatically enroll users in multifactor authentication – something it calls two-step verification (2SV) – a move security researchers say is a step in the right direction. Google’s director of product management Mark Risher pointed out that two-thirds (66%) of Americans admit to using the same password across multiple sites, which leaves all of those accounts exposed if any one of them is compromised.

Secret Double Octopus CSO and Co-Founder Shimrit Tzur-David, however, in a recent interview with Tech Wire Asia, believes that “with a good passwordless solution, there’s no need for 2FA/2SV – the second (or third) authentication factor is always at play since it’s built into the system. There are always multiple factors involved since they represent zero friction for the user, unlike previous technologies that were conditionally deployed based on the risk assessment. With passwordless there’s no need to have a conditional step-up; it’s always at maximum security.”

She believes passwords are complicated, and complication hurts security. “In order to be secure, you need to have complicated passwords, you have to renew them often, and you need to make sure they’re not shared or repeated between accounts. You have to make sure they’re not leaked and after all that you need to help users reset those complicated passwords because they forget them and are not allowed to write them down,” Shimrit reiterated.

The bottom line, Shimrit said, is that more than 80% of corporate data breaches start with compromised credentials, and anywhere between 40%-60% of helpdesk calls are somehow connected to user passwords. “In a way, passwords are not the real issue, people are [users and hackers] – but in any case, the days of user-controlled passwords are over,” she added.

When it comes to the rise of remote working, Shimrit said she had seen a huge increase in social engineering attempts, including phishing, which she said is much easier now that employees aren’t receiving the same level of training and oversight that they once had at the office. “Employees at all levels need constant access to files, networks, and IT management assets to allow business continuity while working from home, which makes the organization’s security that much more vulnerable to cyberattacks. Many security procedures and monitoring tools rely on metadata and behavioral data which is skewed now that most work is remote, and if employees compromise their accounts by divulging passwords it can be much harder to discover.”

Additionally, she points to the pressing need for remote helpdesk assistance, which opens up another attack surface, and of course the reliance on personal wifi networks and end-devices that are not under the corporate security umbrella. “All of these require a modern security approach built on better identity and authentication methods that are immune to today’s common attacks,” she told TWA.

For organizations considering a passwordless strategy 

Shimrit reckons it really starts with good planning – “Knowing your IT infrastructure and security and operational needs. Clear priorities are also key – organizations tend to eliminate passwords from the most sensitive systems first.” Another good starting point, she said, is accounts used by multiple employees, for example, those in administrative roles.

She emphasized that getting good advice is crucial as enterprise authentication experts can help us decide how and where to start the transition to passwordless and lead us on the path to full passwordless authentication across the enterprise, for all users and systems.

In terms of how passwordless works to reduce security threats and save costs for a business, Shimrit said the two go hand in hand, not only because good security minimizes the risk of extremely costly attacks, but also because simple and fast security measures make the entire organization more agile and efficient.

A majority of data breaches begin with leaked or compromised passwords, according to her. For a more secure and quicker process, Shimrit said users need one authenticator to access everything, leading to less authentication friction for all accounts and devices. “This all leads to a lower bottom line in terms of the total cost of ownership compared to today’s standard of many different MFA methods deployed across the domain,” she added.