A Passwordless Future is Getting Closer and Closer

May 22, 2022 / Kron

A significant portion of the security vulnerabilities that open the door to cyber attacks, new examples of which we encounter every day, are caused by defective passwords. More than 80% of data breaches that occur today are due to errors in the passwords used. It is estimated that companies allocate more than $1 million a year to supporting their employees with password problems. According to the Passwords and Efficiency 2021 survey conducted by a technology company in the USA, 60% of the office workers who took part say that difficulties with the passwords they use slow down their work and reduce productivity.

Considering these challenges and the dangers of being hacked, passwordless authentication methods eliminate the need for end users to create, store or remember passwords. Passwordless authentication, which eliminates the risks of password breaches, both reduces costs and protects the data of users and the company's cloud system. In passwordless authentication, passwords that are likely to be forgotten or captured are replaced by other, more secure authentication factors such as biometrics or PINs.

Apple, Google and Microsoft Aim to Remove Passwords

Apple, Google and Microsoft, considered the world's technology giants, intend to join forces to implement their joint plan that standardizes passwordless authentication and therefore passwordless login.

Apple, Google and Microsoft are getting ready to implement the passwordless standards of the FIDO Alliance (Fast Identity Online Alliance), an industry consortium formed to develop new authentication technologies, on Android, Chrome, iOS, macOS, Safari, Windows and Edge devices. Accordingly, it is foreseen that in the near future, you will not need to use passwords for applications, devices and websites, and passwords will be replaced by keys to be paired with devices. It becomes almost impossible to capture keys that are paired according to the standards set by the FIDO Alliance, in which Apple, Google and Microsoft collaborate with each other.

Microsoft's FIDO2-based identification solutions are thought to be more secure, faster and easier than existing passwords or multi-factor authentication methods. Apple, the favorite of technology enthusiasts with its intuitive and capable devices, especially emphasizes that they support a transparent and secure user experience that provides better protection and prevents password vulnerabilities.

These standards are already supported on some Apple, Google and Microsoft devices. However, the current login method can only be used on a single device at the moment. It is foreseen that, once passwordless authentication is fully implemented, it will be possible to log in on more than one device after the first registration.

So What's This Passwordless Authentication?

Passwordless authentication is defined as an authentication method that allows the user to access an application or cloud system without entering a password or answering security questions. With passwordless authentication, users do not need to create, store or remember passwords. The user will be able to access any system by means of authentication methods such as a single touch, a glance or a code given by the hardware. Passwordless authentication that meets standards such as Fast Identity Online (FIDO2) and the Web Authentication API (WebAuthn) paves the way for passwordless login on different platforms.
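The device-paired keys described above can be modelled in a few lines. This is an added example, not code from Kron, the FIDO Alliance or any vendor; it simplifies the WebAuthn login step (no CBOR, no attestation), and the names createAuthenticator and verifyAssertion and the example.com origins are assumptions made for illustration.

```javascript
// Simplified model of a FIDO2/WebAuthn login: the server holds only a public key.
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Authenticator: the private key is created on the device and never leaves it.
function createAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  let signCount = 0;
  return {
    publicKey, // the only thing the server stores at registration
    // In a real browser the origin is filled in by the browser, not by the page.
    getAssertion(challenge, origin, rpId) {
      const clientDataJSON = Buffer.from(JSON.stringify(
        { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
      const counter = Buffer.alloc(4);
      counter.writeUInt32BE(++signCount);
      // Layout: rpIdHash (32 bytes) | flags (1 byte, user present) | signCount (4 bytes)
      const authData = Buffer.concat([sha256(rpId), Buffer.from([0x01]), counter]);
      const signature = crypto.sign('sha256',
        Buffer.concat([authData, sha256(clientDataJSON)]), privateKey);
      return { clientDataJSON, authData, signature };
    },
  };
}

// Relying party: checks what was signed, then the signature, then the counter.
function verifyAssertion(stored, expected, assertion) {
  const { clientDataJSON, authData, signature } = assertion;
  const clientData = JSON.parse(clientDataJSON.toString('utf8'));
  if (clientData.type !== 'webauthn.get') return 'bad-type';
  if (clientData.challenge !== expected.challenge.toString('base64url')) return 'bad-challenge';
  if (clientData.origin !== expected.origin) return 'bad-origin';
  if (!authData.subarray(0, 32).equals(sha256(expected.rpId))) return 'bad-rp-id';
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  if (!crypto.verify('sha256', signed, stored.publicKey, signature)) return 'bad-signature';
  const count = authData.readUInt32BE(33);
  if (count <= stored.signCount) return 'counter-replay';
  stored.signCount = count; // a counter that fails to increase suggests a replay or clone
  return 'ok';
}

// Constructed run: a genuine login, then the same challenge answered on a look-alike origin.
const device = createAuthenticator();
const rp = { origin: 'https://login.example.com', rpId: 'example.com', challenge: crypto.randomBytes(32) };
const account = { publicKey: device.publicKey, signCount: 0 };
console.log(verifyAssertion(account, rp, device.getAssertion(rp.challenge, rp.origin, rp.rpId)));
console.log(verifyAssertion(account, rp, device.getAssertion(rp.challenge, 'https://login.example.net', rp.rpId)));
```

Because the signed data names the origin and a fresh challenge, a response collected on another site or captured earlier fails verification, and a leak of the server's records exposes public keys only.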

Passwordless authentication speeds up access to applications and other services, while increasing security and drastically reducing the IT support costs. Passwordless authentication is used in conjunction with solutions such as Multi-Factor Authentication (MFA) to strengthen cybersecurity measures.

The impact of digitalization on the development of today's business world is undeniable. Access to almost all applications, which are more involved in business processes than ever before thanks to digitalization, is made through passwords that the user sets specifically for each application. As the number of applications increases, so does the number of passwords to be memorized. Moreover, it is necessary to change these passwords frequently. Users prefer similar, identical or weak passwords across all applications in order to do their work more practically, to gain speed and sometimes to avoid forgetting them. Of course, this choice has some consequences. Cyber attackers can turn the selection of weak passwords into an advantage in data breaches through methods such as ransomware, malware and phishing.

Preferring simple methods such as a combination of username and password as an authentication method makes the system insecure against cyber attacks. Cyber attackers can capture user information by accessing other accounts through methods such as:

  • using credentials leaked from an account
  • generating random username/password combinations or using programs to determine commonly used weak passwords
  • obtaining credentials by hijacking communication flows
  • phishing using fake e-mail or text messages to trick a victim into replying with their credentials
  • installing malware on the computer to capture the user's keyboard keystrokes (Keystroke logging or keylogging)

 

Passwordless Authentication Reduces Cyber Risks

Passwordless authentication, which eliminates risky password management and takes cybersecurity to the next level, buys users extra time and contributes to their productivity by eliminating problems such as password setting, memorization and frequent change. Passwordless authentication uses methods such as proximity cards, FIDO2-compatible USB devices and physical tokens for authentication. Methods such as software tokens or certificates, fingerprint, voice or retina scanning and mobile phone applications can also be preferred as passwordless authentication techniques.

Passwordless authentication is often used with Single Sign-On (SSO) and MFA solutions. Thanks to the SSO solution, a user can access all corporate applications and services using a single proximity card, security token or mobile application. With passwordless authentication, which is also used as a part of the MFA solution, users need to perform an additional authentication step such as entering a one-time code or scanning a fingerprint when accessing applications or accounts.

Recent MFA solutions support adaptive authentication methods. Accordingly, the authentication method to be used for a specific user in a particular situation is determined according to contextual information such as IP address, device, time and location, and the rules of the institution.

Passwordless Authentication and Privileged Access Management (PAM)

Passwordless authentication offers great advantages for users and institutions in terms of security and efficiency. Privileged accounts are among the critical credentials that enable companies to access their digital infrastructure, and are considered to be the most dangerous vulnerability faced by the companies in the case of being compromised. These accounts, which can turn into both internal and external threats, can cause cyber attackers to damage the IT infrastructure and disable security controls. Therefore, privileged accounts require a transparent and highly visible security control in an auditable environment. At this point, Privileged Access Management (PAM) solutions protect the credentials that users should not know, while guaranteeing cybersecurity with additional security layers such as session monitoring, logging and threat detection.

Services that can access service accounts and servers can be managed by passwordless authentication if the Privileged Session Manager and Dynamic Password Controller, two important modules of Kron’s Privileged Access Management solution Single Connect, are used together. Privileged Session Manager allows for managing, monitoring and auditing privileged accounts within the company. Thus, privileged accounts in the system are secured against internal and external threats. In Dynamic Password Controller, another Privileged Access Management solution, all passwords are stored in an encrypted secret safe. With Dynamic Password Controller, unique passwords are automatically generated within the password safe, which contributes to the improvement of the Privileged Access Management experience. Using the two applications together in an IT infrastructure takes security to a higher level with passwordless authentication and offers a very strong protection shield to privileged accounts, especially against cyber threats such as malware, ransomware and phishing.

If you intend to keep up with the times and benefit from passwordless authentication technology, you can simply support your IT infrastructure with Single Connect's Privileged Session Manager and Dynamic Password Controller, which provide passwordless authentication, and obtain efficiency with the advantage of high-capacity access and data security. Please do not hesitate to contact us for further information and questions about Single Connect, Privileged Session Manager and Dynamic Password Controller.
