We hear it all the time: “Humans are the weakest link in cybersecurity”. Unfortunately, this contemptuous characterization of human nature is deeply ingrained in the industry. While human error is still the driving force behind a number of security breaches and incidents, the modern cybersecurity landscape has become too broad and sophisticated to be managed by individuals alone. By modernizing and implementing the right tools, however, we may be able to reduce and improve the impact of the human factor on cybersecurity.
The Alternative? Passwordless Authentication
Security could be dramatically enhanced by modernizing authentication systems and introducing new technologies. It is much easier to blame the end user for a security breach than to address the larger and more challenging issue of getting rid of legacy systems. Luckily, the continued momentum of passwordless authentication technologies is one of the key trends in the identity and access management (IAM) space.
Over the past few years, there has been a significant uptake in the adoption of passwordless authentication solutions in both enterprise and consumer use cases. Passwordless is becoming the new normal, and the use of passwords is becoming less and less relevant. For enterprises, this means a new opportunity to build new authentication architectures and leverage the potential of standards such as FIDO.
FIDO as a driving force
The non-profit organization FIDO ("Fast IDentity Online") Alliance was launched in 2013 to develop and promote authentication standards. As a result, the FIDO Alliance has introduced a set of open, scalable and interoperable specifications to reduce the reliance on passwords.FIDO2 is the latest specification released by the Alliance, offering a more flexible approach that supports a range of authentication factors, including biometrics, security keys and other devices. WebAuthn is a web standard developed by the World Wide Web Consortium (W3C) that implements the FIDO2 specifications for web applications.
The role of FIDO2 and WebAuthn in passwordless authentication is to provide a secure, standardized, and user-friendly approach to authentication on the web that eliminates the reliance on passwords and improves user experience at the same time. FIDO2 and WebAuthn use public key cryptography and strong authentication to enable passwordless authentication while reducing the risk of password-related attacks, such as phishing and credential stuffing.
FIDO has also worked with companies such as Microsoft, Google and Apple to integrate and adopt FIDO standards across their operating systems. More recently, these companies have announced plans to support passkeys on their platforms. For example, Apple's latest update, iOS 16 for iPhones as well as macOS Ventura for Macs, now supports passkeys, while Google introduced support for passkeys in December 2022.
The adoption of passkeys
In a nutshell, a passkey is a type of authenticator that works by generating a unique cryptographic key pair. The private key is securely stored on the user's device (such as a USB key or mobile phone), while the public key is shared with the FIDO server. During authentication, the passkey generates a digital signature using the private key and sends it to the server along with the user's credentials. The server then verifies the signature using the public key, and if the signature is valid, the user is granted access.
The use of passkeys by these companies is likely to contribute to the widespread adoption of a passwordless future. As a consequence, the transition to phishing-resistant forms of authentication will continue to gain momentum. Companies need to evaluate the assurance level they seek for their relying applications and, if appropriate, leverage the benefits of passwordless technology. Nevertheless, by eliminating passwords and providing users with a more modern authentication system, organizations can strengthen security and lessen the impact of the human factor.
More on this at EIC 2023
Learn more about this topic in the Analyst Chat #164: Trends and Predictions for 2023 - Passwordless Authentication, where our analysts explore the importance of passwordless authentication for the whole Access Management process and why organizations should implement passwordless solutions to get rid of poor user experience and security risks.
For additional perspectives on the variants of passwordless authentication, attend this session entitled Passwordless Primer, which will take place during the European Identity and Cloud Conference 2023 on May 10th. Phishing resistance, device binding, secure elements, and many of the other technical aspects will be explained, put into context, and rated regarding their relevance for different use cases.
And, discover some of the business benefits of passwordless authentication, the steps involved in selecting the right tool, important considerations, challenges, and opportunities in the new KuppingerCole service: KC Open Select. This report will provide you with questions to ask vendors, criteria to select your vendor, and an excellent starting point to streamline the decision-making process.