Indeed, the months between April and June 2020 saw a 65 percent increase in cybersecurity incidents. While the dramatic rise to remote work has opened up new opportunities for flexibility and productivity for enterprises, the shift of work outside of enterprise-grade firewalls, logical access control and network security leaves both individuals and organisations exposed to greater risk.
One of the biggest risks continues to be the password. Bill Gates suggested over a decade ago that the password should become redundant. Yet the vast majority of digital assets still have their access controlled by passwords. Consider:
• 80% of hacking-related breaches that “leverage stolen and/or weak passwords” are caused by compromised passwords, per the 2019 Verizon Data Breach Incident Report
• Google found that 65% of people reuse passwords across accounts.
• 2.7B email/password pairs were exposed in the Collection 1 breach alone – and that was just the start.
• In recent times, phishing for passwords is one of the primary ways that bad actors gain access for the purposes of planting ransomware.
People choose simple passwords they are likely to recall easily and use the same one across a multitude of devices and platforms. But this vulnerability suggests that the password needs to be replaced by a safer, more efficient solution for digital access.
The inherent vulnerability of the password approach
Beyond the obvious cost of data breaches, passwords are inefficient in other ways. Having unique passwords for every access need – changed regularly – is a security best practice, but a drain on productivity – whether due to the time and frustration of entering passwords across applications or devices, or delays for recovery of forgotten credentials.
Solutions for logical access control without passwords have been touted as safer and more convenient than the use of physical passwords. Biometrics, for example, might use fingerprint scans rather than relying on a user inputting a password. However, the scan still relies on a repository of passwords elsewhere in the system, with the biometric scan just replacing the physical part of entering the credential. It provides a gateway to unlock the password repository, which can still be breached and is therefore still a risk factor for enterprise security.
In fact, any solution that stores passwords in a central repository, and relies upon employees or individuals to enter their credentials into a machine to access and unlock a system, is inherently vulnerable. All it takes is one credential to become compromised, and the system is at risk. In a worst-case scenario, the central repository itself is compromised, and hundreds or even thousands of passwords are stolen – leaving a large group of employees, machines and systems vulnerable to cyberattack.
The future of workplace authentication
The solution to this vulnerability is to remove the main sources of risk, both the password itself and the central repository. Decentralising those credentials means that any attack can only take place through one narrow vector: the individual. Shoring up the human vulnerability is now possible through the use of single-sign-on (SSO) with passwordless authentication, which stores highly encrypted and secure credentials on an individual’s mobile device.
Passwordless with SSO works through the use of trusted digital identities, which are created by issuing a secure digital certificate that is stored securely on a user’s mobile device. Think of that as a secure digital ID card stored in encrypted format on a mobile device and unlocked with the user’s biometrics.
When an employee needs to unlock a device or system, they enter their biometric (fingerprint or facial match) and then their digital certificate ‘swaps’ credentials with that device via public key infrastructure (PKI) technology. This means that a secure set of digital keys are created, decoded and swapped between the two devices, ensuring that the user’s credentials are legitimate and that they are authorised to access the device or system they are attempting to unlock. This is all achieved without the use or exchange of passwords, removing that particular vulnerability altogether.
The resulting level of security is also coupled with a more frictionless experience, making the manifold daily transactions between an individual and their digital work tools faster and more efficient.
Between enhanced security, improved efficiency and greater physical safety, there are a lot of positives to take from an integrated passwordless and SSO solution. The cyber safety of an enterprise with a distributed workforce can be improved by adopting this next-generation technology, and moving beyond the outdated use of passwords for access control.