Cybersecurity has become one of the biggest priorities for corporations, especially those that handle sensitive information such as financial institutions and health care organizations. Additionally, the alarming rise in identity theft has made online security a rising concern for individuals as well.
A large segment of the digital market is focused on ways to keep information secure online, spawning new technologies, software and hardware on what seems like a daily basis. But one of the basic ways that information is protected is through the use of authentication methods that seek to ensure that only the appropriate individuals can gain access to sensitive information.
Using passwords as a form of authentication and security has been the primary technology for half a century, and it is becoming increasingly obvious that this aspect of cybersecurity needs to evolve.
The Problem With Passwords
You need a unique password to access just about every site and service you use online: bank accounts, social media accounts, e-commerce accounts, streaming services – the list is endless. This means that the average individual might have hundreds of passwords. And on an organizational level, that means that IT departments have their hands full tracking, securing and managing all of those passwords. The need for passwordless login methods has become very clear, because all those passwords are not keeping you safe, for a variety of reasons.
1. People don’t use unique passwords. With hundreds of passwords to remember, most folks simply aren’t taking the time to make a separate, unique password for every site or account. Many simply use the same password over and over so that they can remember it better. Therefore, if a bad actor gets one password, they suddenly have access to multiple streams of sensitive information.
2. People don’t use strong passwords. Again, with an overwhelming number of passwords to recall, remembering a random series of letters, numbers and symbols can just be too much. Thus you see people using easily guessed passwords like their birthdays, their last name or a series of consecutive numbers.
3. People don’t store their passwords securely. Even those who follow best practices and create a unique, strong password for each account often make the mistake of storing their passwords in insecure ways. It is common for individuals to use a password journal to record each of their passwords. The problem is that they then leave that list of passwords lying around for anyone to find. It happens in offices every day as well. Who hasn’t passed a co-worker’s desk to see their computer screen framed with sticky notes with handwritten passwords on them?
The Movement Towards Multi-Factor Authentication
In an effort to mitigate the security risks of password use and to streamline the employee and customer experience, there has been a move toward multi-factor authentication, or MFA. This is a fancy-sounding term for a technology that pretty much everyone has been using on a daily basis for the past few years.
Basically, MFA continues to use the older authentication requirements of asking for a username and password, but adds an additional layer of security by then asking for another piece of unique information that is much more difficult to obtain. You might be asked to provide a one-time password sent to you by text or email, to answer a series of very personal and unique questions, or to verify your identity through a path that requires you to use another device – such as your phone – that is uniquely registered to you.
Innovative and increasingly secure uses of multi-factor authentication continue to develop, but at its core, MFA remains based on antiquated password-centric authentication.
The Passwordless Solution
Passwordless authentication is the latest evolution of MFA. It keeps everything that is great about multi-factor authentication and removes all reliance on password-based security.
Passwordless MFA splits your authentication process into two separate parts, together referred to as a cryptographic key pair. The first half of the key – the public key – will be something simple such as a username, email address or phone number. The second half of the process – the private key – uses something that you own, such as your cell phone or a hardware token, or something that is inherent to who you are, like a fingerprint or a retina scan. Notice that nowhere in this process is there a password or other secret that the user needs to remember or that an attacker could guess or steal.
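To make the key-pair idea concrete, here is an added example (not code from the original article or from any product it describes) of the challenge-response flow behind device-based passwordless login: the server keeps only a public key per user, the private key stays on the device, and the username merely selects which registered public key the server checks. It assumes Ed25519 as the signature scheme and uses a constructed user "alice"; the checks at the end show that a replayed signature and a signature from a different device are both rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Relying party: keeps one public key per user plus the outstanding challenge; no password hash.
type Server struct {
	users      map[string]ed25519.PublicKey
	challenges map[string][]byte
}
// Challenge issues a fresh 32-byte nonce that the user's device must sign.
func (s *Server) Challenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err) // a failing CSPRNG is not recoverable
	}
	s.challenges[user] = c
	return c
}
// Verify checks the signature with the registered public key and consumes the
// challenge, so a captured signature cannot be replayed and an unknown user fails closed.
func (s *Server) Verify(user string, sig []byte) bool {
	pub, c := s.users[user], s.challenges[user]
	delete(s.challenges, user) // one-time use, whether or not the check passes
	return pub != nil && c != nil && ed25519.Verify(pub, c, sig)
}
// newDevice models a phone or hardware token; the private half never leaves it.
func newDevice() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}
// Demo enrolls one device for the constructed user "alice" and reports whether a
// genuine login, a replayed signature, and another device's signature are accepted.
func Demo() (valid, replay, wrongDevice bool) {
	srv := &Server{users: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
	pub, priv := newDevice()
	srv.users["alice"] = pub // enrollment: only the public half reaches the server
	sig := ed25519.Sign(priv, srv.Challenge("alice"))
	valid = srv.Verify("alice", sig)  // true: right key, fresh challenge
	replay = srv.Verify("alice", sig) // false: challenge already consumed
	_, otherPriv := newDevice()
	wrongDevice = srv.Verify("alice", ed25519.Sign(otherPriv, srv.Challenge("alice"))) // false
	return
}
```

A breach of the server's user table yields only public keys, which is why there is nothing here for a password-reuse or credential-stuffing attack to work with.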
Passwordless authentication continues to develop at a rapid pace, becoming more and more secure as it does. Companies are experimenting with private keys based on geolocation, refined biometric markers and even patterns of behavior or unique patterns in gestures. Hopefully, this will make hacking into personal accounts and information nearly impossible – at least until hackers figure out cloning technology.