By Anand Venkatraman, Partner, Deloitte India
Passwordless authentication has generated a lot of buzz with its promise to offer protection from phishing and other credential-based attacks in addition to providing solace to the user by doing away with frustrations of defining and remembering passwords.
Passwords are the weakest link in security
Almost every online user will agree how tiresome it is to invent different passwords of varying complexity for each of their accounts. Very often, they take the risk of reusing the same password across work and personal accounts, or use only minor variations to make it easier to remember. This opens the door for attackers, who need to compromise just one account to gain access to the others. Phishing, man-in-the-middle and similar attacks that steal passwords have been increasing, and attackers have also found ways to bypass multi-factor authentication.
Need for reduced friction combined with security and privacy protection
Remote working, Bring Your Own Device (BYOD) and increasing digitalisation have resulted in a significant amount of business being conducted online. Consumers are becoming increasingly demanding and will readily move to another service provider if the user experience is poor. Hence, reducing the friction created by passwords when users (customers, employees or partners) access applications and services is critical for the overall efficiency, productivity and business growth of the organisation. Passwordless authentication is the Swiss Army knife that offers protection from credential-based attacks and improves privacy, while reducing user friction and frustration by simply doing away with passwords.
Passwordless authentication is gaining traction with FIDO2
The FIDO Alliance's FIDO2 is now the universally accepted passwordless authentication protocol, with support from leading platforms, browsers and various authentication product vendors. The industry is well poised to adopt a standardised approach, moving away from the erstwhile proprietary solutions and less secure methods such as OTPs and magic links. FIDO2 allows the user to access any application or service with a simple swipe on the fingerprint reader, a glance at the camera, or by entering a static PIN on their laptop, desktop or mobile.
FIDO2 passwordless authentication is multi-factor authentication by design and phishing resistant: an attacker would require physical access to the user's registered device and access to the user's PIN or biometrics to compromise an account. FIDO2 uses cryptographic key pairs (a public and a private key), where the private key and the user's biometric data never leave the user's device, thereby protecting the user's privacy. It also prevents tracking of user activity across services, since a unique key pair is generated for each service.
FIDO2 supports USB keys, smart cards and mobile phones as external authenticators, which can be connected over USB, NFC or BLE and used to authenticate the user for both primary and secondary authentication. FIDO2 has been adopted by leading multinational technology companies and implemented on their platforms as an alternative to passwords for their users. Passwordless authentication is well aligned with the zero-trust philosophy of "never trust, always verify", since it authenticates both the user and the device. Passwordless authentication does not just replace passwords; it improves both the overall security posture and the user experience. This is the right time for organisations to evaluate passwordless authentication and plan how to bring the benefits of a password-free world to their users and operations.