MFA | Accops

Forget passwords to improve security #biometrics #MFA #SSO

2 min read

Digital transformation has gained unprecedented momentum in the past couple of years with businesses striving to remain on the edge, to deal with evolving challenges and gain a competitive advantage.

This has resulted in a rapid migration from legacy architecture to cloud-based infrastructure, and in the process, businesses are now operating in their newly built hybrid environments. Such always-on, always-available hybrid infrastructure demands a decentralized, identity-centric security system, where passwords become inadequate.

Identity-centric authentication system typically consists of multiple factors for authentication on top of the conventional password, which is often perceived as the most vulnerable factor. An increasing number of organizations are now getting rid of this vulnerable factor. Forbes reports that 52% of businesses are already using passwordless authentication in some form or the other and this number is only expected to grow.

Limitations of passwords

Difficult to manage: Password-related issues take up a lot of IT help desks’ support time. The cost involved in IT support and lost productivity caused due to passwords are quite staggering. Reports suggest that a single password reset request costs around 70$.

Poor user experience: To remember a strong password and type it every time a user is logging in causes a lot of friction in user experience. Also, the process to reset a password if a user has forgotten one is laborious in most cases.

Easy to exploit: Malicious forces find passwords as a low-hanging fruit and carry out attacks such as phishing, credential thefts, password guessing etc. Usage of weak passwords and reuse of passwords are common practices which make things easy for hackers.

Ditch passwords to boost security

Passwordless authentication primarily aims to overcome the above limitations and provide increased security while also improving user experience. Here is a look at the steps involved in going passwordless:

Step 1: Find use cases where you rely on passwords as the only means of authentication. Add an additional layer of authentication using MFA to minimize the dependency on passwords and lower your security risks.

Step 2: List all use cases where passwords are being used and rank them based on user experience, IT costs, and security risks. Then choose the low-hanging fruits, i.e., the use cases with the potential for the biggest impact across all three parameters in the shortest period and create an implementation plan.

Step 3: Simplify login processes to improve user experience wherever possible. Deploy Single Sign-On for web applications. Wherever strong multi-factor authentication is in place, reformulate passwords policies, allowing simpler passwords and reducing reset frequency to improve user experience.

Step 4: Go beyond the passwords and OTPs. Make use of context-aware adaptive policies in high-risk use cases using factors, like locations, time, device, behavior and more, to increase the strength of authentication.

Step 5: Once the above steps are taken, passwords become nothing but one among several factors of authentication. So, getting rid of them becomes easier depending on the criticality of the use case. In case of high impact use case with no margin for error, biometrics-based authentication can be deployed as a foolproof reinforcement before going password-less.

Going truly passwordless does not just overcome the limitations of conventional passwords – it does much more than that and opens doors to several new possibilities. It is a continuous, challenging process and is a critical part of the digital transformation journey of all businesses. When done right, it serves as the solid foundation on which you can build a sustainable and secure hybrid infrastructure. With the above template, you can kickstart your passwordless journey, in case you haven’t yet.