Alex Laurie, SVP Global Sales Engineering at Ping Identity
Passwords have been with us for decades. The problem is that people have far too many to remember – does this one have a capital letter, a number or a special character? Often, we don’t know. So, we delegate responsibility to a password manager and then get frustrated again when forms don’t auto-fill.
While frustrating, passwords are also the gateway to billions of dollars of fraud each year. We can’t continue on this path where demanding ever more complex passwords people can’t remember becomes the only way to access services.
Google estimated in 2019 that multi-factored authentication (MFA) on-device prompts prevent 100% of automated bots, 99% of bulk phishing attacks and 90% of targeted attacks by hackers trying to login as you. It has been a great success. But criminals adapted, and we are currently seeing breaches which prove, once again, that we’re falling behind the bad guys in the quest for security. And, while MFA works, a user receiving hundreds of authentication prompts during an attack only needs to click the wrong button once for an attacker to gain access.
It’s time these issues were removed with a passwordless approach. This entails a user setting up their account once, and then using a range of methods such as push notifications, one-time passwords and biometrics to gauge whether a login attempt is genuine. Thanks to AI innovations, this is a very real, and accurate, possibility for organisations.
So how does passwordless authentication work in practice? Instead of relying on something you know, like a password which is the name of your first pet, the system works on something you are (e.g., your face or fingerprint) or something you have (e.g., a smartphone to receive a prompt).
More advanced passwordless authenticators use signals and behavioural insights to analyse the likelihood of an authentic login and send the right type of prompt to the user. These signals could be your location, IP address or approved device MAC address. And behaviours would include user preferences and choices. For instance, are you logging in at the time you usually do on a browser you always use? How are they typing or using the mouse (this signal easily filters-out bots)? Are they trying to access company resources they haven’t before?
By combining and analysing these readings, the passwordless system gives each user/login attempt a risk score. If a threshold is breached, either a prompt is sent to check it’s a genuine login attempt, or the session can be closed completely, and the user kicked out.
The challenge, however, is there is no one-size-fits-all approach to passwordless. As it is new to many, companies must evaluate their own fraud and risk priorities before implementing it. Here, one of the most useful things an organisation can do is to develop their software services using accepted standards like SAML and OAuth and OpenID Connect. FIDO2 WebAuthn has also become popular, partly because of its adoption by Apple, Google, and Microsoft as well as the makers of several popular devices, browsers, and operating systems. Once the preparation has been done, a company can then design authentication journeys that balance security and login friction for employees, suppliers and customers. Of course, during rollout, it is critical not to disable existing authentication methods until enough telemetry has been collected to surface emerging issues. You must not go unprotected.
AI is core to the experience. It will enable models to learn about each login attempt and refine every user’s profile. These models already help banks for transactions and identifying whether customers are abroad and now they are helping stop bad actors from gaining access to systems and resources they shouldn’t.
When it comes to fraud, there will always be a weak link – people. To help mitigate against this we need to ensure they’re not relied upon too heavily, meaning passwords should be retired as soon as possible. Attackers use stolen credentials more than phishing or exploiting a vulnerability to access companies, according to Verizon. This alone should be enough to push us towards passwordless.
The identity access management industry is working to put the standards in place so this change can happen quickly and be deployed across a wide range of enterprise and consumer applications. Fraud prevention technology folded into the authentication experience, is the way for organisations to be able to more successfully stop fraudsters’ in their tracks when they’re duping people and companies out of their money and secrets.