cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

3 steps towards a passwordless future

Over many years, people have built a tacit link between passwords and identity. We have assumed that when someone is issued with a username and password combination that we have given them a digital identity. By Blair Crawford, CEO and founder of Daltrey.

user iconReporter
Thu, 28 Jul 2022
3 steps towards a passwordless future
expand image

In reality, what we have really done is given them a tool for accessing a system or data and we have made an assumption that those credentials are bound to their identity. But this assumption has been proven to be false. Data from a number of reports such as the annual Data Breach Investigations Report and the World Economic Forum tells us that stolen, weak and misused passwords are widely used by cyber criminals.

If passwords are such a liability, how can we get rid of them? The quest for going passwordless is not new. Passwords are weak, easily shared and can be hacked through brute force attacks. For users, they’re frustrating to use. They are frequently forgotten and need to be reset. Organisations have been looking for ways to move away from passwords to more robust forms of authentication for some time.

Here are three steps to move towards a passwordless future:


1. Start with identity

It may seem obvious, but it’s important to validate the identity of people before giving them access to your systems. That means your onboarding processes need to have robust identity verification so that you are 100 per cent confident that the person is who they say they are and that you don’t have a duplicate record. This is key. Going passwordless offers lots of benefits such as easier management and stronger security. But issuing a credential, even a biometric one, to someone whose identity is not verified doesn’t strengthen security.

Once you’ve verified an identity, you need to bind that identity to biometric data. That can be used to connect a user to a specific application or hardware device such as a door lock. That single identity, bound to one person’s biometric data can be used to secure both physical and digital access.

2. Redefine strong authentication

Identity management has become a top-of-mind issue for all organisations. Guidelines such as the Essential Eight, NIST and ISO 27001 all provide advice saying that single-factor authentication, traditional username and password systems are no longer adequate and that organisations should move to multi-factor authentication using one-time passcodes or other similar mechanisms.

Although these are stronger than single-factor authentication, they add overhead to users. And they often lack a strong tie between the means of authentication and the user’s actual identity. Biometrics offer a new definition for strong authentication. Strong authentication involves strict identity proofing and binds the biometric credential to relevant identity attributes for the highest level of assurance that the user is who they say they are, strengthening security and an organisation’s defences against cyber-attacks.

3. Ensure authentication integrity

The old saying about a chain only being as strong as its weakest link applies to passwordless authentication using biometric security. Standards such as ISO/IEC 24745:2022 ensure that biometric systems are designed to withstand and repel attacks. And ISO 30107 has been created to address presentation attack detection (PAD) where threat actors present videos, images or masks to a sensor like to fool biometric detection.

It’s important to ensure robust protection is in place through tools such as encryption to protect data while it’s in flight or at rest and to ensure systems are patched and maintained to ensure vulnerabilities are repaired and newly found threats are blocked.

Moving towards a passwordless future is not just about replacing passwords with biometrics. It also requires a complete security strategy that adheres to robust standards that protect the integrity of the end-to-end authentication workflow. With that approach embedded into the design, a successful transition towards passwordless authentication can be achieved.

Blair Crawford is the CEO and founder of Daltrey.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.