What EVs Can Teach Us About Passwordless Adoption

Michael Engle is a co-founder of 1Kosmos and was previously an InfoSec director at Lehman Brothers and co-founder of Bastille Networks.

Most drivers, when they step on the accelerator for the first time in their new electric car, feel an adrenaline rush. Not only because of its supercharged acceleration, but also because it doesn’t burn gallons of carbon-emitting gasoline on the way into the city.

A similar experience occurs when people abandon passwords for passwordless authentication. Clicking a button and logging in with a facial scan or fingerprint is liberating, and at the same time it prevents fraud and account compromise.

Despite their apparent benefits, neither technology is anywhere near 100% adoption. Yes, many people think that switching to electric cars is the right thing to do. However, a lack of charging stations and slow, unreliable charging speeds, among other factors, are holding back wider adoption.

Similarly, adopting passwordless technology solves both security issues and user frustration. However, we will continue to rely on existing technologies, such as usernames and passwords, for some time. It is imperative that we bear this in mind, but also that we move forward as quickly as possible.

As digital frameworks have become more complex and online functions have evolved, identity has become the new security perimeter. This fact has become painfully evident with the continued accumulation of cyberattacks. In September 2023, MGM Resorts Las Vegas suffered a devastating ransomware attack, and Business Insider estimated that the company may have lost up to $80 million because virtual hotel room keys and many other systems were offline for up to 10 days.

The attack is attributed to a group called Scattered Spider. The group used a social engineering technique to access the casino’s network through a single login. At some point, the attackers allegedly called the help desk and posed as an MGM employee whose details they had found on the worker’s LinkedIn profile, in order to reset their credentials. Soon after, they took control of the network. Around the same time, a ransomware attack hit Caesars Entertainment, which reportedly paid a $15 million ransom to prevent a shutdown.

The takeaway for enterprise security leaders is that it’s critical to elevate identity management and authentication. Increasingly, this means focusing on identity-based passwordless authentication and identity verification, which strengthen protection while simplifying tasks for both an organization and its users.

At this point, it would be difficult to find anyone who isn’t intrigued by the prospect of eliminating passwords. They are the skeleton keys of the digital age: easily stolen, and difficult to remember and manage. According to Verizon’s 2023 Data Breach Investigations Report, half of all data breaches involved stolen credentials, and 74% of breaches involved a human element.

Even with multi-factor authentication methods such as text codes and authenticator apps, assets are not secure. Scammers can intercept one-time login codes and socially engineer their way into accounts. Once inside, they move through the network and install malware, including fileless malware that’s hard to detect. At some point, perhaps weeks or months later, the organization discovers it is the victim of a data breach or has to pay a hefty ransom to get its systems and data back.

Over the last few years, identity-based passwordless technology has matured and become viable, thanks largely to the NIST 800-63-3 IAL2 standard and FIDO Authentication. Typically, a person performs remote identity proofing by logging into their smartphone or computer (often with biometrics) and then relies on a digital key to perform a handshake with the remote servers that authenticate accounts. The process is seamless and mostly invisible to users, and it’s highly secure.

You can’t trick a user into clicking on a link or visiting a site that injects malware into a device. There is also no way for attackers to forge credentials. Instead of adding yet another layer of security on top of passwords, identity-based passwordless systems replace them entirely.
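As an added illustration of the handshake described above (not code from the article or from 1Kosmos), here is a simplified model of a FIDO-style challenge-response login in Go: the authenticator holds a private key scoped to an assumed relying party, example.com, and the server accepts only a signature over the challenge it issued and its own origin, so a replayed challenge, a relayed login from a lookalike origin, or a credential for a different site all fail. The RP ID, origin and challenge strings are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Authenticator keeps one private key per relying-party (RP) ID; keys never leave it.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// Register creates a credential scoped to rpID and returns the public key for the server to store.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a.keys[rpID] = k
	return &k.PublicKey
}

// ClientData is what the browser passes to the authenticator: the server's challenge and
// the origin of the page actually asking, filled in by the browser rather than by the page.
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Sign answers a challenge with the credential scoped to rpID (assumed RP ID, e.g. "example.com").
func (a *Authenticator) Sign(rpID string, cd ClientData) (raw, sig []byte, err error) {
	k, ok := a.keys[rpID]
	if !ok {
		return nil, nil, fmt.Errorf("no credential for %q", rpID)
	}
	raw, _ = json.Marshal(cd)
	h := sha256.Sum256(raw)
	sig, err = ecdsa.SignASN1(rand.Reader, k, h[:])
	return raw, sig, err
}

// Verify is the server side: the signed data must carry the challenge the server issued
// (no replay) and the server's own origin (no relay), under the key stored at registration.
func Verify(pub *ecdsa.PublicKey, challenge, origin string, raw, sig []byte) bool {
	var cd ClientData
	if json.Unmarshal(raw, &cd) != nil || cd.Challenge != challenge || cd.Origin != origin {
		return false
	}
	h := sha256.Sum256(raw)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```

In a real deployment the challenge is a fresh random value per login and the browser refuses to use a credential whose RP ID does not match the page origin; the model above shows only the server-side checks that make a stolen or relayed response useless.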

Smart business leaders recognize the importance of transitioning to passwordless technology. Just as a company can’t move its whole fleet to EVs all at once, it’s critical to set the passwordless strategy now and start building the IT infrastructure to support it.

What does this mean in practical terms? It’s critical to establish the right identity management framework, incorporate verification tools and technologies that definitively prove a person’s identity up front, and help customers, employees, business partners and others adapt to a new way of logging on and authenticating.

Five key elements support a best-practice approach to passwordless.

1. Verify. Verify the user’s identity every time they log in, without SMS codes or other two-factor authentication (2FA) bureaucracy. With the right verification procedure and trusted credentials, a user can access any passwordless authentication system.

2. Modernize. Establish a biometric authentication framework with liveness detection for verifiable identity, greater ease of use and increased user satisfaction. This includes incorporating government-issued credentials to identify users. Then, with liveness-checked biometrics, an organization can ensure that the user and the device belong together and are secure.

3. Manage. Successful adoption of passwordless technology requires a controlled, gradual rollout. A step-by-step approach also helps train workers and others on how to use the technology.

4. Standardize. A more productive practice is to provide a consistent user experience across users and systems, including those that can’t drop passwords right away. This could include, for example, adopting an “unphishable” QR code to onboard users and direct them to the appropriate authentication tools. This way, everyone uses a standard, easy-to-use interface to set up secure authentication.

5. Consolidate. Removing authenticator apps and consolidating other tools will reduce dependency on the help desk while ensuring that the migration to a passwordless model is consistent and streamlined. Reducing apps and help desk calls can also deliver a return on investment (ROI).

Make no mistake: the future of authentication revolves around identity-based passwordless multifactor authentication. As with electric vehicles, there’s a need to adopt new technology and make changes—but at a measured and methodical pace. With a roadmap and the right technology, it’s possible to shift identity management into high gear and pave the way toward a more secure future for digital business.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.
