Passwordless Authentication: Does Removing Passwords Increase Security?
“It’s safer because basically you’re removing the possibility that if someone steals or phishes your password, they can’t use it to access whatever they’re trying to access,” says Goerlich. “They need those factors that they don’t necessarily have with them.”
Passwordless authentication also limits phishing attacks, according to Goerlich. “The authenticator will look at this URL and match it before providing credentials,” he says. “So even if the criminals are using the things they’ve been using for years, i.e. words that sound alike or zeros instead of O’s, the authentication mechanism isn’t fooled by that, and therefore common phishing techniques fail and are not applicable.”
Additionally, passwordless authentication is beneficial for hybrid working, says Goerlich. When users work from home, it’s difficult to validate who they are to reset their passwords, so password reset costs have increased. Passwordless authentication eliminates the need to do so, he notes, as well as the need for a user to travel to headquarters to reset their authentication.
Passwordless “provides a very good user experience and significantly reduces the friction users face when trying to maintain access to their systems in the hybrid environment,” Goerlich says.
Hybrid setups make it challenging to enroll and onboard employees and to ensure that they are not, for example, also enrolling their children, and that they are maintaining tokens appropriately. In some cases, organizations are bringing remote employees into live video chats, Goerlich says. “It’s really about figuring out what the processes are, and that takes time.”
What is the FIDO Authentication Standard?
FIDO stands for Fast Identity Online. The FIDO Alliance is an organization that sets standards focused on identity-related interoperability.
“The FIDO Alliance has created something called FIDO Authentication, which is a standard that makes interoperable passwordless authentication possible,” Scarfone says.
FIDO promotes standards such as the universal second factor, which is behind security keys and tokens, Goerlich notes.
FIDO2, the latest standard, was launched in 2018, and its support expanded in 2020 across some Apple products. “FIDO2 enables users to leverage common devices to easily authenticate to online services in mobile and desktop environments,” the alliance notes. “The FIDO2 specifications are the Web Authentication (WebAuthn) specification of the World Wide Web Consortium (W3C) and the corresponding Client-to-Authenticator Protocol (CTAP) of the FIDO Alliance.”
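The URL matching Goerlich describes shows up on the server side of WebAuthn as two checks: the origin the browser recorded in `clientDataJSON`, and the SHA-256 hash of the relying party ID at the start of the authenticator data. The Python sketch below is an added example, not code from the article or the FIDO Alliance; the host names, the challenge value and the helper names are constructed assumptions, and signature verification is left out.

```python
import hashlib
import json

# Assumed relying party for this example (constructed values).
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"


def make_assertion(origin, rp_id, challenge):
    """Build constructed sample data shaped like a WebAuthn assertion.

    The browser writes the page's real origin into clientDataJSON, and the
    authenticator puts SHA-256(rpId) in the first 32 bytes of authenticatorData.
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()
    flags = bytes([0x01])  # user-present bit set
    sign_count = (1).to_bytes(4, "big")
    auth_data = hashlib.sha256(rp_id.encode()).digest() + flags + sign_count
    return client_data, auth_data


def check_origin_binding(client_data_json, auth_data, expected_challenge):
    """Return (ok, reason). Signature verification is a separate, later step."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    # Exact string comparison: no normalisation, no substring or suffix match,
    # so "l0gin" in place of "login" is simply a different origin.
    if client.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch"
    if len(auth_data) < 37:  # 32-byte rpIdHash + 1 flag byte + 4-byte counter
        return False, "authenticator data too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"
```

An assertion produced on a lookalike host fails the origin check, and one replayed with a forged origin string still fails on the relying party ID hash, which the authenticator signs over.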