I hate passwords. There, I said it. I dread getting an email from Akamai IT telling me it will soon be time to update my password. I procrastinate until the last possible moment instead of immediately doing what is actually a trivial process. I suspect I’m not alone in my dislike for passwords.
The reality is, security professionals are also not huge fans of passwords. The ever-increasing rigor on password length, endless amounts of education about not reusing passwords across multiple accounts, and reliance on employees to protect their passwords are not working. The most recent Verizon data breach report stated that 61% of data breaches involved compromised user credentials, and this ZDNet report cited that once user credentials are leaked it only takes a matter of hours for bad actors to attempt to gain account access.
It is well past the time to admit that passwords provide limited security benefits while complicating the end user’s daily life. Therefore, many identity as a service (IDaaS) vendors have been developing and promoting solutions that provide a passwordless authentication experience. What is passwordless authentication? These IDaaS solutions remove the traditional primary authentication factor (the password) and rely more heavily on authentication factors traditionally considered secondary. This move to eliminate passwords from corporate workforce logins is something that Akamai applauds and supports.
But, before we get too excited about eliminating passwords, let’s consider the authentication factors that may be used instead. As we saw in last year’s Twitter attack, there are security gaps in standard push-based multi-factor authentication (MFA) solutions that bad actors can exploit. Other authentication factors — SMS and OTP, for example — also have security weaknesses. The solution is an authentication factor that doesn’t suffer from these weaknesses: one that provides strong, phish-proof authentication. An authentication factor based on FIDO2.
When you’re thinking about moving to passwordless authentication, I strongly recommend reviewing your current MFA service and the authentication factors it offers. If it’s not based on FIDO2, then you might simply be moving the username and password problem to another part of your authentication stack. There’s one thing we know about attackers: If you close down one attack vector, attackers will simply focus on another one.
FIDO2-based MFA, however, makes it virtually impossible for bad actors to manipulate MFA challenges. But it does have one aspect that has slowed down its uptake in the enterprise: physical security keys. For companies, the cost of buying, distributing, and managing physical FIDO2 security keys has been a significant barrier to adoption. The other big problem is that employees don’t relish having to carry around yet another piece of hardware. A recent survey from Cybersecurity Insiders stated that only 5% of employees thought that a physical security key was a convenient MFA method, while 73% thought doing MFA on a smartphone was more convenient.
Akamai MFA provides FIDO2-based MFA on a simple smartphone app that eliminates the costs and complexities of physical security keys, and delivers a seamless experience end users will welcome.
Find out how Akamai MFA can help you give your workforce a secure and frictionless passwordless experience.
*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Jim Black. Read the original post at: http://feedproxy.google.com/~r/TheAkamaiBlog/~3/s5MOVSMF9wg/i-hate-passwords-there-i.html