
MY TAKE: Businesses gravitate to ‘passwordless’ authentication — widespread consumer use up next

Google, Microsoft and Apple are bitter arch-rivals who don’t often see eye-to-eye.


Yet, the tech titans recently agreed to adopt a common set of standards supporting passwordless access to websites and apps.

This is one giant leap towards getting rid of passwords entirely. Perhaps not coincidentally, it comes at a time when enterprises have begun adopting passwordless authentication systems in mission-critical parts of their internal operations.

Excising passwords as the security linchpin to digital services is long, long overdue. It may take a while longer to jettison them completely, but now there truly is a light at the end of the tunnel.

I recently sat down with Ismet Geri, CEO of Veridium, to discuss what the passwordless world we’re moving towards might be like. For a full drill down on our wide-ranging discussion, please give a listen to the accompanying podcast. Here are a few takeaways.

Security + efficiency

Passwordless technology is certainly ready for prime time; innovative solutions from suppliers like Cisco’s Duo, Hypr, OneLogin and Veridium have been steadily gaining traction in corporate settings for the past few years.

And the pace of adoption is quickening, Geri told me. Companies in the throes of digital transformation, and especially post-Covid-19, have never been more motivated to adopt a new authentication paradigm – one that eliminates shared secrets.

Password abuse at scale arose shortly after the decision was made in the 1990s to make shared secrets the basis for securing digital connections. Fortifications, such as multi-factor authentication (MFA) and password managers, proved to be mere speed bumps. Threat actors now routinely bypass these second-layer security gates.

No small part of the problem is that passwords and MFA require a significant amount of human interaction. “Relying on shared secrets doesn’t work anymore, because we have too many accounts and no one can remember hundreds of passwords,” Geri says. “Our brains just won’t do it.”

As companies accelerate their dependence on hosted cloud services, the clunkiness of passwords and MFA is exacting a toll on productivity. One bank in the U.S. Northeast, for instance, was concerned about tellers having to type in their passwords 50 or more times a day. “They wanted to make their tellers’ work life easier, more friendly and seamless, and at the same time improve security,” Geri says.

This was accomplished by using web cameras at each terminal tied into Veridium facial recognition software. Instead of the teller having to type in a username and password, then also use a second factor of authentication over and over, access now happens silently and swiftly based on who the teller is. Thus, the bank measurably reduced its exposure to password abuse, while also lightening the burden on each teller.

Adoption scenarios


Outside of the banking industry, which strictly prohibits the use of BYOD smartphones for tellers, many organizations have begun adopting passwordless solutions by leveraging their employees’ personally owned smartphones. Passwordless access to company resources goes something like this: instead of a logon prompt asking for a username and password, the employee is presented with a QR code.

He or she simply uses his or her smartphone to scan the QR code. A phone app then uses the onboard biometric sensor, either fingerprint or facial, to authenticate the employee to the company’s server. “The most common adoption scenario that we see is companies seeking a passwordless experience across all of their applications,” Geri says.

Talk about turning Bring Your Own Device security concerns on their head. Passwordless solutions now enable companies to turn BYOD into a strategic tool. When you consider how password abuse has grown into a full-blown criminal specialty, it’s easy to measure the security gained from shutting down password abuse vectors.

The efficiency gain comes from reducing logon sprawl; today employees are required to repeatedly type in a username and password, then also use various forms of MFA to connect to the company network, to log onto cloud-hosted productivity and collaboration tools, and to access operational software.

Coming advances

In short, what’s happening is that companies are shifting to passwordless authenticators because they materially improve security, and because they leverage tools like a smartphone, which is far less likely to be left behind or misplaced.

Google, Microsoft and Apple now get this. After a decade of sitting on the fence, the tech giants on May 5 announced that they would formally adopt standards pulled together by the FIDO Alliance.

FIDO stands for Fast IDentity Online. It’s a fresh set of industry standards, akin to WiFi and Bluetooth, that encourages the development and use of passwordless authenticators. Any device manufacturer, software developer or online service provider can integrate FIDO protocols and policies into their products and services.

Whatever their ulterior motives, Google, Microsoft and Apple should be congratulated for finally seeing the light. They’ve dispatched spokesmen to herald “eliminating the vulnerability of passwords” and tout “making passwordless part of consumer lives” and “completing the shift to a passwordless world.” Maybe the tech giants finally noticed the train leaving and thought it wise to jump on board.

For its part, Veridium launched in 2016 with a laser focus on designing passwordless systems from scratch that directly addressed the growing frustration of IT department and security team leaders.

Attaining ‘recognition’

Geri told me that Veridium is already three years into development of a major advance – technology that can take into account behavioral biometrics, such as the pattern of hand movement a person habitually makes when using a fingerprint or iris sensor.

By remembering nuances about movements and other behavior traits over time, this technology will make Veridium’s platform swifter and surer about authenticating a user, Geri told me.

“It’s a concept I call recognition,” he says. “Behavior patterns combined with a strong authentication asset, which is your biometrics, could get us very close to starting to recognize you.”

More such advances are coming. How they get used in a global sense remains to be seen.

Will passwordless authenticators serve mainly to tighten the iron grip that the social media giants hold on consumers’ online personas? Or could these advances foster a fresh trend, one that supports a more fair distribution of wealth, say like the mainstreaming of self-sovereign identities? We’re destined to soon find out. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/my-take-businesses-gravitate-to-passwordless-authentication-widespread-consumer-use-up-next/