Looking at the history of passwords, one realizes that they have been around for centuries – the Roman military used them to distinguish friend from foe. Fast forward a few thousand years to the age of computers, and you arrive at the invention of the modern computer password by Fernando Corbató in 1960. While the use of passwords was initially limited to Corbató and his colleagues at MIT, the rise of the world wide web in the 1990s led to their widespread acceptance and use. Along the way, the concept of “hashing” was introduced to protect stored passwords.
As cloud computing, SaaS, and mobile apps provide anytime, anywhere access for users, we have seen less-than-secure password habits and a growing level of expertise among hackers. Weak passwords, password reuse, and sophisticated hacking-related breaches continue to cause financial and reputational damage to enterprises across the globe. With COVID-19 forcing employees to work from home and requiring consumers to access more services remotely, hackers are having a heyday – stealing credentials, accessing personal information, and causing financial damage to individuals and enterprises.
With the proliferation of credential stealing, phishing attacks, and other security threats, “passwordless” has become the new buzzword of 2020. Along with passwordless comes a plethora of terminology to confuse us all – FIDO, encryption, PKI, hardware upgrades, Windows Hello, biometrics, UEBA, analytics, and many more. Passwordless could mean the use of a PIN, physical or virtual smart cards with a PIN, or simply a push notification to a mobile device. Does that mean all of the “passwordless” solutions being promoted are equal? What should organizations look for in a passwordless solution?
Consider every use case
A security-conscious organization should look for a comprehensive security solution that protects its assets and applications and addresses its various use cases. For example, email phishing attacks are common and lure people into revealing their credentials and/or cause financial damage. Even with email security solutions in place that clearly flag email from an “EXTERNAL” source, many users still click on links embedded in those emails. Email signing (with a PKI certificate from a reliable certificate authority) lets recipients verify who really sent a message and can solve the problem of email phishing. Similarly, the contents of an email can be secured using encryption enabled by PKI-based credentials (private keys).
With COVID-19, important legal documents, contracts, medical prescriptions, and the like need to be signed remotely. A PKI-credentials-based solution combined with a hardware security module (HSM) provides a secure method of digitally signing the required documents.
Other use cases that need to be addressed include file encryption, seamless access to all authorized applications, secure workstation login, VPN, SSH, VDI, and VM sessions, and the list goes on.
FIDO keys have become popular: users register a USB/NFC key with the browser to get passwordless login to specific application(s). However, FIDO keys work on the basis of possession, so if I have someone else’s FIDO token/key, then I can assume that person’s identity. FIDO does not prove the identity of the person holding the key. Mobile FIDO apps have surfaced that are unlocked by device-native biometrics, which allow for better proof of identity. However, mobile devices allow more than one person to register their biometrics (generally family members), which means anyone with access to the phone will be able to unlock the mobile FIDO app. Once again, the FIDO key does not prove the identity of the user. FIDO also does not address other use cases like email signing and encryption, digital document signing, and file encryption.
Windows Hello for Business provides a passwordless solution once the enterprise upgrades to Windows 10 and, at the same time, upgrades hardware with infrared cameras for facial recognition. Additionally, the number of users that can be registered on a computer is limited by the capacity of the TPM chip. For example, if the TPM chip can hold keys for five users’ identities, the sixth user registering with the device will kick out the first user. So it can prove to be an expensive solution without the ability to support hot desking.
A time-tested, security-hardened, and innovative passwordless solution is PKI-credentials-based, leveraging mobile devices to cater to all the use cases for comprehensive enterprise security. Entrust Datacard provides the Mobile Smart Credential app for iOS and Android devices that can be paired with Windows and Mac computers. Once paired, the user can log in to their computer without a password by unlocking their PKI-based mobile credentials with their biometrics (device-native or built into the app). Administrators can set a policy that automatically logs the user out or locks the screen when the mobile device goes out of range of the computer. This security policy allows users to walk away from their computers with their mobile device without worrying, “Did I leave my computer unlocked?”
Protect against threats and reduce TCO
The advantage of using a PKI-credentials-based solution is that the identity of the user can be validated by a public CA – a distinct advantage that enterprises, governments, hospitals, educational institutions, and banks can leverage to build trust.
Users can log in to any computer their device is paired with and access all authorized apps (cloud and on-premises), automatically logging in to VPN, SSH, etc. without having to reauthenticate. They can send signed and encrypted emails using their mobile smart credentials, digitally sign documents and prescriptions, and encrypt files. All of this without ever typing a password. Using a credentials-based passwordless solution, organizations can have lower TCO and a robust, secure solution that helps them fight fraud and eliminate cyber threats like phishing attacks, SIM swaps, SMS-based MFA attacks, duplicate code generator attacks, and account/password recovery attacks, while enabling them to meet compliance requirements.
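The two claims above that carry the technical weight of the argument, that a PKI credential lets a recipient verify a signed email or document and that the signer's identity can be validated through the issuing CA, are shown concretely in the following added example. It is not code from the original post or from Entrust Datacard; it uses only the Go standard library, builds a throwaway root CA and one user certificate in memory (the CA name and the address alice@example.com are hypothetical, and the signed text is a constructed sample), and then verifies a signature the way a relying party would: chain to a trusted root, correct key usage, identity bound in the certificate, and signature over the document.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// SampleDocument is a constructed sample, not a real prescription or contract.
const SampleDocument = "Rx 0001 (constructed sample): one tablet daily"

// Credential holds a demo root CA and one user credential issued by it (hypothetical names).
type Credential struct {
	CACert   *x509.Certificate
	UserCert *x509.Certificate
	UserKey  *ecdsa.PrivateKey
}

// newKeyAndCert generates a P-256 key and issues a certificate for it; nil parent means self-signed.
func newKeyAndCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// NewCredential builds a root CA and issues an email-protection certificate to email.
// In production the CA is a public or enterprise CA and the user key lives in a smart card, HSM or mobile app.
func NewCredential(email string) (*Credential, error) {
	caKey, caCert, err := newKeyAndCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Root CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	userKey, userCert, err := newKeyAndCert(&x509.Certificate{
		SerialNumber:   big.NewInt(2),
		Subject:        pkix.Name{CommonName: email},
		EmailAddresses: []string{email}, // the identity the CA vouches for
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}, caCert, caKey)
	if err != nil {
		return nil, err
	}
	return &Credential{CACert: caCert, UserCert: userCert, UserKey: userKey}, nil
}

// SignDocument returns an ASN.1 DER ECDSA signature over SHA-256(doc).
func SignDocument(key *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifySignedDocument accepts sig only if signer chains to root and is valid for email
// protection, names expectedEmail, and the signature verifies over doc.
func VerifySignedDocument(root, signer *x509.Certificate, doc, sig []byte, expectedEmail string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	bound := false
	for _, e := range signer.EmailAddresses {
		bound = bound || e == expectedEmail
	}
	if !bound {
		return fmt.Errorf("certificate was not issued to %s", expectedEmail)
	}
	pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(doc)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("signature does not verify under the certificate's key")
	}
	return nil
}
```

The order of checks is the point: a signature that verifies under some key proves nothing by itself, which is the same gap the post describes for possession-only FIDO keys. Trust comes from the certificate chaining to a CA the relying party already trusts and from that certificate naming the identity being claimed; a certificate minted by an unknown root, an altered document, or a certificate for a different address all fail here.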
When selecting a passwordless solution, ask your vendors for the use cases their solutions will support. Get ready to protect your assets – hackers are getting smarter and more resourceful, looking for loopholes in your security posture. Be wise and select the right solution for your organization. Go for a PKI-credentials-based passwordless solution.