Intelligent CISO Issue 35 | Page 30

Editor’s question

The history of cybersecurity is the history of silver bullets promised, but never delivered. Passwordless authentication is the next such silver bullet: a bright, shiny antidote for the complicated and enduring problem of secure access.

The issue of secure access has grown more urgent with the rise of work-from-home and research showing that the majority of breaches continue to be caused by social engineering and credential theft.
The stealing and cracking of passwords is central to this issue since, despite an increased focus on cyber hygiene, people understandably skew the balance of secure access in favour of access, which means duplicated passwords and sloppy practices.

Passwordless authentication promises to nail that balance by ensuring both ease of use and security, but even one of the leading organisations encouraging a passwordless evolution has recognised that an entirely passwordless future isn’t just around the corner. Their research, a survey of 750 IT professionals, showed both the problem of passwords (a 25% increase from 2019 in manager time dealing with password issues) and the likelihood that ‘passwords are not going away completely’ (85% reported this). Frankly, the impediments to passwordless adoption (mainly time, money and other resources) were cited as substantial by nearly half the respondents.

This is understandable, since the big challenge with passwordless authentication is that a given user’s entire password ‘ecosystem’ also needs to be passwordless (or otherwise very secure) in order for the solution to be truly effective. Consider the following problems:

• A passwordless app emails a one-time link to a designated email account, but the user has a poor password protecting that email account
• A passwordless app sends an auth request to a mobile device that has a poor PIN configured

Because of the legacy approaches to passwords and authentication, it is very difficult for users to eliminate all of the weak links in the authentication chain. And it is exactly those weak links that we see being most frequently targeted by attackers.

So what should users do if they want to start moving to passwordless authentication? While it might seem a little counterintuitive, the first step is to cease the use of ‘simple’ authentication regimes, or at the very least ensure only Multi-Factor Authentication regimes are used. Once that is done, the user can have great assurance that the passwordless regimes that may leverage that authentication ecosystem are not undermined by poor security controls.

Dongle/Yubikey password devices can be great from a security perspective, but difficult from a mass adoption perspective. They can also be just another thing for someone to remember, and may not be universally workable because of different port configurations. Corporate culture matters too. We did some research that indicated that having company-branded password devices seemed to work because it denoted status, but this wasn’t universal, and in some sense the rise of extra factors (SMS, OTP, TOTP and now push auth requests) is filling the gap adequately for the vast majority of people. So while passwordless is definitely in our future, before it comes, and for long after, embracing the boring stuff like good cyber hygiene practices will be the way to go.

CRAIG SEARLE, DIRECTOR, CYBERSECURITY CONSULTING (PACIFIC), TRUSTWAVE