Is Your Business Ready for the Passwordless Future?

Introduction

“letmein”

“opensesame”

“123456”

“password”

Don’t worry, we’re not trying to remotely hack into your computer. We’re actually listing some of the most common passwords that people still use to this day.

If you recognise any of the above – and especially if you have them in active rotation with your digital accounts – it’s definitely time to change them.

But could there be another way? Could it be that passwords have become outdated and insecure, even the most complex of alphanumeric sequences?

If current trends are to be believed, the answer is yes. Many businesses have already started the process of going “passwordless” – and it might just be more secure than passwords ever were.

Intrigued? Then let’s begin.

What is “passwordless” authentication?

As the name suggests, passwordless authentication refers to the process of logging in to systems without the need for an alphanumeric password.

Without getting overly technical, passwordless authentication relies on what’s known as a “authentication factor”. We’ve talked about this before on the Get Support blog as part of our Plain English Guide to Multi-Factor Authentication.

In a passwordless system, authentication factors will fall into one of two categories:

• Something you have, such as your mobile phone, a one-time-passcode, or a physical token.
• Something you are, such as your fingerprint, retinal scan, or other biometrics.

In most passwordless setups, including Microsoft’s Windows Hello, you simply need to enter your username and provide one authentication factor. The sheer security of biometrics means MFA is no longer necessary (nobody else has your face or fingerprint, right?)

That said, there are still ways to use both MFA and passwordless authentication if your security requires it. It’s all about having additional options to keep your business secure.

Type of passwordless authentication systems

Logging in without a password is becoming more common across digital platforms, and there are a few different ways to make it happen.

Here are the passwordless experiences you’re most likely to find at the moment:

• Authenticator Apps, such as the one offered by Microsoft, will simply send you a push notification when you try to log in. From there, you simply carry out a biometric scan (Face ID or fingerprint), and you’ll be logged in.
• “Magic Links” are an email-based form of passwordless authentication. You enter your email to log in and the service will send you an email with a unique link which you click to be logged in automatically. The authentication factor here is access to your email account.
• One-Time-Passcodes (OTP) is a form of passwordless authentication which sends a text message to your mobile phone with a unique PIN code. Enter the code and you’ll be logged in. Or, even better, approve the login via a push notification. OTPs are commonly used as part of multi-factor authentication setups.
• FIDO2 security keys are a physical token which you can carry with you on your person – even on your keychain. Enter your username or email, plug in your key, and you’re in!
• Windows Hello is a dedicated passwordless platform developed by Microsoft and available in Windows 10. It uses biometric data via dedicated devices (including your smartphone) to log you into Windows passwordlessly.

How secure is passwordless authentication really?

At first blush, there’s a natural assumption that removing the need for a password must be unsafe. After all, we’ve all spent decades at this point memorizing the most complex combinations of numbers, letters, and special characters.

So how could passwordless solutions ever be more secure?

Well, when you consider the detail, you might actually agree that passwords are really not as safe as they may seem.

Here’s why:

• Passwordless solutions remove the single most insecure factor in the authentication process: insecure passwords. Try as you might, there’s always one who’ll resort to a variation of “opensesame” – and passwordless solutions eliminate that risk.
• If you suffer a specific type of cyberattack which breaches your server, an attacker could potentially access your user’s passwords. Having passwords stored anywhere – even when encrypted – is still a risk which passwordless systems entirely eliminates.
• Phishing attacks are not effective against passwordless authentication. If a user were to be duped into accessing a fake version of their company’s login screen, for example, they won’t have a password to give away. And, at least for now, scammers are unable to replicate passwordless authentication systems.
• Biometric data is practically impossible to counterfeit. Whether it’s a facial scan, a fingerprint, or a retinal scan, these authentication factors are uniquely yours. There’s no “brute-forcing” a passwordless system as is possible with passwords – instantly eliminating multiple potential cyberattack vectors.

Is your business ready to say goodbye to passwords?

Switching to an entirely passwordless approach might be a little way off yet, but there are already plenty of ways you can take advantage of the security it offers.

With Windows Hello and other forms of passwordless authentication built into Azure AD, you could probably get started with passwordless right away. Want to learn more? The Get Support team can help you get up and running.

Fill out the form below or call the team anytime on 01865 59 4000 to learn more.