Share this article on:
Ashley Diffey from Ping Identity outlines secure and user-friendly password alternatives in a heightened threat environment.
Love them or loathe them, passwords have been a part of daily life for more than 60 years, providing a first line of defence against a range of digital threats.
Used to secure everything from email and social media accounts to online banking and corporate networks, these have become standard methods of preventing unauthorised access.
However, it’s becoming increasingly apparent that passwords are no longer sufficient. Regularly stolen and often easy to guess, these are no match for ever-more sophisticated cyber criminals intent on causing disruption and achieving financial gain.
This then begs the question that, if these are so inherently insecure, why do they remain in widespread use? The answer, it appears, comes down to simple usability.
Passwords are easy to understand and straightforward to use. These give people the feeling that unauthorised access to resources can be prevented and losses avoided, regardless of whether that is actually true.
When you weigh up usability against security, passwords are shown to be falling well short. These are well understood and simple to use, however it’s now time for organisations to investigate and implement alternatives that can provide significantly better levels of protection.
Beyond the password
When considering alternatives to passwords, many people still think that these are not going to be discarded any time soon. Rather, they believe it’s a matter of adding additional identity and authentication methods to the mix to boost security while also retaining usability.
On the other hand, there are others who think it is already possible to adopt a password-less approach to digital security. They point to technologies such as voice, facial and fingerprint recognition as ways to identify people without requiring them to remember and enter a password.
Taken a step further, this approach can be dubbed Bring your Own Identity (BYOID). The BYOID involves individuals proving they are who they claim to be by providing something that is unique to them. As well as biometric details, this could take the form of a private key or token that only they could have in their possession.
While this situation will sound very appealing for many people who struggle to remember the large number of passwords required to login to multiple applications, websites and services, it will be some time yet before it becomes a widespread reality.
Until then, people need to find ways to make password use as frictionless as possible while also ensuring effective levels of security are maintained.
One option being used by growing numbers of organisations is to require staff to make use of a password manager. These services allow users to record all their login and password details in a secure online vault with the details provided as required.
Each staff member then has only to remember a single master password which gives access to that vault as all others are handled by the password manager. This makes it a much better user experience for staff while also improving levels of security across the organisation.
Myriad-factor authentication
Another development which is aiding the quest for a password-less world is the concept of using a wide variety of factors when determining an individual’s identity. This takes the concept of two-factor authentication, which is already widely used, and shifts it up another notch.
Other factors that can be used include details of the client device being used to connect, its geographic location and records of past interactions to determine whether this one is following a similar pattern.
The more factors that are used, the surer a service or network can be that the person logging on is who they are claiming to be. If someone connects from Sydney, but then minutes later attempts using a different device from London, it’s unlikely to be authorised activity.
Reaching the stage of being password-free remains quite a journey for most organisations, and there are also likely to be other methods of confirming identities that will enter the mix over time.
Yet, just as shifting to the cloud was a gradual process for most, it’s likely password-less identities will be achieved in a similar series of incremental stages rather than a big bang. Consider how you might take your first step today.
Ashley Diffey is the head of APAC and Japan at Ping Identity.