“Passwords have long been the weak link in security. It's often said that in many successful attacks, criminals don't 'hack' in, they just log in. They do so by gaining the password using a variety of techniques. These could include phishing to trick someone into handing over a password; stealing credentials if someone has used the same password in multiple places, which might then have leaked onto the dark web, for example; or simply using brute-force attacks.
As such, it's long been vital to utilise solutions like multi-factor authentication (MFA) to protect logins. However, this has resulted in a 'cat and mouse' game with hackers, where attackers attempt to work around MFA. As such, we are now seeing sophisticated approaches emerging like MFA fatigue attacks and combination attacks, where phishing is combined with established vulnerability exploitations using 'pass-the-cookie' attacks.
All these risks are designed to exploit possible vulnerabilities in the MFA process, stripping it away to leave you with only the simple password as protection. If the hacker already has this, or has stolen it using the aforementioned techniques, then you end up right back where you started.
As such, vendors have been working to move away from passwords entirely, and towards solutions that rely on login protection factors that can't be stolen or phished. Various solutions have been pushed forward, but we're finally starting to see the emergence of some standards around this. Solutions like passkeys, for example, are beginning to enter use with online services. In the corporate space, solutions like physical tokens have already been established around standards like FIDO2/WebAuthn.
Physical tokens allow users to literally have a physical key to unlock access to their PC, cloud services, data and applications. This provides a familiar experience to the user (using a key to unlock their IT) and strong protection for the business.
You might wonder how this is protected from hacking, or from lost and stolen keys. Each key can have either a PIN, required to make use of the key, or its own fingerprint reader built in for biometric unlock. Therefore, even if the key were stolen, it couldn't be used. Of course, keys must be plugged into a USB port to work; however, the unlock process requires a physical touch of the key to activate it each time a login occurs. This provides additional protection: a human presence and action is required.”
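The PIN/biometric unlock and the physical touch described above surface to the server as the "user verified" (UV) and "user present" (UP) flag bits in the WebAuthn authenticator data, so a relying party can refuse any login where they are missing. The following is an added illustration of those server-side checks, not code from the original article or from any product it mentions; the relying-party ID and sample authenticator data are constructed, and the signature check over the assertion is a separate step not shown here.

```python
import hashlib
import struct

# Flag bits in the WebAuthn authenticator data "flags" byte (WebAuthn spec, section 6.1).
FLAG_UP = 0x01  # User Present: the key was physically touched
FLAG_UV = 0x04  # User Verified: PIN or biometric was checked on the key

def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed-size prefix of WebAuthn authenticator data into its fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    return {"rp_id_hash": rp_id_hash, "flags": flags, "sign_count": sign_count}

def verify_assertion_policy(auth_data: bytes, rp_id: str, stored_sign_count: int,
                            require_uv: bool = True) -> tuple:
    """Policy checks a relying party should make before trusting a FIDO2 assertion.
    Returns (accepted, reason). The cryptographic signature over the assertion
    must be verified separately (not shown)."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not parsed["flags"] & FLAG_UP:
        return False, "user presence (touch) not asserted"
    if require_uv and not parsed["flags"] & FLAG_UV:
        return False, "user verification (PIN/biometric) not asserted"
    # A counter that fails to advance suggests a cloned authenticator.
    if parsed["sign_count"] != 0 and parsed["sign_count"] <= stored_sign_count:
        return False, "signature counter did not increase (possible cloned key)"
    return True, "ok"

def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample authenticator data (no attested credential data or extensions)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)

if __name__ == "__main__":
    rp = "login.example.com"  # hypothetical relying party ID
    good = make_auth_data(rp, FLAG_UP | FLAG_UV, 42)
    print(verify_assertion_policy(good, rp, stored_sign_count=41))       # (True, 'ok')
    print(verify_assertion_policy(make_auth_data(rp, FLAG_UP, 43), rp, 42))  # rejected: no UV
```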
Will businesses need to overhaul their whole security processes?
In most cases, no. Many organisations are already using identity management solutions like Microsoft Azure AD (now Entra ID), which already has support for these solutions built-in. Enabling them can be carried out on existing user accounts.
We recommend linking all enterprise IT applications to your identity management solution through a single sign-on. This then allows you to protect all your applications and data with a passwordless login solution, not just Microsoft.
Will some organisations or specific sectors need to retain passwords/services? Why?
In some cases, legacy software not tied to modern authentication solutions won't be able to take advantage of modern passwordless solutions, or be linked to Entra ID.
It's typically legacy software that will be unable to make the switch - in this case, you'll need to find other routes to add protection, such as hosting the application in a virtual desktop environment like Azure Virtual Desktop, and ensuring that access to that desktop space is protected by a passwordless login solution.
Is any one successor to passwords 'future proof'?
The landscape is always changing, so it's tough to declare any one solution to be future-proof. However, basing your design around solutions that use established standards gives you the best chance of success. For an identity management solution, you'll almost always be choosing a proprietary system, but for solutions like physical tokens, the standards (like FIDO2/WebAuthn) are now well established.
What concrete strategies can businesses follow to prepare their route away from passwords? For example, if you can't shift everything, could some accounts or software be made passwordless?
Businesses looking to move away from passwords should evaluate the following:
- Your login scenarios, including what devices people use and where. Whether they are office or home-based, mobile or hybrid, as well as whether devices are corporate or user-owned.
- The apps and services people need to access. These could include cloud apps versus on-premise, as well as access routes including direct, on-premise and remote access.
- User experience and protection preferences, for example, is biometric a requirement? What type of interface do people need and what training might be required?
To provide robust protection, consider what your pathway will be to 100% coverage, which means 100% identity protection and passwordless coverage of all access routes, to all applications and data, for all users - both regular and administrative - for the entire organisation. You will almost certainly need to have full single sign-on (SSO) for all your applications and services.