James R Quick,Director, Solutions & Advisory for Simeio Solutions, tells us it’s time to get rid of passwords and instead automate and secure the authentication process.
There are two things we can do to secure our corporate assets; get rid of users or eliminate passwords. I say that tongue and cheek, but there’s truth to half of that statement.
Ok. We obviously need users but employees are on the front lines in a cyberwar over corporate and consumer data, battling myriad cyberattacks. Most data breaches are caused by credential theft. That’s why, our most important endpoints are users. They are the most likely to unknowingly give away the ‘kingdom keys’.
I’m not being flippant about passwords. I’d like to see them gone. The best way to eliminate nefarious activity from stolen passwords is to eliminate them. To secure employees, systems, applications, corporate secrets and consumer data, we must rein in repetitive and weak passwords that expose organizations to attacks.
Time to shift away from passwords
Everyone recognizes password weaknesses. We’re frustrated with having to create and remember them, and where we stored them. So, we repeatedly use the same weak passwords, that are easily memorized. We know this creates a security risk but do it anyway.
Security teams are overwhelmed managing, storing and protecting credentials. They may not have the budget or resources for the most up-to-date systems. They might lack the processes and policies to consistently update software, and don’t have the domain expertise to keep up with the latest technologies to protect their business. They know hackers can acquire user credentials and move laterally across their network to access anything they want. They’re also challenged to keep up with ever-growing privacy regulations.
A password replacement must be pervasive
Our smartphones are almost another appendage. They’re with us constantly and are ubiquitous in our personal lives and business. While there are many methods and strategies for avoiding stolen and misused passwords, there is one that scales and permeates our personal and business activities. We can harden endpoints, like smartphones, tablets, smart speakers and laptops, with standards-based public key cryptography.
How it works
Secure key-enabled user devices remove the need for passwords, eliminate user registration and login friction, and globally scale. To initiate the process, users authenticate with the website using their device’s private key, which responds to the website’s security challenge.
The private key can be used only after the security code has been unlocked by the user, by swiping a finger, entering a PIN etc. The device creates a new public/private key pair, unique to the online service, and the user’s account. The public key is sent to the online service and associated with the user’s account. The private key and local authentication information never leaves the device.
Passwords require human interaction which is a formula for disaster. We must automate and secure the authentication process. This means removing people from the equation. While there are many approaches to eliminating the password conundrum, standards-based public key cryptography provides strong authentication that scales and can be deployed on devices we use to register and login to online applications and services.
Click below to share this article