Commissioned by Duo Security
1 Introduction / Executive Summary
Passwords have been beyond their "sell-by" date for over twenty years and are being regularly exploited with lists of usernames and passwords being tr ...
2 What does "passwordless" have the potential to fix?
Passwords are a binary authentication mechanism, generally set and managed by IT. Once a user successfully completes the password challenge then that ...
3 Passwordless Authentication Overview
The concept of "passwordless" authentication has been gaining significant industry and media attention. The reason for this is clear: our digital live ...
3.1 Why passwordless can be better and more secure
To understand why a passwordless system has the potential to be better and more secure, it is first necessary to understand why passwords are failing ...
3.2 Acceptance of alternatives
Alternatives to passwords are becoming accepted by both users and information security professionals.
Phone apps that give users the convenience ...
3.3 Ability to implement alternatives
Alternatives to passwords are getting easier to implement in systems and applications due to the increasing ubiquity of standard APIs (Application Pro ...
4 Passwordless authentication in detail
Properly implemented, passwordless authentication has the ability to provide a better user experience coupled with increased security.
4.1 How passwordless actually works
Passwordless authentication is a method of verifying users' identities without the use of passwords or any other static secret that can be captured, g ...
4.2 Minimising user friction
Users want to take the path of least resistance; in the corporate environment this typically manifests itself with people choosing weak passwords or w ...
4.3 Providing higher levels of assurance
When a higher assurance level for the identity of the user requesting access is needed, there are typically two methods employed; step up authenticati ...
4.3.1 Step-up Authentication
Step-up authentication only requests a further level of security check when the risk-tolerance for the transaction being undertaken demands it.
4.3.2 Adaptive & Continuous Authentication
Adaptive & continuous authentication takes advantage of contextual and behavioural aspects to assess the risk of an access attempt and adapt the type ...
4.3.3 Monitoring access risk
Adaptive & continuous authentication works both ways, and by monitoring when user context changes rapidly or looks anomalous or risky then access can ...
4.4 Increasing trust in authentication
If we're going to remove the shared secret (password) then it is critical that we have higher levels of both trust in, and visibility of, the authenti ...
4.4.1 Confidence in the health and status of devices accessing applications & systems
There is a need to be even more confident in the health and status of the devices (Windows, MacOS, iOS and Android) that are accessing applications; a ...
4.5 The smartphone at the heart of your passwordless strategy?
For many the ubiquity of the smartphone may point to it being the obvious choice to be at the heart of any passwordless strategy. This has led to ques ...
Implementing an alternative to passwords requires a strategic approach. The danger is that all the existing authentication methods remain and the resu ...
5.1 Your strategy should consider
As part of planning any new system it is important to clearly understand the following:
What any new authentication system will allow you to rem ...
5.2 Implementation issues to consider
A new MFA/Passwordless solution has the potential to be a strategic benefit to the entire business, if planned and implemented properly, touching on a ...
5.3 Overlap with other technologies
Any replacement authentication system will likely need to interact with more than just the systems you physically own and directly manage. It should a ...
5.4 Wider Security Issues
In any strategic approach there are always questions you should ask yourself as a sanity check to your proposed solution and/or the processes that sur ...
Replacing a complex IT infrastructure that has been underpinned by username-password authentication will need careful planning if it is to be a succes ...
7 Related Research
- Bruce Schneier (2011). “Secrets and Lies: Digital Security in a Networked World”, p.131, John Wiley & Sons
- Where financial systems are under PSD2 then step-up authentication is being retrofitted for compliance
- General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas
- The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California, United States
- In the World Payments Report 2017, bank executives ranked distributed denial of service (DDoS) attacks (50%) and customer payments fraud (31.3%) as the top two security challenges they face. https://worldpaymentsreport.com/
- The revised Payment Services Directive, better known as PSD2, is a European regulation aimed at bringing increased competition, transparency and security in payment services.