
Forget passwords to improve security #biometrics #MFA #SSO

March 21, 2022


Digital transformation has gained unprecedented momentum in the past couple of years, with businesses striving to stay ahead, deal with evolving challenges and gain a competitive advantage. 

This has driven a rapid migration from legacy architecture to cloud-based infrastructure, and in the process businesses now operate in newly built hybrid environments. Such always-on, always-available hybrid infrastructure demands a decentralized, identity-centric security model, and in that model a password on its own is no longer adequate. 

An identity-centric authentication system typically layers additional factors on top of the conventional password, which is widely regarded as the weakest factor. A growing number of organizations are now removing that weak factor altogether. Forbes reports that 52% of businesses already use passwordless authentication in some form, and that share is only expected to grow. 

Limitations of passwords

Difficult to manage: Password-related issues consume a large share of IT help-desk time. The combined cost of IT support and lost productivity caused by passwords is staggering; reports suggest that a single password reset request costs around $70. 

Poor user experience: Remembering a strong password and typing it at every login adds friction, and in most cases the reset process for a forgotten password is laborious. 

Easy to exploit: Attackers treat passwords as low-hanging fruit and go after them with phishing, credential theft, password guessing and similar attacks. Weak passwords and password reuse are common practices that make this easy: one leaked password often unlocks several accounts. 

Ditch passwords to boost security

Passwordless authentication aims primarily to overcome the above limitations, providing increased security while also improving the user experience. Here is a look at the steps involved in going passwordless: 

Step 1: Find the use cases where a password is the only means of authentication. Add a second layer of authentication using MFA there, so that a stolen or guessed password is no longer sufficient on its own. 

Step 2: List all use cases where passwords are used and rank them by user experience, IT cost and security risk. Then pick the low-hanging fruit, i.e., the use cases with the biggest potential impact across all three parameters in the shortest time, and create an implementation plan for them. 

Step 3: Simplify login processes to improve the user experience wherever possible. Deploy Single Sign-On for web applications so that users authenticate once rather than to every application. Wherever strong multi-factor authentication is in place, revise the password policy, allowing simpler passwords and reducing forced reset frequency, since the other factors now carry the security burden. 

Step 4: Go beyond passwords and OTPs. Apply context-aware adaptive policies in high-risk use cases, using signals such as location, time, device and behaviour to decide how strong the authentication must be for a given login: a familiar device at a usual place and time needs less, an unknown device from an unusual location needs a stronger factor or is refused. 

Step 5: Once the above steps are taken, the password is nothing more than one of several authentication factors, and removing it becomes easier, with the order decided by the criticality of each use case. For a high-impact use case with no margin for error, biometrics-based authentication can be added as a further safeguard before the password is retired; note that no single factor is foolproof, which is why the adaptive policy from Step 4 should remain in place after the password is gone. 

Going truly passwordless does more than overcome the limitations of conventional passwords: it opens the door to several new possibilities. It is a continuous, challenging process and a critical part of every business's digital transformation journey. Done right, it serves as a solid foundation on which a sustainable and secure hybrid infrastructure can be built. With the above template you can kickstart your passwordless journey, in case you haven't yet. 
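Steps 4 and 5 describe the adaptive policy in words. The following Python, added here as an illustration and not code from the original post or from Accops, shows one way such a context-aware policy can be expressed: each login attempt carries context signals (device, country, hour, recent failures), the signals are turned into a risk score, the score sets the assurance the session must reach, and the policy either allows, refuses, or names the factors the user must still present (a step-up) instead of failing outright. The factor names, weights and thresholds are assumptions chosen for illustration; a real deployment would tune them from its own login data. The sample profile and login attempts at the bottom are constructed.

```python
"""Context-aware adaptive authentication policy (added example; assumptions marked)."""
from dataclasses import dataclass, field

# Assumed factor strengths. A phishing-resistant FIDO2/WebAuthn credential (which may
# itself be unlocked by a biometric) counts as much as password + OTP, so a
# passwordless login is never treated as weaker than a password-based one.
FACTOR_STRENGTH = {"password": 1, "totp": 1, "push": 1, "webauthn": 2}
PHISHING_RESISTANT = {"webauthn"}


@dataclass
class UserProfile:
    known_devices: set          # device identifiers previously enrolled by this user
    usual_countries: set        # countries the user normally logs in from
    usual_hours: range          # hours of the day (UTC) the user normally logs in


@dataclass
class LoginContext:
    device_id: str
    country: str
    hour_utc: int
    failed_attempts: int        # failed logins on this account in the last hour
    factors_presented: set      # factors already verified in this session


@dataclass
class Decision:
    action: str                 # "allow", "step_up" or "deny"
    score: int
    reasons: list
    step_up_options: set = field(default_factory=set)   # factors that would satisfy the policy


def risk_score(ctx: LoginContext, profile: UserProfile):
    """Additive risk score. Weights are illustrative assumptions, not calibrated values."""
    signals = [
        (ctx.device_id not in profile.known_devices, 40, "unknown device"),
        (ctx.country not in profile.usual_countries, 30, "unusual country"),
        (ctx.hour_utc not in profile.usual_hours, 15, "unusual hour"),
        (ctx.failed_attempts >= 3, 25, "recent failed attempts"),
    ]
    hits = [(weight, reason) for fired, weight, reason in signals if fired]
    return sum(weight for weight, _ in hits), [reason for _, reason in hits]


def decide(ctx: LoginContext, profile: UserProfile) -> Decision:
    """Map risk to a required assurance level and check the factors presented against it."""
    score, reasons = risk_score(ctx, profile)
    presented = ctx.factors_presented & set(FACTOR_STRENGTH)
    assurance = sum(FACTOR_STRENGTH[f] for f in presented)
    # A step-up never asks for a password: the goal is to retire it, not lean on it.
    non_password = set(FACTOR_STRENGTH) - {"password"}

    if score >= 85:
        # Too risky to continue: refuse and leave it to the SOC, do not offer a step-up.
        return Decision("deny", score, reasons)
    if score >= 40:
        # High risk: only a phishing-resistant factor counts; password and OTP do not help.
        if presented & PHISHING_RESISTANT:
            return Decision("allow", score, reasons)
        return Decision("step_up", score, reasons, PHISHING_RESISTANT - presented)
    if score >= 15:
        # Medium risk: two weak factors or one strong one.
        if assurance >= 2:
            return Decision("allow", score, reasons)
        return Decision("step_up", score, reasons, non_password - presented)
    # Low risk (enrolled device, usual place and time): any single verified factor is enough.
    if assurance >= 1:
        return Decision("allow", score, reasons)
    return Decision("step_up", score, reasons, non_password)


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    profile = UserProfile(known_devices={"laptop-1"}, usual_countries={"IN"},
                          usual_hours=range(7, 20))
    attempts = [
        LoginContext("laptop-1", "IN", 10, 0, {"password"}),          # routine login
        LoginContext("laptop-1", "IN", 23, 0, {"password"}),          # odd hour
        LoginContext("phone-9", "IN", 10, 0, {"password", "totp"}),   # new device, OTP only
        LoginContext("phone-9", "IN", 10, 0, {"webauthn"}),           # new device, FIDO2
        LoginContext("phone-9", "FR", 10, 3, {"password", "totp"}),   # looks like an attack
    ]
    for ctx in attempts:
        d = decide(ctx, profile)
        print(f"{d.action:8} score={d.score:3} reasons={d.reasons} step_up={sorted(d.step_up_options)}")
```

Because the decision is recomputed on every call, the same function serves both the initial check and the re-check after the user presents the requested factor; the caller only needs to add the newly verified factor to `factors_presented` and call `decide` again.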

This blog was first published on Accops Blog.


The contents of third-party articles/blogs published here on the website, and the interpretation of all information in the articles/blogs such as data, maps, numbers, opinions etc. displayed in the articles/blogs, and the views or opinions expressed within the content, are solely the author's and do not reflect the opinions and beliefs of NASSCOM or its affiliates in any manner. NASSCOM does not take any liability with respect to the content in any manner and will not be liable in any manner whatsoever for any kind of liability arising out of any act, error or omission. The third-party articles/blogs published are provided solely as a convenience; the presence of these articles/blogs should not, under any circumstances, be considered an endorsement of their contents by NASSCOM in any manner; and if you choose to access these articles/blogs, you do so at your own risk.



© Copyright nasscom. All Rights Reserved.