Martin Ladstaetter, Senior Vice President and Head of Identity & Access Management Solutions at HID Global.
Historians believe that the first computer password was created in 1961 by MIT computer science professor Fernando Corbató, who needed a way to manage access to a time-sharing computer. A year later, one of Corbató’s colleagues committed the first recorded password theft when he printed a log of those passwords and used them to increase the number of hours he could work on the system.
Since then, we’ve all become familiar with the weaknesses of passwords: hard to remember, easy to steal and time-consuming to manage. However, few alternatives have emerged that are as simple, especially at the enterprise level, so organizations have been stuck trying to improve passwords instead. We forced users to choose stronger passwords, made them change passwords every few months and added multi-factor authentication. Still, we spend considerable sums on password-related support costs. To address this, the FIDO Alliance created a set of open standards that replace passwords with logins backed by cryptographic credentials, which can be embedded directly into almost any device. (Disclosure: HID is a member of and contributor to the FIDO Alliance.)
You’ve probably encountered FIDO through the passkey, a passwordless credential used to sign in to a digital account. Passkeys are resistant to phishing, are widely supported by the major technology platforms and have seen increasing adoption in consumer applications from companies such as PayPal, Nintendo and Amazon. Passkeys are now available for more than 7 billion online accounts.
In this article, we will explore why passkeys matter and some critical elements of the technology to consider. But first, let’s examine how it works.
How passkeys work
A passkey is a cryptographic key pair tied to a person’s device or account on a particular service or application. The private key stays on the user’s device; only the matching public key is registered with the service. To authenticate with a passkey, the user unlocks the device where it is stored via a user verification method (such as a PIN or biometric), and in the background the device signs a one-time challenge from the service with the private key, proving that the user still holds the passkey. If the service verifies the signature against the registered public key, access is granted.
There are two ways to store passkeys:
Synced passkeys
These are stored by a cloud-based credential manager and synced across a user’s devices, such as smartphones, tablets or laptops. This lets users access an account from multiple devices without registering each device separately. It also preserves the passkeys if a device is lost.
Device-bound passkeys
Device-bound passkeys tie a credential to one dedicated device, such as a smart card or USB security key. Users must register that card or key before they can access an account; they can then use it with any phone or computer they happen to be working on.
Passkeys combine an improved user experience with a high level of security. Previously, the technology behind passkeys, public key cryptography, was associated with high-security deployments in government agencies and heavily regulated industries. Now it is standardized and supported by major platforms and devices, making it accessible to almost everyone.
Passkeys are phishing-resistant, and they cannot be stolen in a breach of the service, because only public keys are stored on its servers. They can also be implemented in various ways depending on the need and use case.
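To make the challenge-and-signature ceremony and the "only public keys on the server" point concrete, here is a simplified Go model of the two sides of a passkey login. It is an added illustration written for this article, not code from HID, the FIDO Alliance or any WebAuthn library, and it omits user verification, attestation and the signed authenticator data that a real relying party also checks. The origin https://login.example.com, the user name "alice", the credential IDs and the look-alike domain login.examp1e.com are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// RelyingParty is the service side. It stores only public keys, so a breach of its database yields nothing an attacker can sign with.
type RelyingParty struct {
	Origin     string                                 // the only origin this service accepts assertions for
	Users      map[string]map[string]*ecdsa.PublicKey // username -> credential ID -> public key
	challenges map[string]string                      // username -> outstanding single-use challenge
}

// Authenticator models the user's device (phone, security key, smart card); the private key is created here and never leaves.
type Authenticator struct {
	CredID string
	priv   *ecdsa.PrivateKey
}

// ClientData mirrors WebAuthn's clientDataJSON; the browser, not the site, fills in Origin.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, Users: map[string]map[string]*ecdsa.PublicKey{}, challenges: map[string]string{}}
}

// NewAuthenticator generates a fresh P-256 key pair, as a FIDO authenticator does at registration.
func NewAuthenticator(credID string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{CredID: credID, priv: priv}, nil
}

// Register keeps only the public half of the key pair, indexed by credential ID.
func (rp *RelyingParty) Register(user string, a *Authenticator) {
	if rp.Users[user] == nil {
		rp.Users[user] = map[string]*ecdsa.PublicKey{}
	}
	rp.Users[user][a.CredID] = &a.priv.PublicKey
}

// BeginLogin issues a random challenge; FinishLogin consumes it, so a captured assertion cannot be replayed.
func (rp *RelyingParty) BeginLogin(user string) string {
	buf := make([]byte, 32)
	rand.Read(buf) // crypto/rand.Read is documented never to return an error
	rp.challenges[user] = base64.RawURLEncoding.EncodeToString(buf)
	return rp.challenges[user]
}

// Assert is the client side: the browser records the origin it is really connected to, and the authenticator (after PIN/biometric user verification, omitted here) signs the SHA-256 hash.
func (a *Authenticator) Assert(challenge, origin string) (credID string, clientData, sig []byte, err error) {
	clientData, err = json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return "", nil, nil, err
	}
	h := sha256.Sum256(clientData)
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, h[:])
	return a.CredID, clientData, sig, err
}

// FinishLogin is the server side: consume the challenge, check type and origin, then verify the signature with the public key registered under that credential ID.
func (rp *RelyingParty) FinishLogin(user, credID string, clientData, sig []byte) error {
	var cd ClientData
	if err := json.Unmarshal(clientData, &cd); err != nil {
		return err
	}
	expected, ok := rp.challenges[user]
	delete(rp.challenges, user) // one attempt per challenge, success or failure
	if !ok || cd.Challenge != expected {
		return fmt.Errorf("unknown or stale challenge")
	}
	if cd.Type != "webauthn.get" || cd.Origin != rp.Origin {
		return fmt.Errorf("origin mismatch: signed for %q, expected %q", cd.Origin, rp.Origin)
	}
	h := sha256.Sum256(clientData)
	pub, found := rp.Users[user][credID]
	if !found || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("unknown credential or bad signature")
	}
	return nil
}
```

Two properties from the text fall out of this structure. A dump of the relying party's Users table contains nothing an attacker can sign with, which is why a server breach does not compromise the credential. And phishing fails for a different reason: the browser, not the user, writes the origin into the signed client data, so an assertion the victim approves on a look-alike domain carries that domain's origin and is rejected even though the signature itself is cryptographically valid, and rewriting the origin after signing invalidates the signature. In production, use a maintained WebAuthn library rather than a sketch like this one.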
Passkey Deployment: Which Format Is Best?
Beyond reducing the risk of phishing, passkeys can speed up access to digital services. Since passwords account for more than 40% of help desk calls, that is an important consideration.
Of course, flexibility brings options, which can be difficult to navigate for organizations interested in exploring passkeys and wondering what’s right for them. Here are some considerations to help you decide.
Synced passkeys are convenient and likely familiar to many employees from consumer services (such as Gmail or PayPal accounts). However, because they are automatically replicated to every synced device, they can be difficult for higher-security organizations and environments to manage. Bring-your-own-device (BYOD) policies complicate matters further by making it hard for organizations to track which passkeys are stored on which devices.
Device-bound passkeys provide a higher degree of protection and can increase operational efficiency in carefully designed systems. One such option is a corporate ID card used for passwordless access to both business apps and doors. With a single card and a single registration, organizations can deploy device-bound passkeys that let employees open office doors and also log in to printers, workstations and digital applications. However, while device-bound passkeys are considered more secure than synced passkeys, they pose a challenge if the device is lost or damaged, potentially locking users out of their accounts.
According to the FIDO Alliance, more than half of consumers are now familiar with passkeys. However, passkeys aren’t the only way businesses can benefit from asymmetric (public key) cryptography, often called the backbone of digital security. PKI certificates can also be provisioned to a wide range of devices to eliminate the need for passwords and provide a seamless experience for end users. PKI requires more careful planning and management, but it also offers capabilities beyond authentication and can be used for data encryption and digital signatures.
Passkey challenges to consider
As the root cause of over 80% of data breaches, passwords are a big problem for businesses. Passkeys are among the most convenient and widely supported alternatives, but it’s important to understand when they are (and aren’t) a good fit.
Because of the management issues described above, most businesses choose device-bound passkeys. For organizations that add the technology to existing corporate ID cards, the change management burden is often low. Conversely, convincing people to carry a new device can prove more difficult. Most people, however, are interested in improving account security. Helping them understand how and why passkeys fit into this goal can go a long way toward improving adoption.
Device loss is one of the most common user problems. A strong backup plan, either registering and maintaining a second key or defining alternative authentication methods for account recovery, can help mitigate the risk. For example, enabling a combination of other factors, including fingerprint or facial biometrics, to let users recover their accounts provides the everyday convenience of passkeys with a secure fallback if the passkey has to be replaced.
Passkeys and other authentication technologies will always be part of a larger security framework. Evaluate them against the security you need, the workflow that’s best for your users and your existing IT infrastructure.
Final thoughts
Passwordless authentication has finally reached a tipping point as more organizations plan to reduce their reliance on passwords. As companies consider passkeys to strengthen their security posture, it’s important to have an effective strategy that plans for potential challenges and positions teams for long-term success.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.