April 6, 2020

All Passwordless Solutions Are Not Created Equal

How often have passwords been the cause of a security breach that damaged an organization? The news seems filled with reports of over 2 billion breached or compromised passwords, yet passwordless authentication still seems like a “nice to have” for the average Chief Information Security Officer (CISO).

What Is Passwordless Authentication?

It doesn’t take a rocket scientist to understand that a passwordless authentication solution is one that doesn’t rely on the ubiquitous username/password combination to authenticate a user. If everyone hates passwords so much, then how long should your users have to wait for relief?

The obvious question you may be asking is whether a passwordless authentication solution is worth the effort. According to a Smarter With Gartner blog by Gloria Omale titled “Eliminate centrally managed passwords for better security, fewer breaches, lower support costs and enhanced user experience”:

“Passwordless authentication, by its nature, eliminates the problem of using weak passwords. It also offers benefits to users and organizations. For users, it removes the need to remember or type passwords, leading to better user experience and customer experience. For organizations, there’s no longer a need to store passwords, leading to better security, fewer breaches and lower support costs.”

So, yes, it is absolutely worth your time to make this an integral part of your Identity and Access Management strategy. Now the question is a matter of “when” and not “if”.

Here, There, But Not Everywhere

Even though there is a universal consensus that passwords have long outlived their usefulness, most companies still rely on them heavily. In siliconANGLE’s “Cybersecurity Special Report: Rethinking Trust,” Gartner analyst Ant Allan stated:

“Gartner predicts that, by 2023, 30% of organizations will leverage at least one form of passwordless authentication, eliminating static, stored passwords – a major increase from just 5% that do so today. However, technology constraints make a universal approach to passwordless authentication elusive.”

He goes on to offer three approaches to implementing passwordless authentication today:

  1. Replacing a legacy password as the sole authentication factor: here you replace the login/password combination as the sole authentication factor with something else, such as biometrics (e.g. a fingerprint or face scan) or a token-based system like FIDO2.
  2. Replacing a legacy password as one factor in MFA: this approach is basically the same as above, except that instead of single-factor authentication you use a Multi-Factor Authentication (MFA) approach in which the login/password is replaced as one of the factors. Normally in MFA a login/password combination is supplemented by other authentication techniques like biometrics, FIDO2, captcha, or SMS codes.
  3. Eliminating authentication factors altogether: referred to as “zero-factor” authentication, this approach leverages rule-based evaluation of network, location and device signals, or passive behavioral biometric modes, for a more resilient and flexible approach.

A Passwordless Solution You Can Rely On

At Acceptto, we believe the best approach is eliminating authentication factors altogether. More than that, we believe the best approach does this on a continuous basis, so you don’t face identity impersonation after a classic binary authentication process has granted access to a valid credential.

Acceptto’s eGuardian engine continuously creates and monitors user behavior profiles based on the user’s interaction with the It’sMe authenticator. Every time an activity occurs, actionable intelligence is gathered and used to refine the user profile. eGuardian is capable of autonomously and continually learning new policies and adapting existing ones. While policies can still be manually defined and contribute to the computation, our Behavioral AIML approach automatically finds the optimal policy for each transaction. eGuardian leverages a mixture of AI & ML, expert systems and SMEs to classify, detect, and model behavior, and assigns real-time risk scores to continuously validate your identity before, during and after authentication.

With Acceptto’s Continuous Behavioral Authentication you can ensure:

  • Actionable threat analytics: Real-time, continuous identity monitoring & validation post-authentication.
  • Dynamic authentication: Adjustable, risk-based policy orchestration and continuous enforcement.
  • Credential stuffing neutralized: Eliminate account takeover (ATO) instantly with intelligent contextual MFA.

Check out what Acceptto can do to ensure your employees, partners and customers can authenticate without passwords and still ensure security and privacy.
