wladimir1804 - stock.adobe.com

Passwordless enterprise already possible, says RSA

The passwordless enterprise is getting easier to attain as the security industry gears up to support a passwordless future, says RSA’s identity chief

This article can also be found in the Premium Editorial Download: Computer Weekly: From IT disaster to digital innovation at RBS

The security industry has long recognised the need to move away from password-based authentication and is finally on the brink of achieving that, says Jim Ducharme, vice-president of identity at RSA.

“We are on the cusp of some things that can really change the game and make passwordless security ubiquitous,” Ducharme told Computer Weekly, adding that it is already a reality for some organisations.

Enterprise users and security professionals alike are frustrated by the inefficiency and lax security of passwords for user authentication, a recent survey by IDG and MobileIron showed, with 90% of security professionals reporting that they had seen unauthorised access attempts because of stolen credentials, 86% saying they would get rid of password use as an authentication method if they could, and 62% reporting extreme user irritation with password lockouts.

“Most ‘passwordless’ options in the market today do not truly eliminate passwords because, ultimately, they rely on a password for enrolment, account resets or replacing lost credentials, with consumer market options such as the Apple iPhone’s Touch ID and Face ID systems still requiring users to enter passwords or passcodes from time to time,” said Ducharme.

“These and other so-called ‘passwordless’ authentication methods are simply proxies for a password that lives underneath it. The iPhone has done a good job of integrating a passwordless experience to unlocking your device, but there is still a password underneath.

“So although Touch ID and Face ID have reduced the number of times that a password is needed, they have not really eliminated it or improved security because if I know your AppleID and password, I could establish a passwordless biometric authenticator to unlock a device and pretend to be you.”

According to Ducharme, the way to test if an offering is truly “passwordless” is to examine how it handles enrolment and account reset or credential recovery, which RSA has invested in addressing.

“Most security suppliers are typically still lacking the credential enrolment and credential recovery piece of it,” he said. “So while many suppliers have support for passwordless authentication methods and even have them integrated into the back end, they are still rooted in an Active Directory password.”

The key to enabling a passwordless enterprise is to solve these two challenges and give organisations the ability to cope with a wide variety of authenticators, including biometrics, hardware tokens and even mobile devices, said Ducharme.

To meet these challenges, RSA access management products use SAML (security assertion markup language) and other means to integrate a broad spectrum of passwordless authenticators into applications on the back end, and enable passwordless enrolment and credential recovery either by using existing RSA SecureID or third-party hardware tokens that comply with Fido standards or single-use QR codes that customer organisations can send to new employees.

RSA is also working on a third option, which is based on the belief that there is a lot of potential for enabling friends and family to vouch for each other in building trust relationships, said Ducharme. “When you want to enrol in something, you should be able to establish cryptographic connections to other people who are trusted to establish a new trusted relationship,” he added. “So if you lose your credentials, your recovery mechanism is your cryptographic connection to your circle of friends, colleagues and family.”

Despite RSA’s successes in this area, Ducharme said that for the passwordless enterprise to be an option for all organisations, standards such as the Fido authentication standard and the OAuth standard need to be widely implemented.

“For passwordless authentication to be ubiquitous, standards like Fido and OAuth need to bridge that last mile to integrate with applications,” he said. This would enable more suppliers in the security industry to deal with the credential enrolment and credential recovery challenges.

But, for the first time, a ubiquitous and truly passwordless future is within reach, said Ducharme. “Fido holds great promise and is gradually being supported by more browsers, Microsoft’s Windows Hello biometric authentication technology will soon start to be rolled out in enterprises as the latest versions of Windows are deployed, and with each hardware refresh cycle, enterprises are increasing the number of laptops with integrated fingerprint scanners and webcams,” he said.

Read more about password security

Looking to the future, Ducharme believes the security industry needs to be guided by the approach and successes of the anti-fraud industry to shift the focus from the front end to the back end and move beyond conditional access technologies.

“Right now, the biggest area of VC [venture capital] investment in IT security is in all new types of authentications,” he said. “The industry’s propensity is to look at new things that the user has to do to prove that they are who they say they are.

“But if you look at the anti-fraud market, the propensity is for new types of data to look at during that transaction to understand if an activity is anomalous.

“Anti-fraud looks to evolve the controls on the back end of the transaction, but in the workplace, we are constantly looking for new ways to put controls on the front end of the transaction.”

Although there are some advancements in the market with the introduction of, for example, conditional access based on device ID and location, Ducharme said that does not get rid of the password and typically leads to another policy management problem.

“Attackers can find holes in your policies and it is too easy to spoof a lot of the conditional-based access, so while it is better than just a password on its own – and I am not saying don’t do that – it is not sufficient to go truly passwordless,” he said.

By focusing on back-end security controls and processes, said Ducharme, banking institutions have been able to protect the bank accounts of customers that are otherwise protected only by a debit card and a four-digit PIN, which is much easier to remember than a complex, frequently-changing password.

“The IT security industry should tackle the problem in the same way by implementing security controls and adding intelligence on the back end to detect when there is strange behaviour, which is where artificial intelligence [AI] and machine learning risk-based authentication technologies really come into play, much like the anti-fraud industry has been doing for years,” he said, adding that AI and machine learning can detect a lot of the same things as conditional access, but they are not static, are not reliant on policy, and can identify patterns that security teams are unaware they should be looking for.

“There are are all sorts of methods that we are looking at that are largely workflow-based and process-based that remove the need for a password altogether, including back-end processes to support enrolment and credential recovery using backup credentials that are not password- or knowledge-based,” said Ducharme.

“Achieving a passwordless enterprise will make it much easier to manage a dynamic workforce because organisations will be able to provide different credentials for different user populations that are best suited to the way they work and their security requirements.”

Read more on Identity and access management products

Data Center
Data Management