Problems with Passwords

We all know that it is risky to authenticate employees, contractors, citizens and customers with passwords. The proof is in the seemingly endless list of credential based security breaches that we see in the news every day.

There is also no doubting the devastating business impact of these breaches. It’s estimated that the average ransomware payment reaches almost $1.5 million and the average cost of business interruption from ransomware tops $5 million, according to a Lockton report.

What can we use instead of passwords that will prevent these breaches and keep our workforce, citizens, and customers safe?

This is what our chief strategy officer, Mike Engle, and Aite Group Senior Analyst, Steve Hunt, discussed in our on-demand webinar “Passwordless Authentication has an Identity Crisis”.

Steve Hunt shared his insights from his research into the factors that motivate many organizations to augment or replace passwords. Mike Engle explored Identity Based Authentication as the solution which eliminates passwords while giving organizations certainty about who is on the other side of the digital connections in their network.

Do 2FA, MFA and Passwordless Solutions Prevent Breaches?

Although 2FA adds a trust signal, it unnecessarily complicates the user experience by sending users on a chase for text messages or one-time codes sent via email. Most importantly 2FA does not solve the fundamental problem with passwords because the identity of the user still isn’t proven.

Similar to 2FA, the challenges of MFA solutions are tied to one primary challenge in proving a user’s identity. MFA solutions, even modern biometrics, don’t include one of the most important, and perhaps even necessary, aspects of authentication: demonstrating that the person actually accessing an account is who they say they are. This is because biometrics do not equal identity.

When you provide a password or a PIN, or even a code sent to you via SMS, the system assumes that you are who you are because only you should have access to those resources. We all know, however, that security is imperfect. Even modern biometrics, as far as they’ve come, can be spoofed or faked. There are solutions that attempt to mitigate bypassing multi-factor authentication like FIDO2, but not every authentication solution follows this standard and, following that, opens the possibility of account breach even with MFA enabled.

Unfortunately, most passwordless solutions on the market today struggle with the same challenges as MFA. This is because their passwordless solutions are still using password based systems that are not bound to a proven identity. Although many companies are going passwordless, they still do not know who is on the other side of the digital connection unless their passwordless solution is leveraging biometric, identity based authentication.

While 2FA, MFA, and passwordless solutions are more secure than older forms of authentication, we must take our security even further with critical identity proofing measures. This form of proofing includes using authorized agents to perform document and physical proofing in-person or virtually. With this additional level of security, your system can know that whoever is accessing a system is who they say they are.

Why Does Identity Based Authentication Solve the Fundamental Issue With Passwords?

Bringing identity based authentication into your security architecture ensures that you know that the people who are accessing your networks are who they claim to be, always. What does this look like in practice?

To implement identity-based MFA, users would need to verify their identity using government, telco, and banking credentials. Then, once verified, workers, partners and customers would use their digital identity to be recognized at login or transaction approval, providing them ease of use and organizations a high level of assurance for who is at the other end of the digital connection.

How Flexible Is Identity Based Authentication?

Organizations can build verification workflows to proof identities with flexible levels of identity assurance. The advantage of 1Kosmos BlockID Verify is the flexibility of assurance levels it can support. Organizations can choose the assurance their business needs right up to and including KYC, NIST 800 63-3 standards for Identity Assurance Level 2 (IAL2) and Authentication Assurance Level 2 (AAL2).

Once verified, the employee, contractor, customer or citizen will use their digital identity rather than a username and password for account login or transaction approval, providing them with a positive user experience and the organization with a high level of certainty for who is at the other end of the digital connection.

Depending on the business need, organizations can match the verification level to the assurance requirement. For example, one might require a higher level of assurance for a user transferring $10,000 than a user using a photocopier.

Adding flexible levels of assurance as a key pillar to network security helps CISOs regain control of their IT services from anonymous users hiding behind compromised logins. With identity based authentication organizations will no longer be held hostage to data breach, ransomware, and financial fraud perpetrated via identity deception.

Are you interested in learning more? Download our Passwordless Authentication has an Identity Crisis webinar with Aite Group. Whether you are new to passwordless or are looking to upgrade your strategy, this webinar is full of actionable takeaways.