Passwords: it’s time to move on.
January 14, 2024
I get confused every day because you’re so complex....
I’m tired of everything changing every three months....
It's not me, it's you.
Bruce Schneier put it best: “only amateurs attack machines, professionals target people”, and it is something we continue to see time and time again as the largest companies on earth are breached.
There is a consistent theme in nearly every breach of recent times: credential theft.
A few years ago some commentators began calling passwords ‘hope-based authentication’: we hope we can remember them, hope we have not reused them, and hope they do not get stolen.
Moving away from knowledge-based authenticators such as passwords and secret questions is paramount if the needle is to shift significantly. If passwords were a relationship, it would be time to pack our gear, move out, block their number and never speak of them again.
Both major cloud identity players support passwordless sign-in: Okta, through Okta Identity Engine (OIE) with FastPass, and Microsoft Entra ID (formerly Azure AD), through its passwordless authentication methods.
When we first deployed passwordless for a client using Okta back in 2021, we noticed the positive impact immediately: users were no longer susceptible to direct credential phishing.
When users opened a phishing email with a fake login form, they closed it straight away, because they were never asked for a password in their day-to-day sign-in. They did set a password on day one, but from then on they signed in with a combination of Windows Hello biometrics, hardware tokens, and push notifications with number matching. Of those, Windows Hello and the hardware tokens are the phishing-resistant methods; number-matching push mainly defeats MFA-fatigue prompts and is best treated as the fallback.
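The habit described above (no password to type, so nothing to hand over) is only half the story. FIDO2 authenticators such as Windows Hello and hardware security keys are phishing-resistant by construction, because the credential is bound to the site's origin. The following is an added example, not code from the original post or from Okta or Microsoft: a toy model of the WebAuthn sign-in checks in Python. The relying-party verification steps (challenge, origin, rpIdHash, user-present flag, signature counter) follow the WebAuthn specification, but the authenticator's public-key signature is stood in for by an HMAC so the file runs on the standard library alone; the domain names, user name and all data are constructed for the example.

```python
"""Added example: why a FIDO2/WebAuthn credential cannot be phished.

Not code from the original post. Relying-party checks mirror the WebAuthn
verification steps; the authenticator's signature is an HMAC stand-in so the
example runs on the standard library. All names and data are constructed."""
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example.com"                  # relying-party identifier (a domain)
RP_ORIGIN = "https://login.example.com"      # the only origin the RP accepts
PHISH_ORIGIN = "https://login-example.com"   # constructed look-alike domain


def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


class Authenticator:
    """Models a platform or roaming authenticator. Each credential is scoped to
    the rpId it was created for and is never used for any other rpId."""

    def __init__(self):
        self._creds = {}  # credential_id -> {rp_id, key, count}

    def make_credential(self, rp_id: str):
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[cred_id] = {"rp_id": rp_id, "key": key, "count": 0}
        return cred_id, key  # with real FIDO2 the RP would receive a public key

    def get_assertion(self, cred_id: bytes, rp_id: str, client_data_hash: bytes):
        cred = self._creds[cred_id]
        if cred["rp_id"] != rp_id:
            raise PermissionError("credential is not scoped to this rpId")
        cred["count"] += 1
        # authenticatorData = rpIdHash || flags (UP bit set) || signCount
        auth_data = sha256(rp_id.encode()) + b"\x01" + cred["count"].to_bytes(4, "big")
        sig = hmac.new(cred["key"], auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


def browser_get(page_origin: str, authn: Authenticator, cred_id: bytes, rp_id: str, challenge: str):
    """Models navigator.credentials.get(): the browser, not the page, writes the
    origin into clientDataJSON and refuses an rpId that is not the page's domain
    or a registrable suffix of it, so a look-alike host cannot request
    login.example.com's credential."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"rpId {rp_id!r} is not valid for origin {page_origin!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, separators=(",", ":")).encode()
    auth_data, sig = authn.get_assertion(cred_id, rp_id, sha256(client_data))
    return client_data, auth_data, sig


class RelyingParty:
    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin = rp_id, origin
        self.users = {}    # username -> {id, key, count}
        self.pending = {}  # one-shot challenge -> username

    def register(self, username: str, cred_id: bytes, key: bytes):
        self.users[username] = {"id": cred_id, "key": key, "count": 0}

    def begin_login(self, username: str) -> str:
        challenge = secrets.token_urlsafe(32)
        self.pending[challenge] = username
        return challenge

    def finish_login(self, client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
        cd = json.loads(client_data)
        username = self.pending.pop(cd.get("challenge"), None)
        if username is None or cd.get("type") != "webauthn.get":
            return False                            # unknown or replayed challenge
        if cd.get("origin") != self.origin:
            return False                            # origin binding: a phishing page fails here
        if auth_data[:32] != sha256(self.rp_id.encode()):
            return False                            # rpIdHash must be ours
        if not auth_data[32] & 0x01:
            return False                            # user-present flag not set
        user = self.users[username]
        expected = hmac.new(user["key"], auth_data + sha256(client_data), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False                            # bad signature (HMAC stand-in)
        count = int.from_bytes(auth_data[33:37], "big")
        if count <= user["count"]:
            return False                            # counter went backwards: cloned authenticator
        user["count"] = count
        return True


def demo():
    """Returns (legit_login_ok, phishing_outcome, forged_origin_accepted)."""
    authn, rp = Authenticator(), RelyingParty(RP_ID, RP_ORIGIN)
    cred_id, key = authn.make_credential(RP_ID)
    rp.register("alice", cred_id, key)
    # 1. Normal sign-in from the genuine origin.
    legit = rp.finish_login(*browser_get(RP_ORIGIN, authn, cred_id, RP_ID, rp.begin_login("alice")))
    # 2. A phishing page relays the real challenge; the browser refuses the request.
    challenge = rp.begin_login("alice")
    try:
        browser_get(PHISH_ORIGIN, authn, cred_id, RP_ID, challenge)
        phish = "assertion released"
    except PermissionError:
        phish = "browser refused"
    # 3. Even if an assertion carrying the phishing origin reached the RP
    #    (bypassing the browser), the RP's origin comparison rejects it.
    forged_cd = json.dumps({"type": "webauthn.get", "challenge": challenge,
                            "origin": PHISH_ORIGIN}, separators=(",", ":")).encode()
    auth_data, sig = authn.get_assertion(cred_id, RP_ID, sha256(forged_cd))
    return legit, phish, rp.finish_login(forged_cd, auth_data, sig)


if __name__ == "__main__":
    print(demo())  # (True, 'browser refused', False)
```

Contrast this with a password: the same string works on any page that asks for it, so the user's habit is the only defence. Here the browser refuses to release the credential to the look-alike domain, and the relying party independently rejects any assertion whose signed clientDataJSON names the wrong origin, so even a relayed challenge buys the attacker nothing.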
This profoundly improved the user experience too: fewer steps to get access, no password-recovery flows, and no late-night service-desk calls.
Getting to passwordless is not impossible. We have helped a number of customers make the journey, in many cases as part of adopting a zero-trust architecture.
By assessing the capabilities of your existing identity provider and mapping your user-experience and security requirements, the new experience can be rolled out to users progressively, so that passwords take a back seat.
Want to remove passwords from your organisation? Get in touch.
So here’s to you, passwords. It was great to know you, it was fun to attempt to remember you, but I think the world we know will be a better place without you now.