Navigating the Passwordless Future: Enhancing Digital Security

Why isn’t the world moving more quickly towards passwordless tech?

Passwords have long been the bedrock of cybersecurity, but let’s face it, they aren’t a great solution, especially when personal and financial data is at risk. If you show me a news article about a high-profile breach, I’m probably going to point to reliance on passwords as one likely cause. 

Examples: 

  • In 2020, Ticketmaster pleaded guilty to a charge of repeatedly and illegally accessing competitors’ computers. How? They had an employee who used to work for a rival company. That employee was able to use the login credentials for multiple corporate accounts at that rival company to steal information. 
  • In 2021, the New York City Law Department ended up exposing the personal data of thousands of city employees. This included evidence of police misconduct, medical records for plaintiffs, and more. All because of a single employee’s stolen email account password.
  • 23andMe, in 2023, exposed data for millions of users, thanks to hackers using all the previously leaked passwords they could find to run what’s called a credential stuffing attack, which got them into the systems where they could harvest data to their dirty little hearts’ content.
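As an added example that is not part of the original post, here is what the credential stuffing pattern from the 23andMe case looks like from the defender's side: a small Node.js detector run over a handful of constructed authentication log lines. The log format, addresses, usernames and thresholds are all assumptions made for the illustration. It flags a source that fails against many different usernames inside a short window (a real user retyping their own password only ever fails on one username), and it lists any account that source then got into, since those are the credentials confirmed as leaked and in need of a reset.

```javascript
// Added example, not code from the original post. Log format, addresses,
// usernames and thresholds are constructed for this illustration.

// Constructed sample: one user mistyping a password, then one source address
// trying many different usernames in quick succession.
const SAMPLE_LOG = `
2024-03-01T09:00:01Z ip=198.51.100.4 user=alice result=fail
2024-03-01T09:00:09Z ip=198.51.100.4 user=alice result=fail
2024-03-01T09:00:15Z ip=198.51.100.4 user=alice result=success
2024-03-01T09:01:00Z ip=203.0.113.7 user=alice result=fail
2024-03-01T09:01:02Z ip=203.0.113.7 user=bob result=fail
2024-03-01T09:01:04Z ip=203.0.113.7 user=carol result=fail
2024-03-01T09:01:06Z ip=203.0.113.7 user=dave result=fail
2024-03-01T09:01:08Z ip=203.0.113.7 user=erin result=fail
2024-03-01T09:01:10Z ip=203.0.113.7 user=frank result=success
2024-03-01T09:30:00Z ip=203.0.113.7 user=grace result=fail
`;

function parseLine(line) {
  const m = /^(\S+) ip=(\S+) user=(\S+) result=(success|fail)$/.exec(line.trim());
  if (!m) return null; // skip blank or malformed lines
  return { ts: Date.parse(m[1]), ip: m[2], user: m[3], ok: m[4] === 'success' };
}

// Flags a source address once it has failed against at least minDistinctUsers
// different usernames inside a sliding window of windowMs.
function detectCredentialStuffing(logText, { windowMs = 60_000, minDistinctUsers = 5 } = {}) {
  const byIp = new Map();
  for (const line of logText.split('\n')) {
    const ev = parseLine(line);
    if (!ev) continue;
    if (!byIp.has(ev.ip)) byIp.set(ev.ip, []);
    byIp.get(ev.ip).push(ev);
  }

  const alerts = [];
  for (const [ip, events] of byIp) {
    events.sort((a, b) => a.ts - b.ts);
    const failedUsers = new Map(); // username -> failures currently inside the window
    let start = 0;
    let alert = null;
    for (let end = 0; end < events.length; end++) {
      const ev = events[end];
      if (!ev.ok) failedUsers.set(ev.user, (failedUsers.get(ev.user) ?? 0) + 1);
      // Drop events that have aged out of the window.
      while (events[start].ts < ev.ts - windowMs) {
        const old = events[start++];
        if (!old.ok) {
          const n = failedUsers.get(old.user) - 1;
          if (n === 0) failedUsers.delete(old.user); else failedUsers.set(old.user, n);
        }
      }
      if (!alert && failedUsers.size >= minDistinctUsers) {
        const inWindow = events.slice(start, end + 1);
        alert = {
          ip,
          windowStart: new Date(events[start].ts).toISOString(),
          distinctUsers: failedUsers.size,
          failures: inWindow.filter((e) => !e.ok).length,
          // Accounts this source got into: confirmed-leaked credentials to reset.
          compromised: inWindow.filter((e) => e.ok).map((e) => e.user),
        };
      } else if (alert && ev.ok) {
        alert.compromised.push(ev.user);
      }
    }
    if (alert) alerts.push(alert);
  }
  return alerts;
}

function runSample() {
  return detectCredentialStuffing(SAMPLE_LOG);
}

console.log(JSON.stringify(runSample(), null, 2));
```

On the constructed sample, 198.51.100.4 is left alone (one username, two typos, then success) while 203.0.113.7 is flagged after its fifth distinct failing username, with frank listed as the account it subsequently got into. Real attackers spread attempts across many addresses, so a production detector keys on more than the source IP (user-agent, ASN, per-account failure spikes), but the per-source distinct-username count is the classic first signal.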

What’s so wildly frustrating about all this is that there are better ways to secure accounts! We just have to get companies to support them.

So, let’s look at a more secure alternative.

The Case for Going Passwordless 

Older passwordless solutions, like hardware tokens and smart cards, definitely offer enhanced security. You have to physically have a thing in order to access a thing. Combine that with something like biometrics, and suddenly you have two-factor authentication: something you have and something you are. I’ll be the first to admit, though, that diving straight into requiring a physical … something … to log in is not going to be the solution for everyone. It’s an extra step, and it involves someone buying that physical thing. There is always a cost associated with security, and it may outweigh the value of the data you are trying to protect. 

The really good news here is that cute little hardware tokens that you are going to lose, or, if you’re like my friend Sarah, will need to turn into a pair of earrings so you don’t lose them, are no longer your only option for going passwordless. Enter, stage left, passkeys!

About Passkeys

Passkeys are a technology that feels almost too good to be true, because they can work with your mobile device OR with a hardware token. What you use to store your passkey depends a lot on what security model you’re following: super duper high levels of security, or a casual, please don’t access my New York Times subscription model. If you want the full gory details of how passkeys work, I suggest you go down the rabbit hole at the FIDO Alliance website. They’ve got a great primer at https://fidoalliance.org/passkeys/

No, really, what is a passkey?

So, what is a passkey? A passkey is a digital credential, like an electronic key in this case, tied to both a user account and a website or application. Users can authenticate without having to enter a username or password, or provide any additional authentication factor, because they have this key, which is entirely under their control and can’t be shared or stolen the way a password can. When a user is asked to sign in to an app or website (basically unlocking access with the key), the user approves the sign-in with the same biometric or PIN that the user has to unlock the device the passkey is stored on (whether that device is a phone, computer, or hardware key). It’s really just that easy to use. If my cats had phones, they could totally do this.

One of my favorite things about passkeys, when they comply with the FIDO standards that define them, is that they can’t be phished. Anyone spoofing an email, phone call, or SMS asking for your password or the code you received in a text message is out of luck. 

So now we have something that’s actually easier to use than a password, because we don’t have to type anything in, AND is more secure. So let’s talk about making the business case. 

Crafting Your Business Case

I’m going to suggest that to advocate for passwordless systems, you need to emphasize the benefits: enhanced security, potential cost savings, and a smoother user experience. What organization doesn’t find that attractive? I’m also going to go ahead and recognize that if you are working in a regulated industry like banking, a lot of this is already old news to you. Why? Because if you’re in the US, the Federal Trade Commission has required MFA since 2021 through its Standards for Safeguarding Customer Information. If you’re in the EU, you have similar requirements, not to mention the recommendations in eIDAS 2.0 and the NIS 2 directive.

But, for the rest of us, yay, let’s emphasize the benefits! But who are you emphasizing the benefits to? If you’re in the IT security department, you probably don’t need to be convinced. But there are a variety of other stakeholders in an organization that you can get on your side. If you’re in a big company, your HR, Legal, PR, and Finance departments might have a thing or two to say about protecting the company’s reputation by avoiding being lit on fire in the news because of a cybersecurity breach. They might also be really fond of having an argument for lowering the company’s tech insurance costs. And if you’re in a regulated industry like banking or healthcare, or are handling government contracts, then this is an obvious requirement to pass those audits. So, yep, lots of positive reasons to make these changes.

Whether your company is in the business of IT or not, better security is critical. If you have an Internet presence, if your employees log in to something to do their work, and especially if you have consumers, there are a lot of business cases you can make for moving away from a pure password model into something a bit more technologically sexy and secure.

Embracing Multi-Factor Authentication

Jumping straight to a passwordless world might be a bit too much to expect, and look a little too much like arcane magic to your executives. There are still things you can do to make your reliance on passwords a little less fraught with peril, and that’s requiring multi-factor authentication. MFA, which also encompasses two-factor authentication, requires at least two out of the following three things:

  • something you know
  • something you have
  • something you are

So, like a password, a physical token, or your biometrics. In some cases, you may want to require all three! It depends on what you’re trying to protect. 

More systems are ready to support MFA than are ready to support passkeys. One of your limiting factors in convincing your organization to support passkeys is that the software you use might not support them yet. OK, I get it, but if your software or services don’t support MFA yet, you really need to have some stern words with your vendors. 

There is a lot of information out there about best practices when it comes to how to deploy MFA. I want to highlight two articles from the IDPro Body of Knowledge that should be required reading in this space:

When your organization considers rolling out MFA or starts to evaluate MFA as part of their vendor evaluations, these articles will give you some really good things to think about when it comes to balancing what individuals need versus what’s the best shiny object for cybersecurity professionals, and what is best practice all around. Go read them.

Transition Strategies and Best Practices 

You’ve made the case. You’re going to start with pushing MFA as a little less scary, a little more supported. But maybe a few of your vendors or services are ready to dive straight into the passwordless universe. That’s brilliant! However, as much as I love MFA and passkeys, and I want you to get there, I’m telling you right now, don’t just throw your user base into this brave new world and think that’s going to work for you.

Start with pilot programs, evaluate feedback, and scale up. You’re going to need to convince some people that the magic of passkeys is really more secure. You’re going to need to get them to understand that yes, even though they are just a junior staffer in the PR department, using MFA on their account is important. You’ll need different arguments for different stakeholder groups, and that’s ok.

For your executives, cite successful case studies to demonstrate the effectiveness and compatibility of MFA or passkeys with existing systems. A basic Google search will net you several examples; if you’re using a vendor like Ping or Okta, they almost certainly have more. Your line managers might be more compelled if you pointed them to a thread on LinkedIn about “How do you train your employees to use multi-factor authentication securely and effectively?” where their peers talk about the benefits of MFA.

There are other organizations that are paving the way. Google Identity has some great developer documentation about passkeys. Okta has some pretty good stuff about MFA.

The Road Ahead

It’s going to take time for your organization to actually move, especially if you’re just starting to make the case for this change. This is good, because there is still one rather important kink to work out, and that’s account recovery. If, or more to the point, when, you lose your hardware token, phone, or whatever device you have your passkey on, you have a problem, and it’s not one a helpdesk can easily help you solve. 

At least at the moment, some of the best advice in high-security situations is that, to protect yourself against losing your hardware tokens, you should have more than one hardware token. Not the best model ever, to be honest. There are other points to consider as well, and for all of those fine points about account recovery, I’m going to point you right over to the article on Account Recovery by Dean Saxe over in the IDPro Body of Knowledge.

The journey to a passwordless future is ongoing. Stay informed about emerging technologies, educate your team, and be a proactive advocate for advanced security solutions in your organization.

Wrap Up 

There you have it: my thoughts on how you can and should advance towards a passwordless future while bolstering security with multi-factor authentication. This post is purely a place for you to start; it should inspire you to encourage change both in how you handle your own accounts and how you take action for organizational change. 

I love to receive comments and suggestions on how to improve my posts! Feel free to comment here, on social media, or whatever platform you’re using to read my posts! And if you have questions, go check out Heatherbot and chat with AI-me.

Heather Flanagan

Principal, Spherical Cow Consulting; Founder, The Writer's Comfort Zone; Translator of Geek to Human