It’s no secret that passwords are often breached, stolen, guessed, reused and simply forgotten. While they’re still the most common form of authentication for companies worldwide to control access to their systems and applications, passwordless access can improve security over the traditional username/password model by removing the human factor from the authentication process. In this article we’ll discuss the fundamentals of passwordless access, how it works, and the steps involved in implementing it.
How Does It Work?
Passwordless authentication has been devised to remove the human element from verifying a user’s identity and access rights within an organization’s systems or applications. It doesn’t replace passwords entirely but reduces reliance on them for validation in different ways, which are discussed in more detail below.
While not a new concept, this emerging authentication method has been enjoying increased popularity in the media lately, thanks to several large-scale data breaches that have fueled concerns about compromised passwords and shared secrets. Passwordless access seeks to address this by focusing on alternate verification factors such as information contained within a person’s cellphone or a one-time code.
Why Passwordless Access is Important for SMBs
Many small and mid-size businesses (SMBs) are still relying on password-based authentication to control access to their company data, applications and other business systems. Strong authentication practices are still lacking in over 75% of SMBs, according to a recent study by Ponemon. While it’s often assumed that smaller organizations are more at risk for breaches with less security infrastructure in place, the reality is that passwordless access can be just as beneficial for these companies without requiring additional expense or complicated implementations.
SMBs are subject to the same data breach risks as their larger counterparts. This isn’t surprising considering they are increasingly targeted by cybercriminals for the valuable data stored on their systems. Passwordless access can help reduce the risk of compromised credentials and stolen information, simply by removing the password from the authentication process altogether.
Implementing Passwordless Authentication: Steps Involved
There are a few different ways to implement passwordless authentication within your business:
1. Implement App-Based Authentication (Google Authenticator, Duo Mobile)
App-based authentication usually requires a user to input their passcode alongside their username and password in order to gain access. In the case of Google Authenticator or Duo Mobile, the app generates a passcode that changes every 30 seconds, which is then presented to the authentication server along with the password. This approach is regarded as the simplest and most effective way to implement passwordless access.
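The 30-second rotating passcode above is the TOTP scheme of RFC 6238 (built on the HOTP scheme of RFC 4226). The following is an added example, not code from this page or from Google or Duo, showing both sides: what the app computes, and how a server should check it (clock-drift window, constant-time comparison, and rejection of an already-used code). The secret is the RFC 6238 reference test secret, base32-encoded as an enrollment QR code would carry it.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # the 30-second rotation described in the text
DIGITS = 6

# RFC 6238 reference secret ("12345678901234567890"), base32-encoded the way
# an enrollment QR code would carry it. Constructed test value, not a real key.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, for_time: Optional[float] = None) -> str:
    """What the authenticator app displays: the HOTP of the current 30-second step."""
    secret = base64.b32decode(secret_b32.upper())
    t = time.time() if for_time is None else for_time
    return hotp(secret, int(t) // STEP_SECONDS)


def verify_totp(secret_b32: str, submitted: str, last_used_counter: int = -1,
                for_time: Optional[float] = None, window: int = 1) -> Optional[int]:
    """Server-side check. Returns the matched time-step counter, or None.

    Accepts +/- `window` steps of clock drift, compares in constant time so a
    timing difference does not reveal how many digits matched, and refuses any
    counter the server has already accepted (each code is single-use)."""
    if len(submitted) != DIGITS or not submitted.isascii():
        return None
    secret = base64.b32decode(secret_b32.upper())
    t = time.time() if for_time is None else for_time
    counter = int(t) // STEP_SECONDS
    matched = None
    for delta in range(-window, window + 1):
        c = counter + delta
        if hmac.compare_digest(hotp(secret, c), submitted) and c > last_used_counter:
            matched = c
    return matched


if __name__ == "__main__":
    print("current code for the demo secret:", totp(DEMO_SECRET_B32))
```

A real deployment stores `last_used_counter` per user so that a code captured in transit cannot be replayed inside its validity window.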
2. Use an SMS Passcode (e.g., Authy)
Implementing SMS-based authentication is very similar to app-based authentication, but instead of using a separate app, the same one is used for both the password and code generation/sending. In order to implement it you’ll need to assign an additional phone number that the user will use to receive authentication codes. The good thing is that any mobile phone can be used (with or without an app), but this approach has its disadvantages. For example, there are numerous reports of SMS being intercepted by cybercriminals, so security-conscious SMBs should consider using physical tokens for extra protection against man-in-the-middle attacks.
3. Use Hardware Tokens (e.g., Yubico)
Hardware tokens are physical devices that generate the passcode necessary for authentication. The most common type of token is a USB key: the user inserts it into their computer’s USB port, enters the login credentials and authenticates with a tap on the device. This approach is very secure, as the key never leaves its owner, but it also means that only one device can be used for authentication. Companies like Yubico or Feitian offer a variety of tokens (differing by form factor and security capabilities) to suit different needs.
4. Implement Combined Hardware+SMS Authentication (e.g., RSA SecurID, SafeNet Authentication Service)
This authentication method combines the highest level of security with ease of use. The user gets a hardware token (e.g., a YubiKey) and an SMS passcode delivered to their mobile device (and to their machine, if necessary). This approach provides superior protection against phishing or man-in-the-middle attacks, but it is also more expensive, as it requires a separate mobile number and hardware token for every user.
5. Use Biometric Authentication (e.g., Apple TouchID, Windows Hello)
Biometric authentication uses the distinguishing biological traits unique to each person as a credential during the authentication process. In most cases these traits are fingerprints, face, or iris, but there is a lot of research going into utilizing palm prints, heart rate, and even smell as a unique identifier. Biometric authentication was once considered insecure, as it was thought that the human body could not be used for secure purposes due to its ability to be hacked. However, modern security processes ensure that the biometric data used for authentication is heavily protected.
Passwordless authentication is quickly becoming an industry standard for securing online accounts. You can choose one of the listed options or implement a combination of multiple methods (a custom solution) to ensure that your data is secure and no longer dependent on password-based authentication.
Sunvera Software develops next-level software applications from start-to-finish. We are a premier software and mobile app development agency specializing in healthcare mobile app development, custom mobile app development, telehealth software, sales dashboards, custom mobile app development services, retail software development, supply-chain software, ecommerce, shopify, web design, iBeacon apps, security solutions and unified access software.
We are proud partners with Amazon AWS, Microsoft Azure and Google Cloud.
Schedule a free 30-minute call with us to discuss your business, or you can give us a call at (949) 284-6300.