Passwordless Authentication

Integrated Solutions and Microsoft are on a journey to get rid of passwords. Why? Simple. All users, including IT administrators, hate passwords. They are hard to remember, they are hard to get right, and they are used for everything. Hackers, however, love passwords. A 2017 Verizon study showed that 81% of data breaches involved a weak, default, or stolen password. Hackers have lists of stolen passwords and are trying them against our accounts every single day. This is why passwordless authentication can help so many businesses.

Multi-Factor Authentication (MFA) is a great security challenge to add on top of passwords. However, MFA presents another layer of inconvenience for users to navigate, and it is still susceptible to man-in-the-middle and phishing attacks.

So, if passwords on their own offer low security, and passwords AND multi-factor authentication offer high security but low convenience, then the challenge is to achieve high security and high convenience. The solution is passwordless authentication.

What is Passwordless Authentication?

You have probably already been using passwordless authentication without realising it. Modern devices use it to unlock, for example when you use your fingerprint or your face to unlock your phone. Passwordless authentication relies on a simple and common architecture: public key technology. Each endpoint (laptops, desktops and mobile devices) has a unique private key (bound to a single device and never shared) that is protected by a local gesture (e.g., a biometric such as face recognition or fingerprint, or a PIN), and that private key is paired with a public key that is registered in Microsoft’s Azure AD.

How Does Passwordless Authentication Work?

Once passwordless authentication is set up on your device, the user authentication process is:

  1. The user performs the gesture to log in to the device
  2. The cloud (e.g. Azure) then sends a signal to the device
  3. The device accepts the signal and signs it using the private key, with the biometric gesture authorising the signing
  4. The cloud service verifies the signed signal against the registered public key and authenticates the user
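
The four steps above as a runnable Go sketch, added here as an illustration and not taken from Integrated Solutions or Microsoft. It assumes Ed25519 as the signature scheme, models the local gesture as a boolean, and uses hypothetical names (Account, Enroll, Challenge, Sign, Verify).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

type Account struct { // cloud-side record for one user (hypothetical type)
	pub     ed25519.PublicKey // registered at enrollment; no secret is stored
	pending []byte            // outstanding challenge, nil when none
}

// Enroll creates the device key pair and registers only the public half.
func Enroll() (ed25519.PrivateKey, *Account, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return priv, &Account{pub: pub}, nil
}

// Challenge issues a fresh random value for the device to sign (step 2).
func (a *Account) Challenge() (nonce []byte, err error) {
	a.pending = make([]byte, 32)
	if _, err = rand.Read(a.pending); err != nil {
		a.pending = nil // fail closed: no weak challenge stays pending
	}
	return a.pending, err
}

// Sign runs on the device; the key is used only after the gesture (steps 1, 3).
func Sign(priv ed25519.PrivateKey, gestureOK bool, challenge []byte) []byte {
	if !gestureOK {
		return nil // key stays locked, nothing is signed
	}
	return ed25519.Sign(priv, challenge)
}

// Verify checks the response against the registered public key (step 4).
func (a *Account) Verify(sig []byte) bool {
	defer func() { a.pending = nil }() // single use: a replayed response fails
	return a.pending != nil && ed25519.Verify(a.pub, a.pending, sig)
}

func main() {
	priv, acct, _ := Enroll() // errors ignored only in this demo
	ch, _ := acct.Challenge()
	fmt.Println("login:", acct.Verify(Sign(priv, true, ch)))
}
```

Because the service stores only a public key and each challenge is random and single use, a stolen server database or a captured response gives an attacker nothing to replay.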

Advantages of Passwordless Authentication

The biggest advantage of passwordless authentication is that it makes it incredibly easy for users to log into their devices and services legitimately, whilst enabling strong security measures. Passwords also do not need to be changed as frequently, which reduces the need to remember countless passwords and, in turn, the need to engage the IT Service Desk to reset forgotten passwords.

With the rapid change of technology, if the technology is not made convenient, simple, or secure, user acceptance and compliance become challenging. Passwords are quickly becoming a relic of the past. At Integrated Solutions, we can help our partners achieve the seamless balance between security and convenience.