Poor password hygiene remains a key security weakness for many businesses. Most employees know that a password should be long, complex, unique and never shared with anyone. Although this is simple in theory, in practice it is difficult to remember a new complex password for every application or system. For this reason, employees commonly re-use passwords, or opt for a simple, easy-to-remember one. This is worrying, as a single user with a weak or re-used password can be the entry point for a major cyberattack: one leaked credential can be tried against every other service where it was re-used.
The introduction of multi-factor authentication has greatly reduced this risk; however, it has come at the cost of convenience for users. Passwordless authentication aims to increase security further whilst providing a better user experience. In this article we will discuss the benefits, challenges and use cases for passwordless authentication.
What is Passwordless Authentication?
Passwordless authentication replaces the password with a credential that meets the bar of multi-factor authentication. The user proves their identity with something they have (a registered device or security key holding a private key), unlocked by something they are (biometrics) or something they know (a local PIN that never leaves the device). When the user requests access to an application or system, the service generates a fresh, random challenge; the device signs it with its private key, and the service verifies the signature against the public key it stored when the credential was registered. The user never types a password, and the service holds no password or other shared secret, so a breach of its user database yields nothing a cybercriminal can replay or phish.
Improved User Experience
If a cybercriminal obtains an employee’s password, they can use the compromised account to access company data or launch a further attack. With passwordless authentication there is no password to obtain: the private key stays in the device’s secure hardware (such as a TPM), and the biometric or PIN that unlocks it is checked locally and never sent to, or stored by, the service, so there is nothing to steal from the server side. Similarly, a phishing page cannot collect a password that does not exist, and a FIDO2 credential will not even respond to a look-alike site, because the signature is bound to the genuine login origin. The one caveat is push-based approval in an authenticator app, which a cybercriminal can still try to abuse by triggering prompts until the user taps approve; this is why the sign-in page displays a number that must be matched in the app.
Save Time and Money
IT teams spend a significant amount of time resetting employees’ forgotten passwords. With passwordless authentication there is no password to forget or reset. This allows IT teams to spend more time optimising the current use of technology within a business, and ensures that employees do not lose access to critical IT systems whilst working.
Ultimately, businesses will benefit from implementing a passwordless authentication solution; however, they may run into some challenges along the way. The main challenge is deployment: if a business lacks experience with the technology, or visibility of all the applications and services employees use, the rollout can become difficult and complex. Legacy applications that only understand a username and password are a common sticking point, as they must be brought behind Azure AD or retired before passwords can be switched off for an account. Using a trusted IT provider to deploy the solution addresses much of this. Some businesses may also find that no single method suits every employee; thankfully, Azure AD offers multiple passwordless options to cover a variety of use cases.
Windows Hello for Business
Windows Hello for Business replaces the password with a credential bound to the employee’s work device: a private key is generated in the device’s TPM at enrolment and is unlocked by a user gesture, either a PIN or a biometric. The two factors are the device itself (something you have) and the PIN or biometric (something you know or are). Biometric gestures use pre-existing hardware on the device, either a fingerprint scanner or facial recognition using the in-built camera. This is both more secure and more convenient than a traditional password: the PIN is local to that device and useless anywhere else, and the biometric only requires the user to touch a sensor or look into their camera. If a device has no fingerprint scanner or camera, the biometric gesture is unavailable, but the PIN still works, so Windows Hello for Business can be deployed to those devices too.
Microsoft Authenticator App
The Microsoft Authenticator app is another passwordless method that, like Windows Hello for Business, relies on a PIN or biometric, in this case the phone’s own. Users must have the Microsoft Authenticator app installed on their Android or iOS device and registered for phone sign-in. When the user reaches the login screen and enters their username, a push notification is sent to their phone; the sign-in page shows a number, and the user must select the matching number in the app and then confirm with the phone’s PIN or native biometric. The number match stops an attacker who has triggered the prompt from simply waiting for the user to tap approve. This method works particularly well for businesses that already use the app for multi-factor authentication.
FIDO2 Security Keys
FIDO2 security keys are physical devices that work similarly to a key for a car or house. They come in many form factors, including USB devices, NFC cards and Bluetooth devices. To sign in, the employee enters their username, connects or taps the key, and confirms with a touch plus a PIN (or a fingerprint on keys that support one); the key then signs the service’s challenge with a private key that never leaves it. Because the signature is bound to the genuine login origin, the key will not respond to a phishing site. This method is typically used by businesses that are particularly security sensitive, or that have employees who would rather not use biometrics or their phone for authentication.