Passwords have been used for many years to protect data and accounts. Despite being used for security purposes, using passwords is not always the best option. That is especially true when combatting cyber security threats. In fact, passwords can be seen as a weakness.

The Passwordless Authentication Path

Various risks come with the use of passwords. For example, users can forget about them. They are also easily compromised since many reuse passwords across different systems. Passwordless authentication is seen as a better alternative.

As the name suggests, password-free authentication includes the use of alternative authentication methods instead of relying on passwords. Common methods include the use of a secondary device or account for verification and biometric authentication.

Aside from reducing cyber security risks, going passwordless can help make reduce friction so that users will have a smoother experience. On the side of an institution, it helps reduce expenses. At the same time, it can help increase sales or the number of users.

Implementing Password-Free Authentication For Cyber Security

There are different ways of applying passwordless authentication. It is also more complex than one may think. Depending on what a company chooses, it may require having dedicated development resources for a long time.

Fortunately, working with a trusted service provider can help organizations skip some steps. In fact, with the help of a service provider, organizations can easily implement passwordless authentication for their users.

What Nok Nok Has Learned

The passwordless journey does not happen overnight. That is one of the main points Nok Nok has pointed out in its presentation at Authenticate 2021. The reasons for this include existing systems and processes being deeply rooted in security practices. It also takes a lot to develop behavior change, which is something necessary to fully adopt passwordless authentication. Additionally, the passwordless journey is typically included in a larger digital transformation.

Nok Nok also shared some of its experiences in applying password-free authentication in systems from different institutions. Based on the results of these partnerships, Nok Nok is proud to share that all companies have seen success.

Among the most notable statistics include the following:

• 10% improvement in onboarding success
• 50% reduction in onboarding time
• 6% increase in sign in success
• 78% increase in sign in speed

Going password-free comes with many benefits for both the institution and end-users. However, it is important to ensure proper implementation.

If you want to learn more about safer authentication techniques for better cyber security, contact us at Nok Nok.

Cybersecurity is one of the pressing issues that the United States is facing. Threats affect the government, organizations, institutions, and even individuals.

The Identity Theft Resource Center (ITRC) said there were 1,291 data breaches publicly reported in the U.S. from January to September 2021, affecting about 281 million individuals. In comparison, this total is 17% more than the recorded breaches during the same period in 2020.

Government Efforts: The Federal Zero Trust Strategy

To address this problem, the government looks for ways to improve cybersecurity. On January 26, 2022, the Federal Zero Trust Strategy was released. The Office of Management and Budget (OMB) published the strategy as Memorandum M-22-09. Moving the U.S. Government Toward Zero Trust Cybersecurity Principles.

This move aims to promote a better security approach through government-wide efforts, setting a new baseline in terms of access controls. An important point to highlight is the prioritization of using phishing-resistant multi-factor authentication (MFA). Additionally, there is also a need to consolidate identity systems for improved protection and monitoring.

Understanding the Strategy

At the core of the strategy are two main focuses — the vision and actions on identity.

Generally, staff members of government agencies have to use enterprise-managed identities to get access to applications used for work. Phishing-resistant multi-factor authentication must be in place to protect said personnel against more sophisticated cyberattacks.

Three actions must be taken.

First, the agencies should have centralized management systems for users. 

Second, they should use strong MFA throughout the organization. Specifically, all agency staff members, contractors, and partners have to use phishing-resistant MFA. Meanwhile, public users should be given this option. Furthermore, it should not be required to use special characters for passwords or have regular password rotation.

Third, agencies should consider having at least one device-level signal when giving users authority to access resources. This signal is additional security alongside identity information about the authenticated user.

The FIDO Standard

Through the announcement of the strategy, the federal government also encouraged using FIDO2 standards. Thus, further recognizing the FIDO Alliance’s efforts to promote the use of phishing-resistant multi-factor authentication and reduce people’s over-reliance on passwords.

The FIDO2 is FIDO Alliance’s newest set of specifications. It includes Web Authentication (WebAuthn) specification and Client-to-Authenticator Protocol (CTAP). Learn more about the FIDO2 Project here.

The U.S. Department of Homeland Security (DHS) Cybersecurity & Infrastructure Security Agency (CISA) recently released its updated multi-factor authentication (MFA) guide. In it, the CISA also flagged FIDO as the gold standard for MFA.

FIDO Alliance, an open industry association that aims to develop and promote authentication standards, welcomes this development. The update is aligned with FIDO’s mission of reducing the over-reliance of the world on passwords. With this and the new Federal Zero Trust Strategy, the U.S. government is seen to send a clear message that the use of FIDO standards is preferred.

Understanding MFA: What It Is

Authentication is one way of ensuring cybersecurity. It is the process of validating a person’s identity and credentials, ensuring that they are who they claim to be. To further strengthen security, multi-factor authentication was introduced. It is also known as two-factor authentication. 

As the name suggests, it includes a combination of authentication methods. For instance, a user wants to access their bank account online or through their bank’s mobile app. They will have to go through MFA, which uses knowledge, possession, or traits.

Having multiple steps makes it harder for hackers to crack, steal, or compromise accounts.

Enabling MFA

The CISA offers a detailed guide — from the planning to the execution phase. Organizations can use this to strengthen their authentication process. 

Its latest update on the MFA guidance, however, emphasized ways of enabling MFA. Among the different forms of authentication that the agency enumerated are text message (SMS), email, authenticator app, and push notification.

Additionally, the CISA mentioned the use of the FIDO key. 

Fast Identity Online (FIDO) refers to a set of standardized authentication protocols that can help ensure cybersecurity while reducing reliance on passwords. It is built into the major browsers and phones. Meanwhile, the FIDO key refers to a portable security key. It is a hardware device to be used as an additional authentication method as part of an MFA. You can think of it as an encrypted version of your house key. 

Using these security measures can help make it more difficult to access information. It is especially needed nowadays as passwords and usernames are often compromised by various attacks like phishing and more sophisticated password cracking techniques.

Furthermore, CISA recommended using multi-factor authentication on email accounts, financial services, social media accounts, online stores, and even on gaming and entertainment streaming services. The agency also encouraged consumers to request companies and organizations to enable MFA for better security. 

As technology advances, so does cyberattacks. Hackers find more sophisticated ways to overcome cybersecurity. To protect data and information systems, organizations use authentication.

What It Is

Generally, authentication refers to the process of recognizing user identity. It is often seen at the start of applications.

Different credentials may be involved. These can be categorized into three. 

The first one is knowledge. The application or system will ask for something the user knows. It can be a PIN or a password.

The second category is possession or something that the user has. It can be an authentication application or SMS-based one-time passcode (OTP).

The third type is traits. This one refers to something that verifies who the user is, such as a face scan or fingerprint. 

Different Authentication Methods

For cybersecurity, the best approach is to have multi-factor authentication or what some may know as two-factor authentication. However, only 2.3% of Twitter active users are using this method as reported in the social media company’s Account Security Report.

Among those who said they take advantage of two-factor authentication, 79.6% use SMS-based OTPs. The problem is that SMS is one of the least secure methods of authentication.

It is important to understand that not all multi-factor authentication systems are the same. Some utilize more secure methods than others. To better understand this, it is necessary to get to know some of the authentication methods often used in two-factor authentication.

• SMS-based OTPs: Having SMS-based authentication implements multi-factor authentication. However, it is seen as the least effective when it comes to preventing common cyberthreats and attacks, including SIM swap and phishing. It is also not the most convenient method.
• Authenticator Apps: The user installs an authenticator app, which continuously generates new codes to show proof that the user owns the device tied to their account. While it may be better than SMS, using authentication apps is still open to the risk of getting intercepted through phishing and advanced attacks. 
• Security Keys: These refer to physical authentication devices. The user will connect to their device through Bluetooth, NFC, or USB. The security key will serve as their proof of identity when trying to access an application or website. To ensure maximum protection, having security keys that are up to FIDO standards is the best option. 
• Biometrics: Biometrics refers to a trait unique to the authorized user. It can be a face scan or fingerprints. On-device biometrics that follows FIDO standards do not only offer convenience but also have phishing-resistant technology.

To further improve cybersecurity, organizations and service providers must offer simpler but better authentication options. Then, the next step is for them to convince their users and clients to enable two-factor authentication.