In the past, the traditional forms of digital security consisted of a single password for authentication. While convenient in that single passwords are easy to implement and verify, this system was also vulnerable and even inconvenient in other ways. Those vulnerabilities are becoming more apparent as companies move to cloud-based computing and applications, but fortunately, there is a solution like passwordless authentication.

The Password Problems

First, there is the issue with passwords themselves. The weakest security protocol right now is a single-password system because it means that stealing or guessing a password, complete access to data, or complete control of an account is a given. One workaround is to use “strong” passwords that are long, random strings of alphanumeric characters, making them hard for users to remember. So some, due to “password fatigue,” ignore this guidance for convenience. The other solution is to have many passwords to handle different aspects of a system, but due to the number and complexity of passwords, this often requires a passkey manager, which adds an extra layer of interference.

This has resulted in predictable ways to steal passwords. 80% of the data breaches that occur are usually the result of either “phishing,” which tricks users into volunteering passwords through fake emails, phone calls, or other forms of social engineering, or man-in-the-middle attack, which involves spying on a user and monitoring their access activities to steal passwords when they type them in.

The Passkey Arrives For Passwordless Authentication

The passkey concept is a comparatively new idea in digital security, but it brings a lot of promise for passwordless authentication. It is a feature being implemented by companies like Apple, Google, and Microsoft in collaboration with the FIDO alliance that creates strong, cryptographic keys generated for you for easy passwordless authentication. Users that find apps that accept passkeys can have passkeys created for every username or account. That passkey is automatically entered with just one touch, similar to the autofill or auto-correct functions for text entry.

The system even allows people to log in to other devices that don’t have a user’s account or passkey system present. All it takes is activating the passkey feature that then creates a QR code that a user’s phone scans so the passkey on the phone can verify and authenticate everything. It’s just one more way that security is working on more durable systems that can eliminate phishing and man-in-the-middle attacks while making passwordless authentication simple and easy for people to use. If you’re interested in using the FIDO protocol and moving to a password-free system, read here to learn more.

Through its own primary research, Nok Nok has been aware that limited business data exists about the state of today’s system-level authentication processes and its relation to the business impact of authentication failures. As the first initiative of its kind to address this gap, the Ponemon Institute, working with Nok Nok, launched an industry survey of businesses with current digital transformation projects underway.

The key finding of this Ponemon Study is that there exists a gap between IT security and line of business managers in understanding the various risks and impacts facing their organizations from authentication failures. 

Learn The Costs Of Authentication

This is one of the major takeaways from a study called “The Costs of Authentication Failure and Negligence,” conducted last summer by the Ponemon Institute for Nok Nok. According to this research where more than 1,000 corporate participants were interviewed,  it’s not just a customer inconvenience that arises from authentication failures. Organizations are spending on average $3M annually on these failures and the maximum single loss ranges from $39M to $42M. 

These losses include costs associated with downtime and business disruptions while security teams resolved various issues, loss of customers and the lingering effects of poor brand perception. On a corporate scale, the severity of system-level failures grows enormously. It’s one thing if one customer can’t remember a password, but quite another thing if many can’t. Similarly, one person with a seized account or data held for ransom is bad, but an entire organization is catastrophic. The most common reason for these breaches is authentication failures, such as clients taking their business elsewhere due to being unable to remember password guidance or simply being unwilling to comply and going to an organization that offers more convenient but less secure protocols.

This masterclass is hosted by Nok Nok and presented by various experts in the industry, including:

Larry Ponemon, Founder & Chair Ponemon Institute

Phil Dunkelberger, President & CEO, Nok Nok Labs

Jim Delli Santi, VP Marketing & Strategic Initiatives, Nok Nok Labs

Close to half of those surveyed agreed that authentication failures represent a significant security challenge for their companies, and preventing these failures is difficult because today’s MFA solutions negatively impact user experience. And sadly, more than 60% of the respondents detect more than ten monthly authentication failures, with an average downtime experienced by the respondents with these failures is about six hours a month. 

There are several reasons for authentication failures, according to the survey respondents. 

First, criminals using stolen credentials are hard to identify and distinguish from actual employees. Only 13% of the respondents said that it was either easy or not difficult to find the miscreants. About a third of the respondents say their companies have good visibility into credential theft attacks. The survey considered thefts of the user’s actual password rather than random guesses, using that account to make fraudulent purchases or other transactions, and steal confidential data. 

Second, only 19% feel that they have a high level of control over their authentication processes. Next, a total of 33% think that more than half of these failures remain undetected, and two-thirds claimed that the frequency (and 55% for the severity) of these failures has increased in the past year. 

Sign up for the masterclass to gain even more valuable insights about the costs of authentication failures. If you’re interested in learning about the FIDO protocol and moving to a password-free system, read here to learn more.

Apple, the ever-popular alternative to PC-based systems, has announced a slew of new features for its latest operating system update, macOS Ventura. The newest upgrade expands the convenience and functionality of Mac computers for users and introduces many more ways to secure data and devices with passwordless authentication.

Multi-Task Management

For users that need to hop back and forth between different windows on different applications and software, “Stage Manager” is one of the tweaks that can help users to stay focused and on track. Now the primary software being used is displayed as a centralized window, but others that are also “in play” at the moment appear as secondary windows on the side for easier access.

Mail has also been overhauled, with a big upgrade to organization and search features. Email contacts, mail itself, or even specific attached documents or photos can be easily retrieved now. Users can even set reminders to reply to or revisit certain emails within a specified period.

Device Interconnectivity

The new OS is also specifically designed to recognize the presence of an iPhone, even wirelessly. “Camera Continuity” is a new feature that allows macOS Ventura to use an iPhone as a web camera and can connect wirelessly to these devices for use. Users can mount their iPhones on their computer or continue to go handheld as they prefer, with smart features that can dim light or accentuate facial features.

Cybersecurity With Passwordless Authentication

Perhaps most importantly, macOS Ventura has new security features that make device usage safer than ever. Safari browser users can now enjoy a passwordless authentication feature called “passkeys.” Passkeys are digital keys that remain local to a specific device. These passkeys can only be unlocked through different passwordless authentication features based on user availability or preference.

Apple already has different forms of passwordless authentication for users to employ based on biometrics. So whether it is Touch ID or Face ID, users don’t have to worry about memorizing a long, difficult string of random alphanumerics. iCloud Keychain allows this same security to sync across devices like a Mac, iPhone, iPad, or Apple TV, with end-to-end encryption. This security even extends to other non-Apple websites, apps, or even non-Apple devices using an iPhone. 

These steps bring Apple users one step closer to an even safer digital experience that strongly repels attempts at identity theft without requiring inconvenient steps or measures to be taken. If you’re interested in using the FIDO protocol and moving to a passwordless authentication system, read here to learn more.

Biometrics is a form of password-free authentication that, instead of relying on typing out a memorized word or phrase, uses unique personal characteristics to confirm identities, such as the face, the voice, or even a fingerprint such as a thumb. Biometrics have slowly integrated into financial transactions, and a new study indicates that this trend is set to grow explosively.

Biometric Banking

According to Juniper Research, financial transactions through biometric authentications are set to exceed one trillion dollars by 2027. When it comes to remote payments, especially through mobile devices, PIN numbers and passwords are still dominant; with biometrics slowly integrating into mobile devices like smartphones and tablets, the current transaction amount is estimated to be approximately $332 billion.

This means that if the Juniper Research estimates are correct, remote payments through the use of biometrics are expected to rise by about 365% within the next five years.

Growth By Necessity

There are several reasons that this growth in biometrics is occurring. The chief driver is convenience. Biometrics is fast and easy. It doesn’t require a person to memorize a long string of random alphanumeric characters just to have a “strong” password. That ease is being capitalized on by large technology companies, such as Apple, that incorporate biometrics into financial software such as Apple Pay, making it an easily accessible, easy-to-use payment alternative for Apple users.

The other factor is government intervention. The European Union, for example, has a “Second Payment Services Directive” (PSD2) that is putting a renewed emphasis on cybersecurity. Strong Customer Authentication, or SCA, is a part of this directive, and that also means multi-factor authentication that doesn’t rely solely on a password for access. Biometrics is an important component in meeting these standards.

Another factor contributing to the wider implementation of biometrics is FIDO, or the Fast Identity Online alliance. Formed in 2013, this alliance of industry experts is committed to reducing the reliance on passwords and promoting a standardized protocol.

FIDO recently got a shot in the arm with an official announcement from major tech companies Microsoft, Apple, and Google, all announcing broad support for FIDO standards, with an intention to make them more widespread in technology. That initiative is going into deployment as quickly as next year and will continue to become more widespread.

Biometrics is a fast, secure, and more convenient way to authenticate without using passwords. If you’re interested in using the FIDO protocol and moving to a passwordless authentication system, read here to learn more.

Personal finances are more accessible than they’ve ever been. The average consumer has now gone from being limited to using a bank branch when it’s open, to using automated teller machines 24/7 at specific locations, or accessing bank accounts at home on a computer or on the go with a mobile device such as a phone or tablet. However, ensuring that a customer’s money is safe has required more stringent security measures. This is where things can get complicated unless better, more convenient measures like modern biometric authentication are implemented.

Protecting Money

Accessing bank accounts in the past required visiting a bank branch and filling out forms while presenting bank books and other documents that verified identity. However, in the digital world, the mainstay for accessing personal finances has been the password. According to PYMNTS.com, 64% of people who access their financial data do so using a traditional username/password combination at least once a month.

Unfortunately, passwords can be an extremely weak form of security, depending on the individual choice. Through ignorance or neglect, some people choose passwords that are easy to guess, leaving their financial data vulnerable to unauthorized access. The solution is to use a “strong password” and username, which typically consists of long strings of random alphanumeric combinations to make guessing impossible. Unfortunately, this also makes the passwords extremely difficult to remember, making this method incredibly inconvenient.

Making Things Easier

This is where FIDO biometric authentication methods can have a huge impact. According to PYMNTS.com, over 60% of consumers surveyed are willing to try a system other than traditional username/password mechanics. This jumps to over 73% for consumers who access online financial services across multiple mobile devices.

Biometric authentication, rather than memorization of a username and password, uses the individual’s unique characteristics that can’t be exploited through guessing. Those characteristics may be the face, fingerprints, voice identification, or other factors. However, the key feature is that a face can’t be “guessed.” Just because a thief may know what a person looks like, that knowledge doesn’t help them access a system that requires a person’s face. When combined with other mechanisms, such as USB encrypted keys, or multiple forms of biometric confirmation, this can form a multifactor authentication system that is faster than inputting a username and password and more convenient since it doesn’t require memorization.

As more and more people move to a model of accessing data across multiple platforms and devices, better, faster, stronger security systems are needed.

If you’re interested in using the FIDO protocol and moving to a passwordless authentication system, read here to learn more.

Certain types of software are ubiquitous. Microsoft Windows is found on millions of computers worldwide, while Google Chrome is the preferred default search engine for many people. The Java programming language is another such digital tool that has been widely used in everything from mobile software to web-based applications and even middleware that many businesses rely on. Unfortunately, this very ubiquity with software can work against itself in some cases, and cyber security is one of them. A major vulnerability has been discovered in the Log4J logging utility, a favorite of Java developers.

What Is Log4J?

The Log4J utility is one of the most popular developer tools in the Java software world. It is a Java-based, open-source logging utility. It can be programmed to track and report “events,” such as errors so that developers can monitor and eventually address flaws in software. Because of its ease and usefulness, the Log4J utility has been embedded in a huge range of different software, especially for the hundreds of millions of mobile devices in which this embedded software is present.

Unfortunately, a vulnerability has been found in the Log4J utility and because Log4J is so ubiquitous, this has created a severe cybersecurity threat.

Significant Loss Of Control In Cyber Security

The Log4Shell vulnerability has been given a common vulnerability score of 10, which is the most severe designation in terms of threat. Specific examples of exploitation with this cyber security vulnerability include DDOS attacks, remote seizure, control and execution of applications, auctioning access to corporate networks to the highest criminal bidder, and even partitioning of digital resources in a network for the mining of cryptocurrency.

Why It Happens

The Log4Shell vulnerability is the latest example of the struggle between cost and safety. The most cost-efficient approach in software is to use existing resources, sometimes even older ones, rather than internally creating a unique, bespoke solution. However, while this lowers costs, older applications and processes also tend to be more vulnerable compared to the newest application or tool, which, while more expensive, is also far more resistant. Every company wrestles with how much is too much to spend on security.

Now companies are scrambling to identify, address and patch this vulnerability, but it showcases the ongoing need to maintain modernized security measures. New software, new upgrades, and new user control systems such as passwordless identity and authentication reduce the chance of a critical vulnerability being found and exploited because modern passkeys offer phishing resistant, user-centric security.

If you’re interested in using the FIDO protocol and moving to a passwordless identity and authentication system, read here to learn more.

In recent years there has been a renewed interest in augmenting digital security. The use of biometrics and other forms of passwordless authentication are making great strides in helping end-users maintain a safer, more secure environment.

However, it’s not just the users that are crucial to maintaining a secure digital environment. Experts and other qualified digital security staff are essential, and this is becoming a serious problem in the United States.

Demand Outstrips Supply

The United States is currently estimated to have one million Americans working in the digital security field. However, there are also approximately 600,000 vacancies that require urgent filling, and over 500,000 of those are in the private sector alone. According to Forbes, 45% of companies with digital security teams report shortages that need qualified staff.

This can be viewed as a “seller’s market” for IT staff with security experience. The job demand is real, and companies must put in the work to appeal to security specialists and sway their decision to take a job and stay there. However, with so many shortages, there is already a domino effect at play.

Personnel Shortage Means Incomplete Work

Biometrics can only go so far. While a passwordless authentication system can make huge strides in protecting individual users, it should never be relied on as the sole security mechanism. Human expertise is still required, especially when integrating new security technologies into an existing framework.

This is where the shortage in qualified security personnel is at its most acute. Unless qualified personnel are present to work on systemic authentication issues or enterprise security problems within an organization, holistic solutions will not be delivered. In the realm of digital security, this means that system-wide vulnerabilities may go unaddressed due to a lack of skilled workers and their expertise, which together increase enterprise security risk. A lack of proper security staffing can result in a struggle to maintain compliance, with more vulnerabilities and systemic authentication failures that can slip past undetected.

People Matter to Security And Biometrics

It’s not just enough to want to maintain a secure business; there must be an investment in the people. Larger companies with the proper budgets must be willing to invest in a CISO but, more importantly, must be ready to support the needs of that CISO. If security isn’t working because the security staff isn’t getting the people and tools they need to do their work, it’s no surprise that their efforts fall short. Implementing effective and convenient security measures such as biometrics helps, but that’s only part of a coordinated effort.

If you’re interested in using the FIDO protocol and moving to a passwordless identity and authentication system, read here to learn more.