Authentication has been a hot topic in IT security for years, because inadequate protection of business-critical accounts and applications poses considerable risk. The emergence of "passwordless authentication" has given the subject new impetus. But what does this mean in concrete terms, and how can companies position themselves to ensure strong authentication without a password?
A contribution by Jan Quack and Rolf Steinbrück, Senior Solution Engineers at Yubico
Fundamentally, it's important to note that password authentication is the least secure method of authentication. Passwords are easily obtained through phishing or stolen from compromised password databases; they're often easy to guess and frequently reused. As a result, 81% of all attacks on IT systems are carried out using stolen or guessed credentials. Passwords therefore pose a security risk, and on top of that, they're expensive. The main cost driver here is password management. A password reset, with help desk involvement, costs approximately $70 per case, which can add up to $1,000,000 per year for large organizations.
Modern, secure, user-friendly
So it's time to explore the concept of passwordless authentication. This approach is based on protocols that use strong asymmetric (private/public key) cryptography and thus, unlike passwords, do not require shared secrets. The key point is that the private key is stored securely in the cryptoprocessor of an authenticator, such as the YubiKey, and that use of this key is protected by a PIN or a biometric feature.
The most modern version of this type of authentication is FIDO2. This open authentication standard, consisting of the WebAuthn and CTAP2 protocols, offers not only a cryptographic foundation but also built-in protection against device cloning, man-in-the-middle, and phishing attacks – all while remaining extremely user-friendly.
Providers of various IT solutions have long recognized the strengths of FIDO2, so they have integrated support for FIDO2 into their current products. However, not all systems support FIDO2 yet. Nevertheless, the YubiKey can help here, as it is a multi-protocol key that supports all industry-relevant authentication protocols and can thus provide passwordless authentication, for example, as a smart card, bridging the gap between traditional and modern forms of authentication.
But what steps can be taken to make your organization ready for “passwordless”?
Figure caption: The measures for implementing passwordless authentication in the company
Can I handle this?
Before an organization begins setting up a project, it should ask itself: "Do I have enough internal resources to implement this, or do I need external support?" Of course, Yubico has highly trained partners who implement and manage such projects every day in large and small companies.
The foundation
Of course, a project like this also requires a discussion about the technology. Without the technical foundation—the identity and access management solution, the privileged user management system, the directory service, or the managed service provider—a strong and secure authentication solution will not be possible. But before tearing down everything existing and building from scratch, it is first necessary to analyze what the company already has in place.
Are you already partially or fully connected to Azure Active Directory and therefore passwordless (PWL) ready? Do you currently "only" have a local Active Directory, but still want to start with a smart card deployment? Or do you need another solution like Okta, Entrust, Ping, or OneLogin? The YubiKey, which works with over 700 certified solutions, can be integrated into the chosen technical platform in a flexible and future-proof way.
What do we actually want to do, how, with whom and where?
Once the goal of “passwordless authentication” has been set, some detailed questions need to be clarified:
- Which users are there and what are their risk profiles?
- Which devices do users work on?
- Where are the users and how do they get their YubiKey?
- When should passwordless authentication be used?
- Which subject areas are in scope?
- What is my communication strategy that explains the added value but also the changes?
- For example, how do I integrate an enrollment process into the HR department's onboarding of new employees, and a revocation process into its offboarding when employees leave the company?
- Is – and this is really important – the support organization involved and is there training to prepare the help desk for the upcoming changes?
Even though authentication with a YubiKey is really very easy, there will be questions, especially at the beginning. To handle this extra load, support must be involved early on.
Whether logistics, project management or technical expertise – Yubico and its partners support organizations with advice and assistance.
What is success?
The next step involves defining success criteria, which are then tested as part of a proof of concept. The PoC serves to test the overall strategy and assess its fundamental feasibility.
Let's go!
Launch one or more pilots and gradually roll out the solution to different user groups. It's important to plan early and communicate accordingly what changes are coming and how the new authentication process will work – from enrollment through the actual authentication step to revocation.
Now look closely…
Measuring and tracking – that's what's needed now. Record how many YubiKeys have been distributed and how many are actually enrolled or in use. How is the number of passwordless authentications changing compared to the "old" authentication method, and what's happening at the help desk? This data helps identify steps that can further improve the user experience.
Conclusion
At Yubico, we firmly believe that the future belongs to passwordless authentication. The IT security benefits are undeniable, and the usability is significantly better than passwords. With the YubiKey, companies can rely on secure hardware built specifically for authentication.
Source: yubico.com