Password breaches as a result of Covid-19 cyber attacks continue to strengthen the case for getting rid of passwords and adopting passwordless authentication across all types of transactions and settings.
Not that the case was ever weak. The World Economic Forum, for example, projected that password-related attacks would make up 80% of the cybercrime committed this year, or $2.3 million of the $2.9 million that cybercrime costs the global economy every minute. On top of that, password resets alone can cost a large company more than $1 million a year in IT staffing. Passwords are the most common point of attack in major breaches, as Shape Security's 2018 Credential Spill Report documents: 130 million malicious login attempts target passwords every day.
Covid-19 cyber attacks
Accordingly, the WEF has warned that cybercriminals are stepping up their activity during the coronavirus outbreak: near-total dependence on the internet and digital infrastructure, combined with widespread remote work, creates an ideal opportunity for online crime, and criminals are using COVID-19-themed information as the lure for their attacks.
This compounds the pressure the pandemic already puts on other areas of business operations: supply chains, safety at physical locations, continuity of workflows and business processes, and the health and performance of employees, most of whom are in no shape to juggle work stress and personal worries. All of these spell cost and potential revenue loss, or something far more dire: bankruptcy.
Going Passwordless
Faced with this scenario, going passwordless becomes an even more urgent contingency move: it protects data by replacing the password with stronger ways of verifying a user's identity at login and at other authentication points.
By adopting factors such as biometrics, behavior analytics, and device attributes, the easily breached and outmoded methods, passwords, usernames, and SMS codes, with their weak security and their exposure to credential compromise, can be retired for good.
Biometrics alone offers a number of choices already in production use: fingerprints, palm veins, iris and retina scans, and facial recognition.
Options for going passwordless
2-factor authentication (2FA)
This form of identity confirmation uses two elements drawn from two different categories among the following four (two elements from the same category, such as a password plus a security question, do not make a second factor):
- Something you know (knowledge): a PIN or password; a username is an identifier, not a secret, and adds no security on its own
- Something you have (possession): a token, USB key, magic link, or card
- Something you are (inherence): biometrics, e.g., fingerprint, voice, palm veins, or iris/retina patterns
- Somewhere you are (location): physical location, e.g., determined through GPS
Multifactor authentication (MFA)
MFA is identity verification using two or more of the categories above; 2FA is its minimum case, and with the four categories listed it can go as far as four-factor authentication.
Admittedly, a username and password still serve as one of the factors in many 2FA and MFA deployments, but given the current circumstances they are best dropped altogether in favor of the other categories.
Time
Time is often treated as a fifth category. It catches attacks by checking authentication events against employee work schedules, or against the minimum time it takes to move between two locations that both show up as points of activity. For example, the receptionist who badged in at the ground-floor entrance cannot be at the penthouse suite on the east wing of a thirty-story building in under three minutes, so a login from there within that window is suspect.
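The travel-time check described above, in its geographic form, as an added example that is not TraitWare's code: consecutive authentication events for the same user are compared, and any pair that would require moving faster than an assumed 900 km/h (roughly airliner speed) is flagged. The events, places and coordinates are constructed sample data; an in-building version would use badge-reader transit times instead of great-circle distance.

```python
# Added example (not TraitWare's code): an impossible-travel check over authentication events.
# Each event carries a place and GPS coordinates; consecutive events for the same user are
# compared, and any pair that would require moving faster than MAX_SPEED_KMH is flagged.
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0  # assumption: about airliner cruise speed; nothing legitimate moves faster
EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class AuthEvent:
    user: str
    time: datetime
    place: str
    lat: float
    lon: float


@dataclass(frozen=True)
class Alert:
    user: str
    from_place: str
    to_place: str
    km: float
    hours: float
    kmh: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh: float = MAX_SPEED_KMH) -> list:
    """Return one Alert per consecutive event pair (per user) that implies an implausible speed."""
    last = {}      # user -> most recent event seen
    alerts = []
    for ev in sorted(events, key=lambda e: (e.user, e.time)):
        prev = last.get(ev.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.time - prev.time).total_seconds() / 3600.0
            # Same place at any interval is fine; a different place with no elapsed time is infinite speed.
            if km > 0.0:
                kmh = float("inf") if hours <= 0.0 else km / hours
                if kmh > max_speed_kmh:
                    alerts.append(Alert(ev.user, prev.place, ev.place, km, hours, kmh))
        last[ev.user] = ev
    return alerts


def _t(h: int, m: int) -> datetime:
    # Constructed timestamps, all on the same day in UTC.
    return datetime(2020, 4, 1, h, m, tzinfo=timezone.utc)


# Constructed sample log: three users, one of whom "logs in" from New York 45 minutes after London.
SAMPLE_EVENTS = [
    AuthEvent("alice", _t(9, 0), "London", 51.5074, -0.1278),
    AuthEvent("alice", _t(9, 45), "New York", 40.7128, -74.0060),
    AuthEvent("bob", _t(9, 0), "London", 51.5074, -0.1278),
    AuthEvent("bob", _t(12, 0), "Paris", 48.8566, 2.3522),
    AuthEvent("carol", _t(9, 0), "London", 51.5074, -0.1278),
    AuthEvent("carol", _t(9, 0), "London", 51.5074, -0.1278),
]

if __name__ == "__main__":
    for a in impossible_travel(SAMPLE_EVENTS):
        print(f"{a.user}: {a.from_place} -> {a.to_place}, {a.km:.0f} km in {a.hours:.2f} h "
              f"({a.kmh:.0f} km/h) exceeds {MAX_SPEED_KMH:.0f} km/h")
```

Only alice is flagged: London to New York is about 5,570 km, which in 45 minutes implies over 7,000 km/h, while bob's London to Paris trip in three hours is an ordinary train ride and carol's repeated login from the same place is ignored. The threshold is a policy choice; a stricter one (say, 300 km/h for a workforce that does not fly) catches more, at the cost of VPN exit-node and mobile-carrier geolocation noise.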
How to successfully deploy passwordless authentication
To deploy passwordless authentication across an entire company, businesses have to be able to:
(1) completely remove passwords and credential-based solutions and
(2) integrate the passwordless strategy with all interfaces and systems.
In practice that integration is done through the standard federation protocols, Security Assertion Markup Language (SAML) and OpenID Connect (OIDC), so that every application consuming the identity provider's assertions inherits the passwordless login rather than keeping a password path of its own.
There are five key areas where companies could start implementing passwordless technology:
- VPN and remote access, removing static credentials
- IT help desk and support, eliminating password resets and account lockouts
- Remote desktop and virtual desktop infrastructure (VDI)
- Customer identity and access management
- Critical applications
By going passwordless across the board, companies reduce their exposure to data breaches. And because password maintenance is costly (the $5.2 million lost to delays caused by resets, plus the $1 million or more spent on IT staff dedicated to password resets), they also cut the business costs of both password management and the breaches that passwords enable.
Make your move now.
As has been proven time and again, now, not later, is the best time to strengthen your security. Explore TraitWare's enterprise solutions.