What is Real Passwordless MFA and Why is it Essential for Enterprise Security?
In light of the sharp rise in cyber attacks worldwide – from ransomware to phishing scams to man-in-the-middle attacks – we’ve been told by the likes of Microsoft, countless cybersecurity experts, and even the President of the United States, that it’s time to take cybersecurity seriously in every enterprise … that it’s time that we implement Zero Trust Architecture and Multi-Factor Authentication (MFA) to secure our company valuables – and protect our identities.
Yet, companies are still struggling with the adoption, implementation, and effective use of MFA.
So, today I want to talk about Real Passwordless MFA™. What makes it different from traditional MFA and why is it not only more secure, but EASIER?
About the Password
This year marks the 60th Anniversary of the Password – that pesky string of characters that continues, at least for the majority, to unlock our most precious digital assets and personal information. Copious data, recent news, and experience point to the dangers inherent in standard credential-based login. The password, we know, is the #1 threat behind security breaches (81% of them are password-based).
And so, THE PASSWORD MUST GO, AND THAT INCLUDES FOR MFA! In other words, the password should not be one of the factors of authentication.
Let’s look at some of the security risks that come with traditional MFA *
- Phishing – Phishing scams are one of the most common forms of hacking where the attacker impersonates a company or individual in an email, gets you to give up information or click on a link, and compromises an account. In this case, if you have opted for an email-based one-time passcode (OTP), it’s no different from a username and password.
- OTPs and SIM Card Hijacking – One-Time Passcodes are just another knowledge factor or a kind of password that can get into the wrong hands. Attackers use social engineering to identify the user and their carrier. Then, to intercept, they request a new SIM card, through which they can receive SMS-based OTPs with the code to access and take over the account. Take the recent attack on Twitter CEO. They eventually were able to hijack his SIM and take over his account.
- Man-in-the-middle attacks – With an insecure network router, hackers can intercept communications between networks as a user attempts login, and then receive the OTP intended for that user, resulting in unwanted access to the target site.
- Fake Push Notifications – If hackers get their hands on user credentials, they can send fake push notifications. Users very often grant access without much thought, often resulting in account takeover.
- *Just in case you’re thinking it’s not easy for attackers to bypass traditional MFA, or that only the most sophisticated hackers are gaining unwanted access, simply go to YouTube and enter ByPassMFA.
But what about Usability – Ease of Use, Adaptability, and Customer Satisfaction?
All these factors for usability are equally as important when selecting a solution. If it’s not simple to deploy and implement across the organization, there’s lost time and productivity. Most MFA solutions, especially those requiring passwords, add extra steps to the login process, and typically confuse, frustrate, and/or annoy the user. If it’s not adaptable to your current systems and applications, then it’s not going to work without a lot of pain. If the customer isn’t satisfied with the product, it’s not likely to be widely adopted across your user community. The bottom line here is that, despite all the noise about security these days, security is not the primary selling point. It Has to Be Simple.
Security Keys are another possible solution. They take away the threat of passwords and tie the MFA to the user who is requesting access, but there are both usability and security issues that come up with Keys.
Years ago, for example, RSA had to reissue security keys to all their SecureID customers due to a corporate breach and exposure of private key information. Think of the loss of productivity for those customers. Or, what if one simply lost the key? This would require cutting off access, ordering a new key, and going through the entire setup process again. Meanwhile, employees couldn’t access the resources they needed to work. Not only is it costly due to lost time, but the cost of tech support and key replacement is significant.
What’s more, keys are often left in their devices, which opens up another set of potential issues.
Why SSO should be part of your Cybersecurity toolkit
One of the myths we’ve busted in the past is that SSO is not as secure as having a separate login for your accounts. Especially in the enterprise, this is not true. We’ve established that usernames and passwords are the primary targets for hackers. Every time a user logs in to a new application, the credentials are vulnerable to attack (coupled with the known fact that most of us are reusing passwords). Single Sign-On (SSO) means fewer attack surfaces because users only need to log in once a day with one set of factors for authentication. With TraitWare, you never need a password, so that threat factor is eliminated.
If you agree with all the above, you’ve likely done some shopping for Passwordless Multi-Factor Authentication solutions already. After all, the evidence and recent news are real. Even the White House has issued an Executive order, specifying the use of MFA and Zero Trust.
But be careful of the often-confusing language you’re hearing from so-called passwordless providers.
Many biometrics-based vendors are claiming to provide “passwordless” MFA solutions, while they’re merely layering a passwordless option on top of a username-and-password-based system. Many of these solutions allow access to a workstation, app, or network by using a fingerprint, facial or eye scan, or voice recognition, but passwords likely only appear to be eliminated. In most cases, the user’s password still exists in a central repository and is required for authentication after the biometric scan, which means the account is still vulnerable to hackers. In other words, most “passwordless” solutions don’t actually improve security, they’re simply offering a slightly better user experience.
The bottom line is, if you are required to have a username and password AT ANY STAGE of the experience, you are NOT looking at a truly passwordless solution. And, if there is still a username and password behind your login, you still leave your accounts vulnerable to attack. If a bad actor gets ahold of your credentials, then they will likely be able to access everything. Your applications, your bank info … anything that has that password attached to it. Password reuse, as we all know, is the common practice, with roughly 70 percent of users using the same passwords (or easily guessed variations of them) across personal and business accounts.
Real Passwordless MFA is here now.
You may be thinking, with all that, it’s too difficult, too costly, and too time-consuming to move to a truly passwordless MFA solution. Is there an affordable, cost-effective, truly secure, and simple solution out there?
TraitWare® provides Real Passwordless MFA plus Single Sign-On (SSO) for True Zero Trust Access™. Simple Secure Login in Three Touches. TraitWare does what most MFA solutions don’t: It enables MFA right from account creation. MFA is built-in to the technology and verifies user identity without a password, leveraging the biometric reader of a mobile device the user already carries (no expensive hardware or Keys to purchase), as well as opaque behavioral biometrics in real-time. Ultimately, TraitWare ties the USER to the login, providing higher levels of authentication assurance through Real Passwordless MFA™ built with True Zero Trust Architecture.
Setup usually takes less than a day and onboarding is friction-free. Unlike most MFA solutions, TraitWare has made it super simple for administrators to add, upgrade, modify access for, or eliminate a user in a few clicks. And because the MFA is inherent, the user can seamlessly enroll, authenticate, and log in with just three touches.
All of this is particularly important for the enterprise during our “New Normal,” as employees work from anywhere. Applications and other valuable company resources are increasingly accessed via the cloud, and with personal devices (including phones, tablets, laptops, etc.) and must be secured remotely.
OH, and with TraitWare, there is NEVER A PASSWORD REQUIRED. EVER.
To read more from us or keep up to date on the latest news, please peruse our blog pages or subscribe to our mailing list. We’d love to keep in touch.
We promise it’ll be worth your while.
– Team TraitWare