For as long as we can remember a password has been required to protect personal information. Over the years requirements for these passwords changed, you had to have capital, funny characters, and even length requirements!
After a while that just wasn’t enough and we started adding MFA authentication apps and tokens to the mix… But in the end most people reuse the same password across many environments. And to be honest, having to create a password that’s 12 characters long, has capitals, special characters, cannot be one of the previous 12 passwords every 90 days kind of encourages that behavior.
What is this… Password-less working you speak of?
As it stands today there are several ways of working without a password. Simply put, you’re using something else (or a combination of factors) to authenticate. It could be a bio-metrical item (fingerprint or face recognition), a PIN code, or an authentication app.
Password-less is a new way of thinking that has evolved over the years. When it comes to practical applications, you should consider combining multiple factors to increase security.
Password-less phone sign-in
Using an app on your phone increases the account security by sending a code, phone call or push notification. I would highly recommend not using text messaging (SMS) or phone calls as an authentication factor, as there are many known events of these being intercepted. The most secure way here is to have an authentication app on the phone, and having the phone managed by your company.
Hello for Business
If you use Windows 10, and have a compatible webcam, Windows Hello for Business is a game-changer. This technology allows you to use facial recognition as a sign-in factor. Additionally you have the opportunity to add trusted signals to the mix (think the proximity of a smart phone) to create a seamless second factor in the sign-in process.
FIDO Security keys
FIDO isn’t your neighbors aggressive poodle, rather it stands for Fast IDentity Online. Microsoft announced support for FIDO2 security keys in Azure AD back in July 2019. FIDO security keys allow you to carry your digital identity with you And in 2020, this technology is going in to public preview under the name of Security keys. These keys will be available for purchase from different vendors, and generally require something like a fingerprint to unlock your digital identity.
So what does this mean for my security posture as an organization?
Passwords are weak. Passphrases are better. But both still suffer that they in most cases, they can be easily guessed by attackers. Studies show that if you have MFA enabled, attackers are extremely likely to move on to easier prey.
Going password-less makes it easier for your end-users to authenticate in a secure manner, causing a decrease in security risks. So be more secure, go password-less!