Password Reset: Exploring Bold Alternatives to Access Business Assets

Since its inception, the Internet has brokered trillions of dollars in information, connections, and trade. As COVID-19 pushed the world into lockdown, businesses scrambled a response by transitioning to digital-first operations and prioritizing productivity. The rapid, imposed adoption of remote working left the field open for malicious actors, resulting in a calamitous rise in cybercrime, ransomware attacks, and data theft.

Of the four pillars of The Art of Smart, innovation holds the key to addressing cyber vulnerability, which has quickly emerged as one of the largest threats to businesses in 2021. The World Economic Forum (WEF) Global Risks Report 2020 forecasts that cybercrime will cost the world US$10.5 trillion annually by 2025. Follow the trail that led to a security breach, and more often than not, poor password hygiene shows up as the cause. The WEF estimates that 80 percent of data hacks happened because of weak or compromised credentials.

As the global digital transformation of private and public services continues en masse, businesses need accurate, secure authentication for their employees. The continued reliance on passwords as the primary source of identity and access management (IAM) creates fragility in the system. Larry Ponemon, the Chairman and Founder of the Ponemon Institute, a leading cybersecurity research organization, says: “A large percentage of attacks could be mitigated completely by alternative measures such as biometrics and educating employees about these new technologies.”

 Technology offers one part of the solution. The other is design thinking – making security integral to the employee experience.

IAM is rapidly evolving from something we know, such as passwords and PINs, to something we have, such as system key fobs. Also evolving are security methods using biometrics such as thumbprints, and facial and voice recognition. With each evolution, the solution providers reduce friction, i.e., the number of steps employees need to take, when managing access. 

Empowering employees with frictionless authentication

Such a tacked-on approach increases friction for employees trying to access company resources. Complexity in IAM only increases blindspots and vulnerabilities and causes employees to sidestep good security practices.

A study compiled by identity management and authentication expert Steve Brasen, Managing Research Director at Enterprise Management Associates (EMA), a US-based IT consulting firm, shows that policy violations and breach events were reduced when organizations used lower-friction IAM solutions.

He observes: “Though it sounds counterintuitive, the reasoning goes back to why passwords fail: when employees can access their work with fewer steps, they are more likely to champion cybersecurity and follow policy.”

Among the various methods of authentication, passwords and PINs continue to be the most utilized. Over the last year, as businesses combat increasingly complex attacks, their use as a single source for authentication has been in sharp decline.

For example, since Google introduced security keys internally, the company claims there haven’t been any successful phishing attacks against their employees. Aetna, an American insurer, saw a 98.4 percent decrease in account-takeover frauds by moving to biometric-based authentication. EMA reports that biometrics and hardware tokens are seen as the most secure methods. They also provided the biggest boost to productivity.

Intelligent authentication is contextual

In moving away from a password-based approach, businesses must focus on contextual and continuous identity management. “There is only one me, but I can be in different places,” says Adrian Asher, Chief Information Security Officer of Checkout.com, a global payment platform.

Adaptive measures can layer security based on the level of risk posed by the user, where they are, the software running in the background, and the data they are trying to access. For example, an employee marking their time off does not require the same security level as someone trying to access company financials or user data. Likewise, contextual systems understand that the accounts team accessing company financials is less risky than someone in customer service or HR. Similarly, if the Chief Financial Officer is accessing data from their office computer, several layers of security are unnecessary. However, the alarm may be raised if they look to access the sensitive data from a public WiFi network at the local coffee shop.

 “Companies can begin by understanding what their most important assets are and choose verification methods accordingly,” Brasen suggests. Through contextual authentication, organizations can prioritize data security of assets at a granular level rather than the one-size-fits-all approach the industry has relied on so far.

“Most authentication is geared around session establishment,” Asher adds. “It needs to be ongoing.” Here, innovators are experimenting with behavioral analytics for authentication by continually assessing user patterns in the background. These include how a user holds their device, how quickly they typically type, the finger pressure while swiping, scrolling patterns and even gait.

Behavioral IAM has a distinct advantage over the currently available methods. Since they are passive and frictionless, they do not impede the users’ time or require technical know-how. Users may never have to see a login page, as digital trust is established behind the scenes. In the event of subtle anomalies and deviations, the system can invoke an additional layer, allowing for unintrusive, always-on verification. The opportunity for such behavioral authentication is only just kicking off. Among recent examples is the Italian wearables startup Deed. Their wristband provides contactless payment using continuous biometric verification through gesture recognition.

Studying contextual awareness in IAM, Brasen found that organizations using behavioral biometric solutions reported far fewer breach events and incidents of unauthorized users accessing business applications decreased by 74 percent.

However, at this time, biometrics and behavioral authentication are far from widespread in application. Their adoption has been hampered by upfront cost implications and privacy concerns. In the event of a data breach, a password is easily changed. On the other hand, stolen authentication such as a fingerprint or eye scan is much harder to fix. As businesses consider the move away from passwords these concerns will need addressing. Technology alone is never going to solve ever-evolving threats in a digital-first world. Multi-factor authentication with passphrases and soft tokens are going to be the reality for a while. For many businesses that would be a significant improvement over the current situation.

As businesses shift into a new era of work, however, a fundamental redesign of cybersecurity is needed. Such a culture shift must emphasize technology that works intuitively with people. By innovating solutions around sound design principles, continuous and contextual passwordless authentication is the first step to making the Internet safer.

Source: Passwordless Authentication: Bridging the Gap Between High-Security and Low-Friction Identity Management, An Enterprise Management Associates Research Report