This year, as many of us who would more usually be office-based are working from home, password management is more important than ever. But many of us are still not very good at setting high quality, secure passwords.
The problem is simply down to human nature – we’re just not attuned to remembering complex strings of apparently random numbers, letters, and other characters, and while we might be able to remember a couple of these, our limit is low. Yet according to password manager NordPass, the average person has 70-80 passwords.
The UK’s National Cyber Security Centre has researched passwords already known to hackers and found that the most frequently used password was “123456”. Other common passwords include “123456789”, “qwerty”, common first names, Premier League football team names, musicians and well-known fictional characters. All are eminently guessable, but none, perhaps, as guessable as another common password on the list: “password”.
Meanwhile, DataProt suggests that 51% of people use the same passwords for work and for personal accounts, and other studies put that number even higher. Clearly, this creates a vulnerability for businesses, and one that bad actors are only too happy to exploit.
The growing popularity of MFA
Any organisation that’s serious about data security should be considering adding multifactor authentication (MFA) to its password management technology. MFA is widely referred to as a ‘second line of defence’ in password management. Instead of relying on just one alphanumeric string, a second ‘factor’ is added. Anyone who does online banking on their laptop, for example, will be familiar with MFA: they log in using a mix of a password (something you know) and a code sent, most usually, to a mobile phone (something you have).
Popular though this kind of MFA is, it still relies on a password and so potentially falls foul of the wider issues with passwords, and there is no escaping that it is rather cumbersome and far from foolproof. If the user has left their token or mobile somewhere, they can’t log in. If there are network problems, they won’t receive the code they need by SMS.
A far better solution for the end-user is biometric passwordless authentication. This is also the preferable choice for businesses, delivering significant productivity and cost-saving benefits and greater security and reliability.
Passwordless authentication on Microsoft Azure AD
Let’s look specifically at how passwordless authentication works with Microsoft’s enterprise cloud-based identity and access management solution, Azure Active Directory (Azure AD).
Azure AD supports three different passwordless authentication methods:
Windows Hello for Business
This method of passwordless authentication from Microsoft involves eight steps of verification between the Cloud AP provider and Azure to ensure that login is valid and verified. The end-user isn’t aware of these steps as the verification process is almost instant, so it is user-friendly.
Windows Hello is ideal for workers who have their own Windows-based computers because it is tied to a specific instance of Windows. However, organisations with a hot-desking policy can’t take advantage of it, as Windows Hello is based on tying one user to one computer.
Microsoft Authenticator App
The Microsoft Authenticator App turns a user’s smartphone into a strong passwordless authenticator, and it is the phone that then provides access to a computer. It is not unlike more standard two-factor authentication methods in that it requires a username and then a second factor (fingerprint, Face ID or PIN), but it has the added security feature that the individual user must be identified so that Azure AD can find and verify the specific instance of the Microsoft Authenticator App being used.
The Microsoft Authenticator App is a secure passwordless authentication system only if the smartphone itself is strongly protected: if the second factor (fingerprint, Face ID or PIN) is not enforced on the device, access to Azure AD can’t be secured.
FIDO2 Security Keys
FIDO2 (Fast IDentity Online) is a technical standard that provides secure login via a device that attaches to a computer using a range of interface types, either physical (USB-A or USB-C, for example) or wireless (such as NFC or Bluetooth).
Crucially, FIDO2 users don’t need to remember any passwords: the login credentials are stored on the device. The device itself is secure and un-phishable, and a biometric such as a fingerprint, or a PIN, is required before the device can be used for login. Administrators can manage users at the top level, remotely adding and removing individuals or changing employment status and security access levels. This makes FIDO2 a very good fit for the current prevalence of remote working.
Analyst Gartner has predicted that by 2022 passwordless login will be adopted by 60% of large and global enterprises and 90% of midsize enterprises in more than 50% of use cases.
If your organisation is considering implementing FIDO to increase security, SecureDrives has its own Microsoft Verified FIDO2 security key and authentication device called ThinC-Auth. To learn more about it, or find out more about going passwordless on Azure AD, speak to us today.