Picture this: you’re staring at your screen, trying to log in to your account, but you can’t recall the password. Was it the one with your birthdate? Or the one with some random combination of letters and numbers you scribbled on a note somewhere?
Well, the struggles of password-based authentication go way deeper than the mere inconvenience of remembering a few letters. The consequences of depending on passwords can be far more serious: think identity theft or, worse, financial loss. As per LastPass’s report, 81% of breaches are due to weak passwords.
As the threat of cybercrime increases, so does the demand for password-less authentication. In fact, the password-less authentication market value is expected to exceed 53 billion U.S. dollars by 2030.
To find out more about the rising demand for password-less authentication, Signeasy’s Senior Product Manager, Chitra Ghosh, sat down with the Director of Cybersecurity at EY, Soumya Tripathi. He has been working in cybersecurity for the past 16 years, gaining experience in various aspects of the domain.
His journey in cybersecurity began with classic vulnerability assessments and penetration testing exercises. Over the years, Soumya has gained expertise in security audits, the implementation of cybersecurity products (firewalls, IDS/IPS, SIEM tools), and strategic planning.
Soumya Tripathi and Chitra Ghosh engaged in a deep conversation and uncovered some great insights on secure password-less authentication.
Here are the juicy insights we got from their conversation 👇
Q: What are some of the risks organizations face with password-based authentication?
Soumya: Many cyberattacks happening nowadays are more because of privileged credentials. Once you get your hands on privileged credentials, you can access virtually any sensitive data.
In most of our vulnerability assessments, we’ve seen that with traditional authentication mechanisms, it’s easy for attackers to get passwords. We do see a lot of cases where credentials are shared among random people, leading to fraud and financial risks.
And we’ve also seen people using weak passwords that are easy to crack. Passwords such as a combination of social security numbers and birthdates are often found in data dumps.
Often, developers store and reuse passwords insecurely during the development process. Even organizations sometimes fail to configure their systems properly to enforce strong password policies.
Q: What is password-less authentication, and how is it different from password-based authentication?
Soumya: Password-less authentication verifies a user’s identity without using a traditional password. It can use various methods like biometrics, hardware tokens, facial recognition, and one-time passwords sent via SMS/email.
While OTPs are still passwords, they aren’t constant and keep changing with each login attempt. This makes them more secure than static passwords.
Soumya highlights several benefits of password-less authentication:
- It’s more convenient for the users. They don’t have to remember multiple complex passwords.
- It’s less prone to cyber-attacks because you’re not sharing credentials that can be hacked.
- Password-less authentication prevents users from reusing the same password across multiple accounts or making minor changes.
Many applications, especially in the banking and financial services sector, have already adopted password-less authentication like two-factor authentication (2FA) and biometrics. Modern smartphones also have facial recognition for device and app unlocking.
“While password-less authentications are becoming standard for personal devices, implementing them in an organizational setting needs careful planning and the right kind of Identity and Access Management (IAM) Strategy.”
Q: Which industries are adopting password-less authentication faster?
Soumya: The banking and financial industry is moving quickly towards password-less login methods. The obvious reason is that they deal with sensitive financial information and transactions.
A lot of tech companies are also pivoting toward passwordless mechanisms. Other sectors where passwordless authentication could be beneficial are shop floors in production lines or warehouses.
Take Amazon’s warehouses, for example, where employees are busy packing and sorting. Implementing passwordless authentication in such places would be convenient and secure, so workers don’t have to face the hassle of repeatedly typing in passwords to access a system or perform a task.
Q: What are some emerging trends and considerations in the identity and access management space?
Soumya: Password-less authentication is the future, but there are a few things to consider:
- Many password-less systems still store a password during the initial phase of registration. However, the goal should be to eliminate stored passwords completely.
- Legacy applications may still store passwords locally. So, detailed risk assessments are needed when implementing a password-less IAM strategy.
- A comprehensive IAM strategy covering the right policies, processes, and regulations is crucial, not just the implementation of technology.
- IAM systems must be resilient as the business completely depends on them for access.
- Biometric data needs to be protected as per data privacy regulations like GDPR.
Q: What’s your thought on document trust and how closely it is tied to regulations and compliance?
Soumya: With emerging technologies, we are shifting from physical signatures to digital signatures. With this, it’s becoming important to maintain the integrity and validity of digitally signed documents.
Digitally signed documents should be admissible in a court of law to ensure the document’s integrity. For example, 21 CFR (Code of Federal Regulations) guides how electronic and digital signatures can be used to ensure document validity.
Looking to the future, it’s clear that reviewing physically signed documents to determine their integrity can be time-consuming. Within a few years, governance bodies may mandate that all documents must be digitally signed for acceptance.
Q: Will passwords become obsolete in the future?
Soumya: Absolutely! Passwords should and will become a thing of the past. Currently, many Android devices and even Google allow passkeys for login. But even though users can authenticate without passwords, Google still stores user credentials in their system.
So, the industry should work towards a strategy that removes the need for password storage. The future is password-less authentication everywhere, without being stored anywhere. If needed, passwords will be generated on the fly, used, and discarded immediately.
Key Takeaways
This Q&A session with cybersecurity expert Soumya Tripathi has highlighted the growing importance of secure password management and password-less authentication. Let’s sum up this post with some key takeaways that came up during the conversation.
- Password-based authentication poses significant risks to organizations. These risks may include cyberattacks targeting privileged credentials, weak passwords, and insecure password storage practices.
- Password-less authentication methods such as OTP, hardware tokens, facial recognition, and biometrics offer a secure and convenient alternative.
- Organizations should implement a secure password management solution and an Identity and Access Management (IAM) strategy to store and manage passwords safely.
- Banking, financial services, and tech organizations are leading the adoption of password-less authentication.
- Digitally signed documents and document systems are becoming more crucial for maintaining document validity, integrity, and reliability.