Passwordless: Elimination of passwords
Passwords are no longer the most secure or effective way to protect access to our systems. Today, passwordless is a more effective way to secure identities and access:
Passwords are expensive and vulnerable to breaches
- Password reuse across multiple accounts: 63% of workers admit to reusing passwords
- Passwords are the weak link: 80% of breaches leveraged passwords
- Data breaches are expensive: $3.86 million is the average cost of a data breach
- Passwords generate tons of support calls: 30-50% of help desk calls are related to password resets
Attacks and security breaches that stem from the misuse of passwords
- Brute force
- Password spraying
Passwords are becoming a relic of the past. The use of passwords leaves us increasingly vulnerable as we become more predictable in generating them. Trying to combat this with requirements for stronger complexity and frequent updates makes it harder to be productive, drives up already-high costs in password maintenance and support, and still isn't enough to keep up with current cybersecurity threats. (Microsoft)
The solution: Move on to Passwordless
What is Passwordless Authentication?
Passwordless is a disruptive authentication method in which a user can log in to a computer system, service, or application without entering (and having to remember) a password or any other knowledge-based secret.
- Something you have [Windows 10 device, phone, security key] + something you are [biometric] or something you know [PIN]
- Authentication based on a public/private key pair
- Private keys are securely stored on the device [PC, mobile application, FIDO2 key]
- Private keys are tied to a device and are never shared
- A local gesture [PIN, biometrics] is required to unlock the private key
Windows Hello for Business
Windows Hello gives users a personal, secured experience where the device is authenticated based on their presence. Users can log in with a look or a touch, with no need for a password. Windows Hello leverages biometric authentication through fingerprints or facial recognition and is more secure, more personal, and more convenient.
User friendly and privacy protecting
- Passwordless: uses biometric authentication or a PIN
- Single Sign-on with Windows apps
- Biometric data never leaves the device
- Strong two-factor authentication
- Asymmetric key pair authentication model
- Can be deployed in cloud, hybrid, or on-premises environments
- Key or certificate-based options
FIDO2 Security Keys
FIDO2-compliant security keys are cryptographic credentials in a variety of form factors, including USB keys or NFC-enabled smartcards. They can be protected with a second factor such as a fingerprint (integrated into the security key) or a device PIN to be entered at sign in.
- Authentication based on hardware [portable]
- Microsoft-compatible security devices
- Sign in using FIDO2 [biometrics, PIN, and NFC]
- Recommended for shared-PC scenarios or when a mobile device is not a viable option [examples: help desk personnel, public kiosks, hospital teams, bank tellers]
- Recommended for privileged and critical identities: Azure AD Global Administrator, Security Administrators, CEO, CISO, others
- Cross-platform when used as a smart card [on-premises services required]
Different options according to your organization's specific scenario
Microsoft Authenticator is a free mobile app on iOS and Android that can replace or augment passwords with push notification approvals, one-time passcodes, and additional verification of a biometric gesture on the device or the device PIN.
- Authentication based on software
- Standards-based MFA
- Supports TOTP, Push Approvals, Biometrics + Number Match
- Sign in using a mobile device with fingerprint scan, facial or iris recognition, or PIN
- Applicable for accessing work or personal applications on the web from any device.
- Users can sign in on any platform or browser: they receive a notification on their phone, match the number displayed on the screen to the one on their phone, and then confirm with their biometric (touch or face) or PIN
Temporary Access Pass (TAP)
TAP is not a general authentication feature! TAP is a mechanism meant to be coupled with corporate processes that meet risk tolerances for the organization, in exceptional cases such as account recovery and remote onboarding.
- Scoped to specific users and groups
- Configurable duration and start time
- One-time use or multi-use
- Satisfies the MFA requirement
Extended identity capabilities with E-Visor Teams App
E-Visor Teams App complements the passwordless strategy by presenting to end users, managers, and the IT department the MFA configuration status, sign-in information filtered by risk events, failed logins, location, devices, identity and much more, as well as self-protect actions.
Simplified end user Multi-factor Authentication and Self-Service Password Reset (SSPR) management
- Reduce the complexity of accessing Microsoft 365 information spread across multiple sites, reducing costs
- Reduce user re-education as Microsoft portals add or remove information and capabilities and change URLs
- Simplified user experience, presenting multiple technologies and workloads with the same look and feel
- Reduce time and create awareness
- Mitigate phishing attacks
- Reduce troubleshooting and support time
- Reduce organization cost
- Empower end users to strengthen their security posture
The four steps to effectively implement passwordless
Synergy Advisors is ready to support your organization in its journey to establish a passwordless strategy effectively and make a smooth transition, while boosting productivity and cybersecurity in your organization.
Download the e-book of the passwordless strategy here.
Contact us below and receive a free demo of secure authentication solutions and a free consulting session about how to start establishing a passwordless strategy in your organization.