Forget Passwords

A guide to taking SMBs passwordless

By Brady Hicks

Today’s SMB (small to medium-sized business) faces no shortage of challenges. Whether the cause is pandemic fallout, supply chain shortages, economic downturn or poor decision-making, many companies have been left reeling in recent years. Factor in the ever-present threat of hackers and other malicious actors targeting one’s operations, and the risk of disaster only grows.

That’s right – ransomware, spyware and other sophisticated cyberattacks are no longer the exclusive problem of the “big guys.”

According to data presented by the U.S. Department of Homeland Security, an estimated 50 to 70 percent of all ransomware attacks are actually made against today’s SMB, which traditionally has fewer resources either to prevent or to absorb such a strike. And when cash flow, reputation and success hinge on preventing downtime, breaches of this kind can have devastating consequences.

Workplace Password Malpractice, % Saying ‘Yes’

Do you currently save work-related passwords in a document in the cloud? 49%
Do you currently save work-related passwords in a document on your desktop? 51%
Do you currently save work-related passwords on your phone? 55%
Have you ever shared a work-related password via text or email? 38%
Have you ever logged into an online account that belongs to your previous employer after you left? 32%
When creating a new password for a work account, have you ever used your company’s name? 37%
Does your company share passwords for accounts that are used by multiple people? 46%
Do you currently use the same password for personal accounts and work-related accounts? 44%
Do any work-related passwords have your significant other’s name or birthday in them? 34%
Do any work-related passwords have your child’s name or birthday in them? 31%

Source: Keeper Security; Pollfish

Companies need a plan that accounts for common mistakes such as credential sharing and poor password creation, problems the majority of SMBs do not have a handle on. For smaller organizations, the harsh reality is that nearly half of all workers choose their login credentials based on “personal information, meanings and memories,” per NordPass, while fewer than one-third create a unique password when setting or resetting their credentials. It is common for employees to reuse one login across multiple accounts, and password sharing among co-workers abounds. Meanwhile, according to LastPass, staff can spend as many as six hours per week verifying their identity or managing logins, and a single worker may juggle as many as 85 passwords.

The answer for many companies is to go completely, 100 percent passwordless.

What is Passwordless Authentication?

The notion of eliminating employee passwords is inspired by convenience as much as security. Generally speaking, passwordless authentication is any process that confirms a user’s identity without requiring a memorized secret such as a password; the user still presents a credential, but it is something they have (a phone or security key) or something they are (a fingerprint or face) rather than something they know. Smaller organizations are increasingly adopting the approach because it reduces or eliminates password theft, whether by phishing, reuse across sites or some other misuse.

Benefits of Passwordless Authentication for IT Infrastructure

Increasing security 69%
Eliminating risk 58%
Saving time 54%
Gaining more control and visibility 53%
Saving cost 48%
No benefit 3%

Benefits of Passwordless Authentication for Employees

Quicker authentication 65%
Fewer passwords to remember 57%
Convenient access from anywhere 53%
Streamlined access to multiple applications at once 52%
Not updating passwords as often 44%
Not worrying about password breaches 39%
No benefits 1%

Source: LastPass, LogMeIn Global Survey

Going completely passwordless means access is granted only after identity has been validated by some other factor, commonly as part of an MFA (multi-factor authentication) setup. As is often the case with trends in the tech industry, new identity-confirming techniques surface constantly.

The Push Notification System

Among the more common passwordless options, push-based authentication sends an approval prompt to a device the user has previously enrolled, typically through an authenticator app. If the user approves the prompt within a pre-set time window, identity is confirmed and access is granted to the requested files, software or systems. Like other non-password-based systems, push authentication can be employed either as a standalone option or as one of a series of verifying measures.

Unfortunately, as with any type of credentialing, push identity has been hit with some attacks. In particular, an attacker who can trigger logins for an account (with a stolen password, or with just a username where push is the only factor) can bombard the user with prompts in the hope that they approve one by mistake or simply to make the prompts stop. These potentially devastating strikes, which prey upon human error and what has been called “push fatigue,” have grown by as much as 70 percent in recent years, according to research done by Kaspersky Lab. Two practical countermeasures are number matching, where the user must type a code shown on the login screen into the prompt rather than just tapping approve, and rate limiting plus alerting on repeated prompts for the same account.
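Push bombing is easy to see in authentication logs: many prompts to one user in a short span, a string of denials and, in the worst case, a final approval. The Go program below is an added example, not part of this article or of any vendor’s product. It parses a constructed log in a hypothetical format (RFC 3339 timestamp, then user= and push= fields), flags users who received more than a chosen number of prompts inside a sliding window, and marks bursts that ended in an approval, the case that calls for incident response rather than a help-desk ticket.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Alert summarises one suspected push-bombing burst for a user.
type Alert struct {
	User     string
	Start    time.Time // first prompt of the burst
	Prompts  int       // prompts sent from Start onward
	Denials  int       // prompts the user explicitly denied
	Approved bool      // an approval inside the burst: treat as a probable compromise
}

type pushEvent struct {
	at           time.Time
	user, result string // result is sent, approved, denied or expired
}

// SampleLog is constructed for this example; the line format is hypothetical.
var SampleLog = []string{
	"2024-03-04T08:00:00Z user=carol push=sent ip=198.51.100.20",
	"2024-03-04T08:00:05Z user=carol push=approved",
	"2024-03-04T09:12:01Z user=alice push=sent ip=203.0.113.7",
	"2024-03-04T09:12:09Z user=alice push=denied",
	"2024-03-04T09:12:40Z user=alice push=sent ip=203.0.113.7",
	"2024-03-04T09:12:48Z user=alice push=denied",
	"2024-03-04T09:13:15Z user=alice push=sent ip=203.0.113.7",
	"2024-03-04T09:13:22Z user=alice push=denied",
	"2024-03-04T09:13:50Z user=alice push=sent ip=203.0.113.7",
	"2024-03-04T09:13:57Z user=alice push=approved",
}

// parseLine reads "<RFC3339 time> user=<name> push=<result> ..."; malformed
// lines return false (a production pipeline should count those, not drop them).
func parseLine(line string) (ev pushEvent, ok bool) {
	var err error
	ev.at, err = time.Parse(time.RFC3339, strings.SplitN(line, " ", 2)[0])
	for _, p := range strings.Fields(line) {
		if strings.HasPrefix(p, "user=") {
			ev.user = p[5:]
		} else if strings.HasPrefix(p, "push=") {
			ev.result = p[5:]
		}
	}
	return ev, err == nil && ev.user != "" && ev.result != ""
}

// DetectPushBombing flags any user sent more than maxPrompts prompts inside a
// sliding window, then folds every later event for that user into the alert.
func DetectPushBombing(lines []string, maxPrompts int, window time.Duration) []Alert {
	byUser := map[string][]pushEvent{}
	for _, l := range lines {
		if ev, ok := parseLine(l); ok {
			byUser[ev.user] = append(byUser[ev.user], ev)
		}
	}
	var alerts []Alert
	for user, evs := range byUser {
		sort.Slice(evs, func(i, j int) bool { return evs[i].at.Before(evs[j].at) })
		a := Alert{User: user}
		var win []time.Time // send times within `window` of the current prompt
		for _, ev := range evs {
			if ev.result == "sent" {
				win = append(win, ev.at)
				for ev.at.Sub(win[0]) > window {
					win = win[1:]
				}
				if len(win) > maxPrompts {
					a.Start = win[0]
					break
				}
			}
		}
		if a.Start.IsZero() {
			continue // no burst for this user
		}
		for _, ev := range evs {
			if !ev.at.Before(a.Start) {
				switch ev.result {
				case "sent":
					a.Prompts++
				case "denied":
					a.Denials++
				case "approved":
					a.Approved = true
				}
			}
		}
		alerts = append(alerts, a)
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].User < alerts[j].User })
	return alerts
}

func main() {
	fmt.Printf("%+v\n", DetectPushBombing(SampleLog, 3, 5*time.Minute))
}
```

With a threshold of three prompts in five minutes, alice’s burst is reported with four prompts, three denials and a final approval, while carol’s single approved prompt is not. Tune the threshold to what a legitimate user produces (retrying a flaky connection rarely exceeds two or three prompts), and route Approved=true alerts to the responder on duty, because at that point the account should be treated as taken over.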

The ‘Magic’ Link

This form of verification is similar to push notifications in that the user receives a time-sensitive URL with an embedded token, delivered via email or SMS text. In most cases, the employee is given the choice as to which interface the link is delivered, and an active session is opened in a separate browser window. Plus, because the link expires after a pre-set period, any later login attempt is thwarted.

Magic Links can similarly be exploited. They also rely on the 24×7 accessibility of technology, devices and accounts. Without access to all three, one cannot get in.
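What keeps a magic link from being forged, reused or used late is the server-side token check. The Go code below is an added example, not the article’s or any vendor’s implementation, of one common design: the token carries the user, an expiry and a random nonce, authenticated with an HMAC under a server-side secret; redemption checks the MAC before anything else (so forged tokens learn nothing), then the expiry, then a used-nonce store so each link works exactly once. The login URL and the secret are placeholders.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

var (
	ErrBadToken = errors.New("malformed or forged token")
	ErrExpired  = errors.New("token expired")
	ErrReplayed = errors.New("token already used")
	b64         = base64.RawURLEncoding
)

// MagicLinkIssuer mints and redeems single-use, time-limited login tokens.
// key is a server-side secret; used records redeemed nonces (an in-memory map
// here, a shared store in production); Now is injectable so expiry is testable.
type MagicLinkIssuer struct {
	key  []byte
	ttl  time.Duration
	used map[string]bool
	Now  func() time.Time
}

func NewMagicLinkIssuer(key []byte, ttl time.Duration) *MagicLinkIssuer {
	return &MagicLinkIssuer{key: key, ttl: ttl, used: map[string]bool{}, Now: time.Now}
}

func (m *MagicLinkIssuer) mac(body string) []byte {
	h := hmac.New(sha256.New, m.key)
	h.Write([]byte(body))
	return h.Sum(nil)
}

// Issue returns "b64(user).expiryUnix.b64(nonce).b64(hmac)", safe to embed in a URL.
func (m *MagicLinkIssuer) Issue(user string) (string, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	body := b64.EncodeToString([]byte(user)) + "." +
		strconv.FormatInt(m.Now().Add(m.ttl).Unix(), 10) + "." +
		b64.EncodeToString(nonce)
	return body + "." + b64.EncodeToString(m.mac(body)), nil
}

// Redeem checks the MAC first, then expiry, then single use, and returns the
// user the link was issued for.
func (m *MagicLinkIssuer) Redeem(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 4 {
		return "", ErrBadToken
	}
	body := strings.Join(parts[:3], ".")
	tag, err := b64.DecodeString(parts[3])
	if err != nil || !hmac.Equal(tag, m.mac(body)) { // constant-time compare
		return "", ErrBadToken
	}
	exp, err := strconv.ParseInt(parts[1], 10, 64)
	if err != nil {
		return "", ErrBadToken
	}
	if m.Now().Unix() > exp {
		return "", ErrExpired
	}
	if m.used[parts[2]] {
		return "", ErrReplayed
	}
	m.used[parts[2]] = true
	user, err := b64.DecodeString(parts[0])
	if err != nil {
		return "", ErrBadToken
	}
	return string(user), nil
}

func main() {
	m := NewMagicLinkIssuer([]byte("demo-only-secret-change-me"), 15*time.Minute)
	tok, _ := m.Issue("alice@example.com")
	fmt.Println("https://login.example.com/magic?token=" + tok) // hypothetical login URL
	user, err := m.Redeem(tok)
	fmt.Println("first click:", user, err)
	_, err = m.Redeem(tok)
	fmt.Println("second click:", err)
}
```

Two design points matter in practice: the nonce store must be shared across all servers that can redeem links, or a replay against a second instance succeeds; and e-mail security scanners often “click” links before the user does, so the endpoint that consumes the token should require an explicit user action (a POST from the landing page) rather than logging in on the first GET.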

The One-Time Password

This single-use credentialing method requires the input of a temporary, automatically generated code, either sent to one’s email or mobile device or produced by an authenticator app on the device itself. Most often, OTP is one factor in a more comprehensive MFA system, although it can also function in a standalone manner. Risk is limited but not zero: a compromised inbox or phone (or a SIM swap, for SMS codes) exposes delivered codes, and any OTP can be relayed in real time by a phishing page that forwards it to the genuine site before it expires.

Biometric Verification

Far less common, especially in a small business setting, is biometric authentication. This method assesses physical attributes of the user to ascertain their identity, typically distinguishing characteristics such as fingerprints, irises or facial geometry. The biggest benefit is that the traits are unique to the user and cannot be forgotten, written down or shared, which takes password theft and poor password judgment out of the picture.

Potential limitations relate to the technology’s accuracy (false accepts and false rejects), backend issues such as network and data breaches, other forms of fraud, sensor spoofing and the integrity of the stored biometric data. These are less common than a stolen password, but they carry a distinct downside: a leaked biometric template cannot be rotated the way a password can.

For many small businesses, sadly, employing across-the-board biometric verification can be a costly process: every user needs a device with a compatible sensor, and the biometric match itself typically happens on that device rather than in a cloud service, so what it really secures is access to the device or to an authenticator that then signs the user in elsewhere. Those favoring biometric and other passwordless systems, however, will readily point out that the cost is more than offset by the money saved in not having critical information stolen.

The Third-Party Login

Although not traditionally passwordless, third-party (federated) login is appealing to many smaller organizations because it removes the need to remember a separate password for each account: the user signs in once with an identity provider, which then vouches for them to other services. Companies such as Google began supporting this concept several years ago, citing the convenience of using just their own credentials to access many different third-party services.

Despite the comfort of being able to forget one’s passwords in this way, the practice has consequences. It concentrates risk: whoever controls the provider account controls every service behind it. On the heels of massive data breaches at companies such as Yahoo, LinkedIn and Facebook, with victims numbering in the millions and billions, third-party logins can be an ill-advised gamble unless the provider account itself is protected with strong, phishing-resistant authentication.

The FIDO Architecture

The concept behind Fast IDentity Online (FIDO) is a set of open authentication standards that let providers offer passwordless user authentication. These standards are the work of the FIDO Alliance, with contributions from Microsoft, Apple, Google and others.

FIDO lets the employee use a device much as they would a physical security card, bringing public key cryptography (PKC) and biometrics within commercial reach. A FIDO-based authenticator generates a key pair per service: the private key stays on the authenticator and the public key is shared with the service. At login the service sends a random challenge, the authenticator signs it (after a touch, PIN or biometric check) and the service verifies the signature with the stored public key. Because the signature is also bound to the web origin the browser reports, a look-alike phishing site cannot reuse it, and because the service holds only public keys, a breach of its database yields nothing a thief can log in with. Popular sites such as Google Accounts, Dropbox, GitHub and Twitter employ FIDO authentication for its advantages to business (protection), developer (streamlined APIs) and end user (convenience and security) alike.
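What separates FIDO from push, links and OTPs is that the server never holds a secret it could leak and the signature is bound to the site the browser is actually on. The Go program below is an added example modelled on the WebAuthn assertion flow; it is not the FIDO Alliance’s or any vendor’s code. A stand-in authenticator signs the server’s random challenge together with the origin the browser reports, and the relying party checks challenge, origin, RP ID hash, user-presence flag and signature against the stored public key. example.com and login-example.evil are placeholder names; attestation, credential IDs and the signature counter are left out for brevity. In a real browser the RP ID is also derived from the origin, so the phishing case would fail on the RP ID hash as well as on the origin check shown here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Authenticator stands in for a security key: the private key never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

// clientData mirrors WebAuthn clientDataJSON; the browser, not the page, fills in origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the browser returns to the site after a login ceremony.
type Assertion struct{ AuthData, ClientData, Signature []byte }

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: priv}, err
}

// Assert signs SHA-256(authenticatorData || SHA-256(clientDataJSON)), the WebAuthn
// layout, so the signature is bound to the challenge, the origin and the RP ID.
func (a *Authenticator) Assert(rpID, origin string, challenge []byte) (Assertion, error) {
	cd, err := json.Marshal(clientData{
		Type:      "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge),
		Origin:    origin,
	})
	if err != nil {
		return Assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 0) // flags=UP; 4-byte signature counter left at 0 here
	cdHash := sha256.Sum256(cd)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	return Assertion{AuthData: authData, ClientData: cd, Signature: sig}, err
}

// RelyingParty is the server: it stores only public keys and hands out
// one-time challenges that are consumed by the first verification attempt.
type RelyingParty struct {
	id, origin string
	creds      map[string]*ecdsa.PublicKey
	pending    map[string]string // user -> outstanding challenge (base64url)
}

var ErrRejected = errors.New("assertion rejected")

func NewRelyingParty(id, origin string) *RelyingParty {
	return &RelyingParty{id: id, origin: origin, creds: map[string]*ecdsa.PublicKey{}, pending: map[string]string{}}
}

func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = base64.RawURLEncoding.EncodeToString(c)
	return c, nil
}

func (rp *RelyingParty) Verify(user string, as Assertion) error {
	pub, expected := rp.creds[user], rp.pending[user]
	delete(rp.pending, user) // consumed whether or not this attempt succeeds
	if pub == nil || expected == "" {
		return fmt.Errorf("%w: unknown user or no outstanding challenge", ErrRejected)
	}
	var cd clientData
	if json.Unmarshal(as.ClientData, &cd) != nil || cd.Type != "webauthn.get" ||
		cd.Challenge != expected || cd.Origin != rp.origin {
		return fmt.Errorf("%w: client data, challenge or origin mismatch (origin=%q)", ErrRejected, cd.Origin)
	}
	rpHash := sha256.Sum256([]byte(rp.id))
	if len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(rpHash[:]) || as.AuthData[32]&0x01 == 0 {
		return fmt.Errorf("%w: RP ID hash or user-presence flag", ErrRejected)
	}
	cdHash := sha256.Sum256(as.ClientData)
	digest := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], as.Signature) {
		return fmt.Errorf("%w: bad signature", ErrRejected)
	}
	return nil
}

func main() {
	auth, _ := NewAuthenticator()
	rp := NewRelyingParty("example.com", "https://example.com") // hypothetical site
	rp.creds["alice"] = &auth.priv.PublicKey
	for _, origin := range []string{"https://example.com", "https://login-example.evil"} {
		ch, _ := rp.Challenge("alice")
		as, _ := auth.Assert("example.com", origin, ch)
		fmt.Println(origin, "->", rp.Verify("alice", as))
	}
}
```

The second iteration of the loop is the phishing case: the attacker’s page relays the genuine challenge, the user touches their key, and the resulting signature is perfectly valid, but it names the attacker’s origin, so the real site refuses it. Contrast that with an OTP, which the same relay would have accepted.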

So, how feasible is passwordless protection? The answer likely depends on the nature of one’s operations. Is sensitive information encrypted? Do employees have their own logins? Is the expenditure practical?

For some, the idea of going passwordless is a great, low-risk investment. These options generally work because they can be easily outsourced and implemented while requiring minimal backend understanding. More importantly, going passwordless limits dangerous exposure as a result of poor decisions or organizational policy.

And for the SMB, any opportunity to limit threat with minimal investment is a win-win.