In the ongoing battle against attackers, security vendors are having to come up with stronger ways to secure our online identities and keep the bad guys away from the crown jewels.
Passwordless authentication is a genuine shift in how accounts are secured, moving away from password-based logins to methods such as FIDO2 security keys, passkeys and platform authenticators. Because the credential is bound to the site it was registered with and the private key is never sent to the server, it cannot be phished or replayed the way a password can. By eliminating passwords, organisations can significantly reduce the breaches that start with weak, reused or stolen credentials.
But here's a thought...
How many people and companies are actually using these capabilities?
My gut feeling is not many (happy to be proven wrong), and here's why.
Learning
Introducing a new technology requires a training programme across the business, not only to teach employees how it works but also to get their buy-in. Let's be honest, how many non-IT people really like having to learn new-fangled systems just so they can do their day job?
I'll wait......
still waiting.......
Architecture
Going passwordless requires a significant amount of architectural input, both to design the future state and to recommend migration methods with minimal service impact. That takes time and resources!
Implementation Costs
The existing environment, the number of employees and where they are located all affect the cost of migrating to a new authentication solution.
Does everyone have a mobile phone? If the phone is the authenticator, you are also relying on the user keeping it updated and not losing it.
If you're moving to FIDO2 keys, you'll really need two per person (a primary and a backup, both registered on day one, because a single lost key means a locked-out user), and they're not super cheap.
Ongoing Support
Have you covered off every likely failure mode? IT systems have a habit of throwing a curveball when you least expect it.
You'll need a way for an end user to log in when they've lost their hardware token or mobile phone.
How will you verify they are who they say they are? A helpdesk reset that only asks for an employee number and a date of birth is exactly the path a social engineer will take.
Do you still want to keep multi-factor authentication as a fallback? Does that defeat the point of moving to passwordless? A fallback is only as strong as its weakest path: if a phishable password plus one-time code is still accepted, an attacker simply targets that route instead of the FIDO2 key.
So what's the best option?
My personal view is that it's down to the company's risk appetite. If they're being continuously hit by successful phishing attacks, are there other areas that can be addressed in the short term that are quicker and cheaper to minimise those threats? Some examples may include:
Email security configuration (SPF, DKIM and DMARC with an enforcing policy, so spoofed mail from your own domain is rejected rather than merely monitored)
Identifying high-risk people within the business (finance, executives, admins) and focusing improvements on them first
Looking into better security awareness training
Password safes to prevent simple passwords being used or reused across online accounts
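The "email security configuration" item above mostly comes down to two DNS TXT records, SPF and DMARC, and both are easy to set in a way that looks done but protects nothing. The following checker is an added example (not from the original post or Security Ninja's own tooling): it parses a domain's SPF and DMARC records and flags the weak settings that still let spoofed mail through. The records are constructed inline for illustration rather than looked up; the rules applied (~all versus -all, p=none versus p=reject, pct, rua and the RFC 7208 ten-lookup limit) are standard.

```python
"""Flag weak SPF and DMARC settings. Added example; the records below are
constructed for illustration and are not real DNS lookups."""
import re

# Constructed sample records: a typical "monitoring only" set next to a hardened set.
WEAK_RECORDS = {
    "spf": "v=spf1 include:_spf.example-mailer.com ~all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}
HARDENED_RECORDS = {
    "spf": "v=spf1 include:_spf.example-mailer.com -all",
    "dmarc": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; rua=mailto:dmarc@example.com",
}

# SPF terms that cost a DNS lookup (RFC 7208 limits a record to 10 of them).
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a(:|/|$)|mx(:|/|$)|ptr|exists:|redirect=)")


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record: str) -> list[str]:
    """Return a list of findings for an SPF record (empty list means no weak setting)."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: no v=spf1 record, so receivers cannot tell who may send as this domain"]
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism; unlisted senders are treated as neutral")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"  # a bare 'all' means '+all'
        if qualifier in "+?":
            findings.append(f"SPF: '{last}' allows anyone to send as this domain")
        elif qualifier == "~":
            findings.append("SPF: '~all' (softfail) only marks spoofed mail; use '-all' to reject it")
    if sum(1 for t in terms if _LOOKUP_TERM.match(t.lower())) > 10:
        findings.append("SPF: more than 10 DNS-querying terms; receivers will return permerror")
    return findings


def check_dmarc(record: str) -> list[str]:
    """Return a list of findings for a DMARC record (empty list means no weak setting)."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: no v=DMARC1 record, so SPF/DKIM failures are never enforced"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine sends spoofed mail to junk rather than rejecting it")
    elif policy != "reject":
        findings.append(f"DMARC: missing or unrecognised policy '{policy}'")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so nobody receives the reports showing who is spoofing you")
    return findings


def evaluate(records: dict) -> list[str]:
    """Run both checks over a {'spf': ..., 'dmarc': ...} record set."""
    return check_spf(records["spf"]) + check_dmarc(records["dmarc"])


if __name__ == "__main__":
    for label, recs in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(f"{label}: {evaluate(recs) or ['no weak settings found']}")
```

Before flipping p=none to p=reject on a real domain, read the aggregate reports the rua= address has been collecting for a few weeks, otherwise the first thing you reject is your own marketing platform or ticketing system that nobody remembered sends mail as the company.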
Security isn't resolved by a shiny new product. It's a complex beast that requires in-depth discussions, reviews, audits and recommendations based on risk appetite.
Security Ninja has the experience to have those discussions and identify what's the best fit for your business, tailoring the right control measures rather than just the latest and greatest.