Security experts have discussed the demise of the passwords for years. As early as 2004, Bill Gates told the RSA Security Conference that passwords “just don’t meet the challenge for anything you really want to secure.” Change has been slow, but the sudden increase in remote working and the need for enterprises to become touchless as they try to encourage teams back to the office is increasing traction. Here we look at the future of passwordless authentication - using the example of trusted digital identities - and share tips on choosing a solution that works for your organisation.

The move away from passwords was beginning to gain momentum pre-pandemic. Gartner reported an increase in clients asking for information on ‘passwordless’ solutions in 2019. Now Gartner predicts that 60% of large and global enterprises, and 90% of midsize enterprises, will put in place passwordless methods by 2022. This is up from 5% in 2018. The many limitations of passwords are well-documented, but the cost of data breaches may be the reason behind this sharp upswing. Stolen credentials – usually passwords – and phishing are the top two causes of data breaches according to the 2019 Verizon Data Breach Incident Report. Each breach costs businesses an average of anywhere between £4M to £8M depending on which studies you read.

A catalyst for change

As in so many other areas, the pandemic has been a catalyst for change. Newly remote workers using BYOD devices and home networks, sharing devices with other family members, and writing down passwords at home all make breaches more likely. And seasoned home workers represent a risk too. 

It also means that enterprises are developing new procedures to mitigate the spread of disease. This includes a thorough examination of any activity that requires workers to touch surfaces. Entering passwords on shared keyboards or touchscreens falls squarely in this area of risk. As does handling physical smart cards or key fobs. Enterprises are expanding their searches from “passwordless” to “passwordless and touchless,” looking to replace physical authenticators. In the quest to go touchless these are items that can be easily eliminated.

The future of passwordless authentication

Using fingerprint or facial recognition often only provides a new front-end way to activate passwords

Common alternatives to passwords are biometrics. But, using fingerprint or facial recognition often only provides a new front-end way to activate passwords. Passwords are still required for authentication after the biometric scan and these live in a central repository vulnerable to hackers. With one successful hack of the central repository, cyber-criminals can swipe thousands of details. In other words, biometrics on their own are not an improvement in security, only a better user experience. They need to be combined with a different approach that adds another layer of security.

A more secure option is to move away from the centralised credential repository to a decentralised model. For example, one based on trusted digital identities. This is where digital certificates are stored on users’ phones. Think of encrypted digital certificates as virtual passports or ID cards that live on a worker’s device. Because they are stored on many separate phones, you are able to build a highly secure decentralised credential infrastructure.

A solution that uses people’s phones is also compatible with touchless authentication systems. You can replace smart cards and key fobs with a phone-based security model and reduce the number of surfaces and items that people touch. This is especially beneficial for workplaces where people have to visit different sites, or for example in healthcare facilities. Replacing smartcards with a phone in a pocket reduces the number of items that clinicians need to take out and use a smartcard between and in different areas, which may have different contamination levels or disease control procedures.

How do trusted digital identities work?  

Workers unlock their mobile devices and access their trusted identity using fingerprint or facial recognition

Here’s an example installation. You install a unique digital certificate on each user’s mobile device — this is their personal virtual ID card. Authorised users register themselves on their phones using automated onboarding tools. Workers unlock their mobile devices and access their trusted identity using fingerprint or facial recognition. Once they are authenticated, their device connects to their work computer via Bluetooth and automatically gives them access to the network and their applications with single sign on (SSO). This continues while their phone is in Bluetooth range of their workstation, a distance set by IT. When they leave their desk with their phone, they go out of range and they are automatically logged out of everything.

Five tips on choosing a passwordless solution

  • More automation means less disruption

Consider how you can predict and eliminate unnecessary changeover disruptions. The task of onboarding large or widely dispersed employee populations can be a serious roadblock for many enterprises. Look for a solution that automates this process as much as possible.

  • Scalability and your digital roadmap

Will you maintain remote working? Having a high proportion of your team working remotely means that passwordless solutions will become more of a necessity. Are you expecting to grow or to add new cloud apps and broader connectivity with outside ecosystems? If so, you need password authentication that will scale easily.

  • Encryption needs and regulatory requirements

If your workers are accessing or sharing highly sensitive information or conducting high-value transactions, check that a solution meets all necessary regulatory requirements. The most secure passwordless platforms are from vendors whose solutions are approved for use by government authorities and are FIDO2-compliant.

  • Prioritise decentralization

Common hacker strategies like credential stuffing and exploitation of re-used credentials rely on stealing centralised repositories of password and log-in data. If you decentralise your credentials, then these strategies aren’t viable. Make sure that your passwordless solution goes beyond the front-end, or the initial user log-in and gets rid of your central password repository entirely.

  • Make it about productivity too

Look for a solution that offers single sign on to streamline login processes and simplify omnichannel workflows. For workers, this means less friction, for the enterprise, it means optimal productivity.

Security improvements, productivity gains and user goodwill all combine to form a compelling case for going passwordless. The additional consideration of mitigating disease transmission and bringing peace of mind to employees only strengthens the passwordless argument. The new end goal is to do more than simply replace the passwords with another authenticator. Ideally, enterprises should aspire to touchless workplace experiences that create a safer, more secure and productive workforce.

Share with LinkedIn Share with Twitter Share with Facebook Share with Facebook
Download PDF version Download PDF version

Author profile

Xavier Coemelck Regional Vice President Sales & Services, Entrust Datacard

In case you missed it

How is AI Changing the Security Market?
How is AI Changing the Security Market?

Artificial intelligence is more than just the latest buzzword in the security marketplace. In some cases, smarter computer technologies like AI and machine learning (ML) are helping to transform how security operates. AI is also expanding the industry’s use cases, sometimes even beyond the historic province of the security realm. It turns out that AI is also a timely tool in the middle of a global pandemic. We asked this week’s Expert Panel Roundtable: How is artificial intelligence (AI) changing the security market?

Moving to Sophisticated Electric Locking
Moving to Sophisticated Electric Locking

In part one of this feature, we introduced the shotbolt – a solenoid actuator – as the workhorse at the heart of most straightforward electric locking systems. Shotbolts remain at the core of most sophisticated electric locking solutions as well. But they are supplemented by materials and technologies that provide characteristics suited to specialist security applications. Here we look at some more demanding electric locking applications and contemporary solutions. Preventing forced entry Where the end of the shotbolt is accessible, the electric holding force can be overcome by physical force. That’s why anti-jacking technology is now a frequent feature of contemporary electric solenoid lock actuators. Anti-jacking, dead-locking or ‘bloc’ technology (the latter patented by MSL) is inherent to the way the locking assembly is designed to suit the requirements of the end application. The patented bloc anti-jacking system is highly effective and incorporated into many MSL shotbolts deployed in electric locking applications. The bloc technology uses a ring of steel balls in a shaped internal housing to physically jam the actuated bolt in place. A range of marine locks is widely used on Superyachts for rapid lockdown security from the helm Real life applications for MSL anti-jacking and bloc-equipped shotbolts include installation in the back of supermarket trucks to secure the roller shutter. Once locked from the cab, or remotely using radio technology, these shutters cannot be forced open by anyone with ‘undesirable intentions’ armed with a jemmy. A range of marine locks is widely used on Superyachts for rapid lockdown security from the helm. While anti-jacking features are an option on these shotbolts, consideration was given to the construction materials to provide durability in saltwater environments. Marine locks use corrosion-proof stainless steel, which is also highly polished to be aesthetically pleasing to suit the prestigious nature of the vessel while hiding the innovative technology that prevents the lock being forced open by intruders who may board the craft. Rotary and proportional solenoids sound unlikely but are now common A less obvious example of integrated technology to prevent forced override is a floor lock. This lock assembly is mounted beneath the floor with round-top stainless-steel bolts that project upwards when actuated. They are designed to lock all-glass doors and are arguably the only discreet and attractive way to lock glass doors securely. In a prestigious installation at a historic entranceway in Edinburgh University, the floor locks are remotely controlled from an emergency button behind the reception desk. They act on twin sets of glass doors to quickly allow the doors to close and then lock them closed with another set of subfloor locks. No amount of stamping on or hitting the 15mm protruding bolt pin will cause it to yield, thus preventing intruders from entering. Or leaving! Explosion proofing In many environments, electric locking technology must be ATEX certified to mitigate any risk of explosion. For example, remote electric locking is used widely on oil and gas rigs for stringent access control, general security and for emergency shutter release in the event of fire. It’s also used across many industrial sectors where explosion risks exist, including flour milling, In many environments, electric locking technology must be ATEX certified to mitigate any risk of explosionpowder producers, paint manufacture, etc. This adds a new dimension to the actuator design, demanding not only intrinsically safe electrical circuits and solenoid coils, but the careful selection of metals and materials to eliminate the chance of sparks arising from moving parts. Resilience under pressure The technology boundaries of solenoids are always being pushed. Rotary and proportional solenoids sound unlikely but are now common. More recently, while not directly related to security in the traditional sense, proportional solenoid valves for accurately controlling the flow of hydrogen and gases now exist. Magnet Schultz has an extensive and somewhat innovative new range of hydrogen valves proving popular in the energy and automotive sectors (Fig. 2-6). There’s a different kind of security risk at play here when dealing with hydrogen under pressures of up to 1050 bar. Bio security Less an issue for the complexity of locking technology but more an imperative for the effectiveness of an electric lock is the frequent use of shotbolts in the bio research sector. Remote electric locking is commonplace in many bioreactor applications. Cultures being grown inside bioreactors can be undesirable agents, making 100% dependable locking of bioreactor lids essential to prevent untimely access or the unwanted escape of organisms. Again, that has proven to be topical in the current climate of recurring coronavirus outbreaks around the world. More than meets the eye In part one, I started by headlining that there’s more to electric lock actuation in all manner of security applications than meets the eye and pointed out that while electric locking is among the most ubiquitous examples of everyday security, the complexity often involved and the advanced technologies deployed typically go unnoticed.Integrating the simplest linear actuator into a complex system is rarely simple For end users, that’s a very good thing. But for electro-mechanical engineers designing a system, it can present a challenge. Our goal at Magnet Schultz is to provide a clearer insight into today’s electric locking industry sector and the wide range of locking solutions available – from the straightforward to the specialized and sophisticated. Integrating the simplest linear actuator into a complex system is rarely simple. There’s no substitute for expertise and experience, and that’s what MSL offers as an outsource service to designers. One benefit afforded to those of us in the actuator industry with a very narrow but intense focus is not just understanding the advantages and limitations of solenoid technology, but the visibility of, and participation in, emerging developments in the science of electric locking. Knowing what’s achievable is invaluable in every project development phase.

Key Considerations for Robust Residential Security
Key Considerations for Robust Residential Security

In the UK, one burglary occurs every 106 seconds. This means by the time you've finished reading this article, at least three will have taken place. Selecting robust physical security options to protect property boundaries and homes is essential to limit crime rates and deter opportunistic intruders. With 58% of burglaries said to take place while the homeowner is in, it seems that even the second wave of lockdowns, and an increased number of people confined to their homes, won't do much to eliminate the risk of burglary. Prioritise security for peace of mind Security is paramount, and in the case of new build projects, should be considered from the very beginning of the design process, not as an afterthought. When it comes to securing pre-existing buildings, there are countless security options which will ensure the perimeter is robust enough to withstand opportunistic attacks. It's also worth noting that security features don't have to be complicated. There are plenty of high-tech digital systems flooding the market, which can go a long way to reduce the risk of burglary and will provide peace of mind to the end user. However, this article will demonstrate how traditional security measures, such as high-quality perimeter fencing, can ensure practical safeguarding of properties for years to come.  Selecting robust physical security options to protect property boundaries and homes is essential to limit crime rates Timber! There are a number of different materials which can be specified to create a strong boundary. From metal railings, to timber fence panels, they will each help deter criminals somewhat. Wooden fence panels are a popular choice for their appearance, and the right product and installation can help to increase security.Our timber acoustic fencing can also reduce noise by up to 32dB and has a solid face with no hand or footholds, while still retaining the attractive natural timber aesthetic of a typical garden fence. However, maintenance is key, and one of the first thing burglars will notice is the condition a fence is in, rather than a particular style. Therefore, old, broken or rotten fence panels are a green light for opportunistic thieves. These can be easily broken or bypassed with minimal effort. When specifying fences as part of a new build housing development, we would suggest opting for high-quality timber, as this will ensure that it is protected against rot. Look for products with an extended guarantee or those that don't need additional treatment over the years. The condition of the fence should still be regularly inspected, and simple methods such as clearing piles of leaves away from the base of the boundary can help to prevent rot which weakens the timber.  Securing fence panels The recent rising cost of timber has led to a dramatic increase in fence panel theft, and panels that can be lifted from the posts are an easy target. Mitigate this risk by screwing the fence panels into the posts. This makes it much harder for the panels to be removed from the posts and creates a more secure barrier.  Concrete posts do offer benefits, but we always advise on timber posts for any fencing. They're strong, just like concrete, but they continue the same natural theme as the rest of the fence. Moreover, if you screwed the panels to concrete posts, they would most likely crack and become damaged, and then be at risk to the elements.  Astute design Design is also important. Installing fence rails on the inside of properties to prevent them from being used as climbing aids is highly recommended. Even better, using panels without rails on high-end developments is a clever tip if you want a secure fence with a high-spec look. Security features don't have to be complicated High fences with solid panels and no gaps in between make it considerably harder for potential burglars to climb over. They also offer better privacy to conceal rear garden areas from intruders, and are much sturdier than other alternative panels.  One common mistake is designing in features such as trees or children's climbing frames too close to the boundary. These can be used by burglars as climbing aids when attempting to scale the fence, making access easy. Investigate the surrounding area, which flanks the outside of the property boundary, as an unfortunately placed bin or bench can also help criminals gain entry. If the removal of these items is not possible, designing in a spiky bush can help deter intruders. It's also worth noting that gardens with numerous large features such as bushes or sheds can also negatively impact the level of security. A clear line of sight across the entire garden is highly recommended where possible. If this view is blocked, it's considerably easy for intruders to hide undetected. Front gardens  While tall, solid fence panels are recommended for rear gardens to prevent intruders from being able to see in and climb over, the opposite is true for front gardens. For street-facing gardens, a low fence or hedge is recommended to provide a clear view from the house. It also makes it much harder for intruders to hide from passers-by or neighbours, who can raise the alarm during a burglary. Another useful security technique to consider is a gravel drive. These create noise, which means the homeowner will know when it is in use. Pair this with a strong boundary fence, the likelihood of burglary dramatically decreases. This article only scratches the surface in unveiling the sheer volume of effective home security options on offer to protect homes and gardens. These investments can help minimize the risk of traumatic break-ins, while also simultaneously boosting the aesthetic of the property and its surroundings.