Security experts have discussed the demise of the passwords for years. As early as 2004, Bill Gates told the RSA Security Conference that passwords “just don’t meet the challenge for anything you really want to secure.” Change has been slow, but the sudden increase in remote working and the need for enterprises to become touchless as they try to encourage teams back to the office is increasing traction. Here we look at the future of passwordless authentication - using the example of trusted digital identities - and share tips on choosing a solution that works for your organisation.

The move away from passwords was beginning to gain momentum pre-pandemic. Gartner reported an increase in clients asking for information on ‘passwordless’ solutions in 2019. Now Gartner predicts that 60% of large and global enterprises, and 90% of midsize enterprises, will put in place passwordless methods by 2022. This is up from 5% in 2018. The many limitations of passwords are well-documented, but the cost of data breaches may be the reason behind this sharp upswing. Stolen credentials – usually passwords – and phishing are the top two causes of data breaches according to the 2019 Verizon Data Breach Incident Report. Each breach costs businesses an average of anywhere between £4M to £8M depending on which studies you read.

A catalyst for change

As in so many other areas, the pandemic has been a catalyst for change. Newly remote workers using BYOD devices and home networks, sharing devices with other family members, and writing down passwords at home all make breaches more likely. And seasoned home workers represent a risk too. 

It also means that enterprises are developing new procedures to mitigate the spread of disease. This includes a thorough examination of any activity that requires workers to touch surfaces. Entering passwords on shared keyboards or touchscreens falls squarely in this area of risk. As does handling physical smart cards or key fobs. Enterprises are expanding their searches from “passwordless” to “passwordless and touchless,” looking to replace physical authenticators. In the quest to go touchless these are items that can be easily eliminated.

The future of passwordless authentication

Using fingerprint or facial recognition often only provides a new front-end way to activate passwords

Common alternatives to passwords are biometrics. But, using fingerprint or facial recognition often only provides a new front-end way to activate passwords. Passwords are still required for authentication after the biometric scan and these live in a central repository vulnerable to hackers. With one successful hack of the central repository, cyber-criminals can swipe thousands of details. In other words, biometrics on their own are not an improvement in security, only a better user experience. They need to be combined with a different approach that adds another layer of security.

A more secure option is to move away from the centralised credential repository to a decentralised model. For example, one based on trusted digital identities. This is where digital certificates are stored on users’ phones. Think of encrypted digital certificates as virtual passports or ID cards that live on a worker’s device. Because they are stored on many separate phones, you are able to build a highly secure decentralised credential infrastructure.

A solution that uses people’s phones is also compatible with touchless authentication systems. You can replace smart cards and key fobs with a phone-based security model and reduce the number of surfaces and items that people touch. This is especially beneficial for workplaces where people have to visit different sites, or for example in healthcare facilities. Replacing smartcards with a phone in a pocket reduces the number of items that clinicians need to take out and use a smartcard between and in different areas, which may have different contamination levels or disease control procedures.

How do trusted digital identities work?  

Workers unlock their mobile devices and access their trusted identity using fingerprint or facial recognition

Here’s an example installation. You install a unique digital certificate on each user’s mobile device — this is their personal virtual ID card. Authorised users register themselves on their phones using automated onboarding tools. Workers unlock their mobile devices and access their trusted identity using fingerprint or facial recognition. Once they are authenticated, their device connects to their work computer via Bluetooth and automatically gives them access to the network and their applications with single sign on (SSO). This continues while their phone is in Bluetooth range of their workstation, a distance set by IT. When they leave their desk with their phone, they go out of range and they are automatically logged out of everything.

Five tips on choosing a passwordless solution

  • More automation means less disruption

Consider how you can predict and eliminate unnecessary changeover disruptions. The task of onboarding large or widely dispersed employee populations can be a serious roadblock for many enterprises. Look for a solution that automates this process as much as possible.

  • Scalability and your digital roadmap

Will you maintain remote working? Having a high proportion of your team working remotely means that passwordless solutions will become more of a necessity. Are you expecting to grow or to add new cloud apps and broader connectivity with outside ecosystems? If so, you need password authentication that will scale easily.

  • Encryption needs and regulatory requirements

If your workers are accessing or sharing highly sensitive information or conducting high-value transactions, check that a solution meets all necessary regulatory requirements. The most secure passwordless platforms are from vendors whose solutions are approved for use by government authorities and are FIDO2-compliant.

  • Prioritise decentralization

Common hacker strategies like credential stuffing and exploitation of re-used credentials rely on stealing centralised repositories of password and log-in data. If you decentralise your credentials, then these strategies aren’t viable. Make sure that your passwordless solution goes beyond the front-end, or the initial user log-in and gets rid of your central password repository entirely.

  • Make it about productivity too

Look for a solution that offers single sign on to streamline login processes and simplify omnichannel workflows. For workers, this means less friction, for the enterprise, it means optimal productivity.

Security improvements, productivity gains and user goodwill all combine to form a compelling case for going passwordless. The additional consideration of mitigating disease transmission and bringing peace of mind to employees only strengthens the passwordless argument. The new end goal is to do more than simply replace the passwords with another authenticator. Ideally, enterprises should aspire to touchless workplace experiences that create a safer, more secure and productive workforce.

Share with LinkedIn Share with Twitter Share with Facebook Share with Facebook
Download PDF version Download PDF version

Author profile

Xavier Coemelck Regional Vice President Sales & Services, Entrust Datacard

In case you missed it

How Have Security Solutions Failed Our Schools?
How Have Security Solutions Failed Our Schools?

School shootings are a high-profile reminder of the need for the highest levels of security at our schools and education facilities. Increasingly, a remedy to boost the security at schools is to use more technology. However, no technology is a panacea, and ongoing violence and other threats at our schools suggest some level of failure. We asked this week’s Expert Panel Roundtable: How have security solutions failed our schools and what is the solution?

Why Visualization Platforms Are Vital For An Effective Security Operation Center (SOC)
Why Visualization Platforms Are Vital For An Effective Security Operation Center (SOC)

Display solutions play a key role in SOCs in providing the screens needed for individuals and teams to visualize and share the multiple data sources needed in an SOC today. Security Operation Center (SOC) Every SOC has multiple sources and inputs, both physical and virtual, all of which provide numerous data points to operators, in order to provide the highest levels of physical and cyber security, including surveillance camera feeds, access control and alarm systems for physical security, as well as dashboards and web apps for cyber security applications. Today’s advancements in technology and computing power not only have increasingly made security systems much more scalable, by adding hundreds, if not thousands, of more data points to an SOC, but the rate at which the data comes in has significantly increased as well. Accurate monitoring and surveillance This has made monitoring and surveillance much more accurate and effective, but also more challenging for operators, as they can’t realistically monitor the hundreds, even thousands of cameras, dashboards, calls, etc. in a reactive manner. Lacking situational awareness is often one of the primary factors in poor decision making In order for operators in SOC’s to be able to mitigate incidents in a less reactive way and take meaningful action, streamlined actionable data is needed. This is what will ensure operators in SOC truly have situational awareness. Situational awareness is a key foundation of effective decision making. In its simplest form, ‘It is knowing what is going on’. Lacking situational awareness is often one of the primary factors in poor decision making and in accidents attributed to human error. Achieving ‘true’ situational awareness Situational awareness isn’t just what has already happened, but what is likely to happen next and to achieve ‘true’ situational awareness, a combination of actionable data and the ability to deliver that information or data to the right people, at the right time. This is where visualization platforms (known as visual networking platforms) that provide both the situational real estate, as well as support for computer vision and AI, can help SOCs achieve true situational awareness Role of computer vision and AI technologies Proactive situational awareness is when the data coming into the SOC is analyzed in real time and then, brought forward to operators who are decision makers and key stakeholders in near real time for actionable visualization. Computer vision is a field of Artificial Intelligence that trains computers to interpret and understand digital images and videos. It is a way to automate tasks that the human visual system can also carry out, the automatic extraction, analysis and understanding of useful information from a single image or a sequence of images. There are numerous potential value adds that computer vision can provide to operation centers of different kinds. Here are some examples: Face Recognition: Face detection algorithms can be applied to filter and identify an individual. Biometric Systems: AI can be applied to biometric descriptions such as fingerprint, iris, and face matching. Surveillance: Computer vision supports IoT cameras used to monitor activities and movements of just about any kind that might be related to security and safety, whether that's on the job safety or physical security. Smart Cities: AI and computer vision can be used to improve mobility through quantitative, objective and automated management of resource use (car parks, roads, public squares, etc.) based on the analysis of CCTV data. Event Recognition: Improve the visualization and the decision-making process of human operators or existing video surveillance solutions, by integrating real-time video data analysis algorithms to understand the content of the filmed scene and to extract the relevant information from it. Monitoring: Responding to specific tasks in terms of continuous monitoring and surveillance in many different application frameworks: improved management of logistics in storage warehouses, counting of people during event gatherings, monitoring of subway stations, coastal areas, etc. Computer Vision applications When considering a Computer Vision application, it’s important to ensure that the rest of the infrastructure in the Operation Center, for example the solution that drives the displays and video walls, will connect and work well with the computer vision application. The best way to do this of course is to use a software-driven approach to displaying information and data, rather than a traditional AV hardware approach, which may present incompatibilities. Software-defined and open technology solutions Software-defined and open technology solutions provide a wider support for any type of application the SOC may need Software-defined and open technology solutions provide a wider support for any type of application the SOC may need, including computer vision. In the modern world, with everything going digital, all security services and applications have become networked, and as such, they belong to IT. AV applications and services have increasingly become an integral part of an organization’s IT infrastructure. Software-defined approach to AV IT teams responsible for data protection are more in favor of a software-defined approach to AV that allow virtualised, open technologies as opposed to traditional hardware-based solutions. Software’s flexibility allows for more efficient refreshment cycles, expansions and upgrades. The rise of AV-over-IP technologies have enabled IT teams in SOC’s to effectively integrate AV solutions into their existing stack, greatly reducing overhead costs, when it comes to technology investments, staff training, maintenance, and even physical infrastructure. AV-over-IP software platforms Moreover, with AV-over-IP, software-defined AV platforms, IT teams can more easily integrate AI and Computer Vision applications within the SOC, and have better control of the data coming in, while achieving true situational awareness. Situational awareness is all about actionable data delivered to the right people, at the right time, in order to address security incidents and challenges. Situational awareness is all about actionable data delivered to the right people Often, the people who need to know about security risks or breaches are not physically present in the operation centers, so having the data and information locked up within the four walls of the SOC does not provide true situational awareness. hyper-scalable visual platforms Instead there is a need to be able to deliver the video stream, the dashboard of the data and information to any screen anywhere, at any time — including desktops, tablets phones — for the right people to see, whether that is an executive in a different office or working from home, or security guards walking the halls or streets. New technologies are continuing to extend the reach and the benefits of security operation centers. However, interoperability plays a key role in bringing together AI, machine learning and computer vision technologies, in order to ensure data is turned into actionable data, which is delivered to the right people to provide ‘true’ situational awareness. Software-defined, AV-over-IP platforms are the perfect medium to facilitate this for any organizations with physical and cyber security needs.

Securing Mobile Vehicles: The Cloud and Solving Transportation Industry Challenges
Securing Mobile Vehicles: The Cloud and Solving Transportation Industry Challenges

Securing Intelligent Transportation Systems (ITS) in the transportation industry is multi-faceted for a multitude of reasons. Pressures build for transit industry players to modernise their security systems, while also mitigating the vulnerabilities, risks, and growth-restrictions associated with proprietary as well as integrated solutions. There are the usual physical security obstacles when it comes to increasingly integrated solutions and retrofitting updated technologies into legacy systems. Starting with edge devices like cameras and intelligent sensors acquiring video, analytics and beyond, these edge devices are now found in almost all public transportation like buses, trains, subways, airplanes, cruise lines, and so much more. You can even find them in the world’s last manually operated cable car systems in San Francisco. The next layer to consider is the infrastructure and networks that support these edge devices and connect them to centralized monitoring stations or a VMS. Without this layer, all efforts at the edge or stations are in vain as you lose the connection between the two. And the final layer to consider when building a comprehensive transit solution is the software, recording devices, or viewing stations themselves that capture and report the video. The challenge of mobility However, the transportation industry in particular has a very unique challenge that many others do not – mobility. As other industries become more connected and integrated, they don’t usually have to consider going in and out or bouncing between networks as edge devices physically move. Obviously in the nature of transportation, this is key. Have you ever had a bad experience with your cellular, broadband or Wi-Fi at your home or office? You are not alone. The transportation industry in particular has a very unique challenge that many others do not – mobility Can you trust these same environments to record your surveillance video to the Cloud without losing any frames, non-stop 24 hours a day, 7 days a week, 365 days a year? To add to the complexity – how do you not only provide a reliable and secure solution when it’s mobile, traveling at varying speeds, and can be in/out of coverage using various wireless technologies? Waiting to upload video from a transport vehicle when it comes into port, the station, or any centralized location is a reactive approach that simply will not do any longer. Transit operations require a more proactive approach today and the ability to constantly know what is going on at any given time on their mobile vehicles, and escalate that information to headquarters, authorities, or law enforcement if needed; which can only occur with real-time monitoring. This is the ultimate question when it comes to collecting, analyzing, and sharing data from mobile vehicles – how to get the video from public transportation vehicles alike to headquarters in real time! Managing video data In order to answer this question, let’s get back to basics. The management and nature of video data differs greatly from conventional (IT) data. Not only is video conducted of large frames, but there are specific and important relationships among the frames and the timing between them. This relationship can easily get lost in translation if not handled properly. This is why it’s critical to consider the proper way to transmit large frames while under unstable or variable networks. The Internet and its protocols were designed more than two decades ago and purposed for conventional data. Although the Internet itself has not changed, today’s network environments run a lot faster, expand to further ranges, and support a variety of different types of data. Because the internet is more reliable and affordable than in the past some might think it can handle anything. However, it is good for data, but not for video. This combination makes it the perfect time to convert video recording to the Cloud! Video transmission protocol One of the main issues with today’s technology is the degradation of video quality when transmitting video over the Internet. ITS are in dire need for reliable transmission of real-time video recording. To address this need a radical, yet proven, video transmission protocol has recently been introduced to the market. It uses AI technology and to adapt to different environments in order to always deliver high quality, complete video frames. This protocol, when equipped with encryption and authentication, enables video to be transmitted reliably and securely over the Internet in a cloud environment. One of the main issues with today’s technology is the degradation of video quality when transmitting video over the Internet Finally, transportation industry has a video recording Cloud solution that is designed for (massive) video that can handle networks that might be experiencing high error rate. Such a protocol will not only answer the current challenges of the transportation industry, but also make the previously risky Cloud environment safe for even the most reserved environments and entities. With revolutionary transmission protocols, the time is now to consider adopting private Cloud for your transportation operations.