Oct 21 2024
Security

Passwordless Authentication Is Within Reach for Government Agencies

Novel cyberattacks and significant innovation in user authentication give agencies both the motivation and the means to achieve a passwordless user experience.

Passwords get a lot of hate, and most of it is warranted. They’re not easy to remember or manage, especially for state and local agencies that lack access to password managers or single sign-on technologies. Users often take matters into their own hands by using the same passwords at work that they use for their personal accounts — which may or may not be compromised — or by falling back on simple, easy-to-remember phrases and numerical combinations.  

Earlier this year, SpyCloud revealed that “12345” and “password” were still popular .gov email passwords in 2023. The report also revealed that the number of reused passwords increased in 2023. To make matters worse, the number of .gov email passwords breached was higher than any prior year. 

Traditional passwords are also operationally demanding for the IT teams that manage them.

“The need to manage passwords and overcome problems related to them leads to massive frustration and lost productivity,” writes Jeremiah Salzberg, chief security technologist for CDW.

Between the complexity of password management and the inherent security shortfalls, it’s easy to see the allure of a passwordless world. The idea of replacing passwords with more secure, intuitive forms of authentication is not novel.

However, authentication technology has swiftly advanced in the past 10 years, and government agencies are closer than ever to having everything they need to finally deliver a truly passwordless user experience. 

Passwordless Authentication Promises Simpler Security

Password weaknesses have become more of an issue in recent years as cybercriminals have started using tools such as artificial intelligence to enhance their attacks. AI can be used not only for common attack techniques such as phishing but also for cracking passwords. Theft is another significant vulnerability for passwords: A March 2024 Keeper report revealed that 52% of IT leaders said their IT teams struggle with frequently stolen passwords.

“The time for passwordless authentication is here, and organizations should start moving toward it.”

Jeremiah Salzberg, Chief Security Technologist, CDW

The prospect of no longer having to deal with passwords holds significant appeal for IT professionals and users. In fact, 56% of internet users said they are excited about passwordless authentication, according to a 2023 Bitwarden survey. 

This excitement is well founded, as organizations can see significant benefits from going passwordless. According to security vendor CyberArk, “Passwordless Authentication strengthens security by eliminating risky password management practices and reducing attack vectors. It also improves user experiences by eliminating password and secrets fatigue.”

Tools That Support Passwordless Authentication

A variety of technologies have emerged to help companies achieve their passwordless objectives. One example is biometric authentication. According to security vendor Okta, “Biometric authentication is a security process that uses unique biological characteristics like fingerprints, eye patterns, facial recognition, and voice analysis to confirm and verify a person’s identity before granting them access to a physical space or digital system.”

Biometric solutions can provide a higher level of security because the unique identifiers they rely on are difficult to replicate or hack. They also are generally faster and more convenient for users than many other authentication techniques, which improves the user experience. This makes it simpler for a company to implement continuous authentication, where identity is verified at regular intervals while users are logged in to a system, improving security.

Push notifications are another tool for passwordless authentication. Solutions such as Microsoft Authenticator can send a push notification to a user’s registered mobile device. The notification includes details about the authentication attempt and enables the user to approve or deny it. 

Beyond eliminating passwords, push notifications and biometrics can also vastly improve the user experience for agencies currently using physical tokens as second factors. Tokens can easily be lost or simply forgotten at home or in the office for what has become an increasingly hybrid workforce at the state and local levels.

Passwordless authentication can also be enabled by the Web Authentication API (also known as WebAuthn). This application programming interface, which was created by the FIDO Alliance and World Wide Web Consortium, enables state and local agencies to authenticate users via public key cryptography instead of passwords. By creating a private-public key pair, the API allows a server to use strong authenticators built into devices to verify the identity of authorized users.

Several other tools — including smart cards, QR codes and mobile one-time passcode generators such as Google Authenticator — can also help agencies establish passwordless authentication. Experts suggest that agencies start looking now at how they may deploy solutions such as these to finally rid themselves of the headaches that passwords have created for decades.

“The time for passwordless authentication is here,” CDW’s Salzberg writes. “We still face some challenges to getting rid of passwords altogether, and we need to ensure we are using the most secure multifactor authentication options for our most critical systems.”
