Farewell passwords, hello passwordless authentication
Passwordless authentication, meaning authentication that relies on biometrics, hardware security keys, or other non-password factors to protect accounts and give users a seamless sign-in experience, will be implemented across more websites and enterprise-grade software products in 2020.
Who hates passwords? You do. I do. We all do. Passwords are an unpopular approach to securing and accessing systems and information; they are easily forgotten, far too numerous, often shared, and insecure. Even tools like password manager software, meant to assist in the secure storage of passwords, are often not properly set up by end users, rendering the user’s passwords insecure. Biometric and physical security-key technologies are moving to replace the password, offering greater security, confidence, and convenience while making management easier and more secure for vendors.
Imagine: Instead of using a password to sign in, you securely sign in with your faceprint or fingerprint on a trusted device. Alternatively, you could use an authenticator app on your personal mobile device or press a button on your USB hardware security key.
The rapidly approaching future of passwordless authentication relies on the adoption of FIDO Alliance (Fast IDentity Online) standards. What started in 2009 as a vision of PayPal and Validity Sensors (since acquired by Synaptics) for password-free identification has become an industry standard for authenticating online users. Today’s FIDO Alliance members include global leaders across the payments, telecom, government and healthcare industries, among them tech giants such as Amazon, Alibaba, Facebook, and Google. With the World Wide Web Consortium (W3C) having made WebAuthn, the web-facing half of FIDO2, an official web standard in 2019, we are likely to see more adoption in the near future. Currently, FIDO-enabled websites and apps reach over three billion commercial users.
Passwordless authentication works by unlocking a user’s cryptographic log-in credential (a private key held on the device) with a biometric, a physical USB security key, or another non-password factor. For biometric authentication, a user can scan a fingerprint on the reader built into a laptop, mobile phone, or other device. Alternatively, they can use facial recognition with liveness detection (for example, a selfie-smile to unlock), which uses the device’s camera to confirm that a live face is present rather than a photo. Many identity verification tools offer similar liveness features.
Users who want passwordless authentication without biometrics can use a FIDO-compliant physical security key such as a YubiKey or a FIDO-compliant mobile app. The authenticator (security key or app) answers a challenge from the FIDO-enabled web browser or application by signing it with a private key that is generated separately for each site. FIDO2 credentials are unique per site, so they cannot be used to track a user across sites. With FIDO2, the user’s private key and any biometric template never leave the user’s device and are never stored on a remote server; the server holds only the matching public key. This reduces risk because companies no longer have to store sensitive shared secrets, such as passwords, as they do today.
Concept Source: Yubico
Passwordless authentication provides a variety of benefits for different stakeholders.
- End users: Frictionless authentication and account access without the use of passwords.
- Developers: Securely authenticate users using simple application programming interfaces (APIs).
- Businesses: Reduce the risk of storing passwords while employing a scalable, secure, and private authentication solution.
With over 600 FIDO-certified products and support from well-known businesses such as Bank of America, eBay, GitHub, Facebook, Google, Salesforce, Microsoft, and Dropbox, FIDO2 standards adoption should be on your company’s 2020 to-do list.
Privacy pros...in the marketing department?
As Richie Etwaru has argued, companies have about 18 months to compete on data privacy before it becomes commonplace. If you are the No. 2 company in a given market, privacy is giving you an opportunity to compete with the No. 1. Go for it.
Many companies initially invested in their privacy programs to comply with privacy laws such as the GDPR. After GDPR went into effect in May 2018, companies realized a slew of incidental benefits related to their privacy investments, as reported by Cisco in their 2019 data privacy benchmark study.
The most fascinating aspect of these benefits is how privacy drives the velocity of sales. End users are becoming more concerned with how their data is used. The main reason for sales delays? Customers feel uncomfortable with some vendors’ privacy practices. Marketing their privacy program can be a competitive advantage for companies that have invested in data privacy solutions.
Mike Muha, chief information security & privacy officer at WorkForce Software, a vendor of workforce management software, explained that for B2B companies, “linking sales and customer satisfaction to privacy can be a great way to get buy-in for privacy programs.” Mike recommends quantifying your company’s specific sales inquiries related to privacy, such as:
- The number of pre-sales requests that raise privacy. These questions usually center on compliance and contracts such as data processing agreements and standard contractual clauses.
- The total amount of new revenue that involved one or more privacy-related requests. This could include renewals and upsells as well.
- The total number of post-sales requests that concern privacy compliance and contracts.
- The total amount of existing revenue that involved one or more privacy requests.
A simple way for companies to answer prospects’ privacy questions is to publish easy-to-read privacy “nutrition labels”, a user-friendly summary that customers can access to understand a vendor’s privacy practices.
Investment in privacy-related talent is increasing as well. According to a 2019 study conducted by the International Association of Privacy Professionals, the median privacy professional’s salary is about $123,040. This is an $8,000 increase since the last survey in 2017. The privacy professional title with the highest average pay was chief privacy officer. On average, that title comes with a salary of $212,000 when working in the United States at software or hardware organizations.
While most privacy professionals tend to work in companies’ legal departments, the most fascinating aspect of this salary report is that “for organizations with higher annual revenues, the privacy lead was more likely to be in the marketing department.”
Let me repeat that. Big tech companies with big revenues generally have privacy leaders in the marketing department.
What does this tell us? Privacy is not just about compliance, but rather it is becoming a marketable competitive advantage.
Storing biometric data—your device or mine?
Given new laws and regulations around biometric data storage, more companies will opt to keep biometric data on end users’ devices to reduce the risk that storing it poses.
Biometric authentication is convenient and secure; however, it presents many challenges. Mishandled biometric data has led to some of the most expensive lawsuits tech companies have faced to date. For example, Facebook currently faces a class-action lawsuit, with potential damages of up to $35 billion, over its use of facial recognition on Illinois residents.
Companies considering biometric authentication must properly store users’ biometric data. Where companies choose to store that data depends on their risk tolerance and level of security needs.
There are a few reasons businesses may use biometric authentication.
- Biometrics are easier for the end user, and allow passwordless authentication.
- Biometric authentication is useful for anti-fraud measures, especially in sectors such as banking.
- Biometric authentication can reduce the expense of traditional multi-factor authentication methods. This includes reducing or eliminating the cost of some token-based methods, such as one-time passcodes (OTP).
A word to the wise: before you collect or store any biometric data, make sure you comply with the privacy laws that regulate it, such as the GDPR, CCPA, BIPA, and others. At a minimum, obtain and record explicit consent from users before collecting, processing, or storing biometric data.
Which is best? The benefits of each type of storage depend on your company’s risk tolerance and particular use cases.
Device-centric storage limits a company’s liability, because the user’s biometric data stays on the user’s own device: a compromise affects that one device rather than a central database holding every customer’s template. Device-centric storage also scales well, since it consumes none of the company’s storage or other IT resources.

Conversely, companies that want more oversight of the authentication process, and are willing to accept the risk of a breach, may prefer server-centric storage. Centralized storage on company servers lets a business analyze the stored biometric data and improve matching over time, but it also makes that server a single high-value target.

Distributed storage, in which partial pieces of a user’s biometric data are held separately on the end user’s device and on the company’s server and combined only when the user authenticates, offers a middle ground: both parties retain some control, and a breach of either side alone yields an incomplete template, which reduces the company’s risk.
Disclaimer: I am not a lawyer and cannot offer legal advice. If you have legal questions, consult an attorney.