How do you strengthen your identity verification processes? Most organizations go the route of stronger password policies and tight password management. However, did you know that passwords are inherently among the most vulnerable components of your organization’s cybersecurity environment?
The risks of password-based login
When you use passwords as the primary key to your secure assets and data, you open up your systems to certain risks: weak password policies, improperly shared access, database hacks, credential stuffing and social engineering.
Weak passwords due to improper policies
Poor policies could permit the use of very weak passwords. On the other hand, very stringent rules result in employees hunting for workarounds. If you’re using password-based authentication, prioritize a password policy management module in your IAM.
Database breaches
Since user credentials are stored in a single centralized database, the database is naturally under some risk of hacking. Passwordless authentication does away with this risk, since there’s no centralized database of passwords to be breached.
Credential stuffing attacks
It’s common for employees to use the same password on multiple websites, from the local movie theater’s online booking system to your business applications. If the movie theater happens to get hacked, your business-critical assets are suddenly vulnerable.
Social engineering attacks
When creating a password, users gravitate towards names and dates of personal importance. These details aren’t public, but they can be discovered! Malicious actors can learn such data from in-person social interactions or from social media, and crack the user’s login.
Enter passwordless authentication
How do you avoid passwords in your identity verification process? Passwordless authentication is a zero-trust login method that works well with modern applications and systems. It entirely does away with credentials based on the username-password dynamic. Instead, passwordless authentication is typically device-centric, where a previously approved action needs to be taken on a verified device (smartphone, personal computer or hard token) to authenticate a user.
The credentials are non-shareable and are not stored centrally. No passwords are shared with users, and they cannot be inappropriately shared or compromised, meaning unauthorized individuals cannot access your business-critical assets even if they were to obtain a user’s credentials. Credential stuffing, social engineering and hacking attacks are not just unlikely; they’re impossible. As a system administrator, you don’t need to worry about the strength of your users’ passwords or the frequency with which they’re updating them.
The benefits of passwordless authentication
- As discussed above, it strengthens the security of identity credentials
- It improves user experience for administrators, business management and users too
- It simplifies the login experience for the user
- It reduces long-term IT costs, as fewer support tickets are raised
How does passwordless authentication work?
You could use a number of techniques to enable passwordless authentication. These include hard tokens, OTPs, private keys, magic links, push notifications and QR codes.
Passwordless authentication is based entirely on a device or object that the user already possesses.
- QR codes can be scanned by a specific application downloaded on the user’s mobile phone.
- Hard tokens are physical devices that provide users with direct access to specific software.
- OTPs, push notifications and magic links could be connected to mobile devices, a phone number or an email address.
- Private keys are stored on the user’s approved devices; these alphanumeric strings are used in association with a public key to verify the user’s identity.
Akku and blockchain-based identity management
Akku’s upcoming blockchain-based identity management method has added a new layer of security to the customizable IAM solution. Using a private distributed ledger, the Akku blockchain-based IAM is virtually unhackable and extremely secure. At the same time, this revolutionary technology is user-friendly and accessible.
Using the new system, your administrator would provision new users exactly as they did earlier on the original Akku system. Each user would be provided with credentials consisting of a public key stored on the blockchain servers, and a private key pushed to the user. Blockchain credentials are created based on the decentralized identifier that your organization chooses. This could be an email ID, employee ID, or any other unique identifier.
Once their access has been provisioned, employees download the Akku app and enter their decentralized credentials. On the Akku login page, they will see a QR code which needs to be scanned through the Akku application. They will then receive a private key, and their access is activated.
This QR code based passwordless authentication method is enabled by the use of blockchain credentials with each user’s public key being stored on the blockchain, and their private key being stored in a blockchain wallet on their approved device – in this case the wallet being the Akku app.
The use of the QR code based passwordless authentication method eliminates some of the risks associated with other forms of passwordless authentication. This includes as SIM swapping or cloning in the case of OTP based methods, and biometric hacks in the case of fingerprint or retina scan methods.
Do reach out to our team to learn more about the blockchain and its use in identity and access management. Get in touch with us today.
