President Biden’s recent cybersecurity executive order is officially in motion. As of November 8, 2021, every organisation is mandated to incorporate multi-factor authentication (MFA) and implement a “zero trust” framework into their security system backends. This executive order was spurred by several colossal ransomware attacks, most significantly the Colonial Pipeline cybersecurity breach that left much of the East Coast without gasoline for multiple days. A state of emergency was declared two days after the attack because of its ripple effect on the transportation network.
The executive order was pivotal in spotlighting the wide-scale impact of credential stuffing and the importance of MFA, not just for securing critical infrastructure but for mom-and-pop shops, too. However, the order’s requirements and deadline are only the tip of the spear, as attackers continue to adapt, circumvent and infiltrate networks that already have MFA protocols in place. Microsoft’s recently released Digital Defense Report revealed that attacks by Nobelium, the threat actor behind last year’s widely reported SolarWinds campaign, were the result of password spraying. That headline-grabbing attack, like many breaches, wasn’t an elaborate Mission Impossible-style hacking scheme; in fact, many breaches come down to compromised passwords and intercepted MFA flows (e.g., man-in-the-middle attacks). At times, an undetected, widespread attack can stem from a single compromised password.
This begs the question – why are we married to passwords if it means empowering bad actors? Why are we dealing them the winning hand?
It boils down to convenience, predictability and, simply, complacency. Passwords are embedded in our culture, and deviating from a familiar human habit seems alarming to most individuals. This false sense of security, coupled with a laser focus on “prevention” rather than “cause,” is leaving the window ajar. At their core, cyber-attacks aren’t the result of implementing the “wrong” product or a poor infrastructure; in this case, it comes down to the false sense of security that a password provides.
To checkmate bad actors, we need to take out what’s hackable – the password.
Every second, 579 passwords are compromised, leaving people and businesses vulnerable nearly 24/7. Multi-factor authentication isn’t proving to be enough as hackers circumvent these barriers, and as technology evolves, so too does the sophistication of these attacks. Hackers have recently automated the bypass of traditional MFA methods, which has exacerbated the problem. Now is the time to eliminate the moving target and go passwordless by providing simple, strong and phishing-resistant access.
Debunking Passwordless Authentication – How does it work?
True Passwordless™ MFA does not rely on verifying a “shared secret” – think passwords, PINs, SMS codes, one-time passwords (OTP), even credit card numbers. There is no centrally stored credential that can be hacked or stolen. Instead, True Passwordless™ MFA uses public key cryptography, which involves a public-private cryptographic key pair. The private key is stored on the user’s device – a mobile phone, smart card or security key – while the public key is registered with the authenticating server. On a mobile device, the private key can only be unlocked using biometrics, such as Face ID or a fingerprint. In short, users can log in with a simple “glance” at their smartphone.
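The registration and login exchange described above, as an added Go example that is not HYPR’s code: the device keeps an Ed25519 private key, the server stores only the public key, and each login signs a one-time server challenge bound to the server’s origin, so a captured assertion cannot be replayed and one produced for a look-alike site fails verification. The type and function names, the Ed25519 choice and the rpID value are assumptions for illustration; the biometric unlock that gates signing on a real device is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Authenticator holds the private key, which never leaves the user's device.
type Authenticator struct{ priv ed25519.PrivateKey }
// Server stores only public keys and the one-time challenges it has issued.
type Server struct {
	rpID       string // origin every assertion must be bound to (a constructed value here)
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}
func NewServer(rpID string) *Server {
	return &Server{rpID, map[string]ed25519.PublicKey{}, map[string][]byte{}}
}
// Register creates the key pair on the device; the server receives the public half only.
func Register(s *Server, user string) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.pubKeys[user] = pub
	return &Authenticator{priv}, nil
}
// Challenge issues a fresh 32-byte nonce that is valid for exactly one assertion.
func (s *Server) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}
// Sign is the device-side step (gated by the local biometric in a real deployment).
// Signing over the origin is what makes the scheme phishing-resistant: an assertion
// produced for a look-alike site does not verify at the genuine one.
func (a *Authenticator) Sign(origin string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, append([]byte(origin+"|"), challenge...))
}
// Verify checks the assertion against the stored key and the server's own rpID. The
// challenge is consumed on every attempt, so a captured assertion cannot be replayed.
func (s *Server) Verify(user string, sig []byte) bool {
	c, pub := s.challenges[user], s.pubKeys[user]
	delete(s.challenges, user)
	return c != nil && pub != nil && ed25519.Verify(pub, append([]byte(s.rpID+"|"), c...), sig)
}
```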
In order to implement true passwordless authentication, organisations must:
- First, consider users (AKA employees) and their use cases.
It’s important to understand the employees’ needs, behaviours and risk profiles. What kinds of devices do they use – phones, desktops, shared workstations, or a combination of all three? Are they mostly remote, working in an office setting, or hybrid? By understanding their access points, you can then define the safety guidelines for going passwordless.
- Loop in and engage other relevant departments.
Depending on company size, departments are often siloed, with budgets, decisions and impacts made and measured independently. That said, with a passwordless overhaul, nearly every department – including IT, HR and operations – needs to be in the know. By looping in the various departments, the teams can more effectively communicate a multi-step approach to going passwordless, as well as highlight the benefits of upgrading the company’s authentication protocols.
- Plan training and support ahead of time.
As with any IT change, less tech-savvy employees will need refreshers and one-on-one support at some point during implementation. To make your life easier, share a training plan that includes an FAQ document as well as a communication plan for employees who need help. This should only last about a week or so into implementation, so prepare for extra IT staffing hours during that time.
- Create a measurement rubric for success.
This may seem rudimentary, but every C-suite executive will ask for qualitative and quantitative results from switching to passwordless, particularly since it will affect every login and every area of the business. This rubric for success will largely centre on bottom-line metrics, particularly those related to saving money and time, and can be revisited at six- or 12-month intervals following implementation.
While the above provides guidelines on how to incorporate passwordless MFA into an organisation, every corporation is different and must be treated as such. Some will require longer lead times to switch over; others will not. But the above gives you a general framework for implementation and ultimate success, and puts you well on your way to foolproof cybersecurity across the organisation.
By Bojan Simic, Co-Founder, CEO & CTO at HYPR
Bojan Simic is the CEO, Chief Technology Officer and Co-Founder of HYPR. Previously, he served as an information security consultant for Fortune 500 enterprises in the financial and insurance verticals, conducting security architecture reviews, threat modelling and penetration testing. Bojan has a passion for deploying applied cryptography implementations across security-critical software in both the public and private sectors. His extensive experience in decentralised authentication and cryptography has served as the underlying foundation for HYPR technology. Bojan also serves as HYPR’s delegate to the FIDO Alliance board of directors, empowering the alliance’s mission to rid the world of passwords.