Expert Opinion Article by David Mahdi, Research Director in IT Leaders Systems, Security and Risk at Gartner
Did you know that today, May 6th, is World Password Day? Really, do we need another day to remind us that passwords are all around us? Haven’t we had enough?
As a Gartner analyst who spends quite a bit of time focusing on identity and access management (IAM), there is a lot to be said about passwords. I won’t spend any time highlighting all the joys (not!) of passwords.
In my previous blog (linked here), I talked about how now is the time to review, refresh and revitalize your access management and authentication approach.
Perhaps, as it is World Password Day, we could focus on how to start moving away from passwords.
It is imperative to discuss the problems that passwords bring and to find alternative options for going passwordless. There are token-based methods, from FIDO tokens such as YubiKeys to Google Titan keys, that can provide clients (and users) with a hardware credential. There are also mobile phone-based methods, such as leveraging Google Android’s ability to “Turn your phone into a Security Key”.
Then there is biometrics. From mobile device-based fingerprint readers to facial recognition, many users have rapidly adopted these methods.
And when it comes to laptops, Microsoft has provided us with some great devices, such as the Surface tablets and laptops, both of which offer Windows Hello, where users can use facial recognition instead of passwords.
What does all of this mean? The foundation for passwordless authentication is quickly arriving. But we need to see the standards (such as FIDO) adopted by hardware and software makers alike.
So, we covered some authentication methods above… what about actually eliminating passwords in back-end directories and data stores? Well, that is a whole other issue. Yet approaches such as FIDO, which leverage public-key technology, offer us some hope: hope that password data stores could be replaced with public keys, which, if exposed, don’t pose a massive issue (unlike sensitive passwords; public keys are, well, meant to be public!). Damage is limited as long as user private keys are kept secure, which is why these keys are stored in protected hardware and software execution environments. Now we could go on here and get really deep into the land of PKI and crypto-key management, but I will spare you (feel free to book some time with me, and we can talk more about it).
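To make the public-key point concrete, here is an added Go example (not code from the article or from any FIDO implementation): a toy model in which the server keeps only a P-256 public key per user and logs the user in by verifying a signature over a fresh random challenge, so a leaked credential store gives an attacker nothing to crack or replay. The names (Credential, Authenticator, Register, NewChallenge) are my own; a real FIDO/WebAuthn exchange also binds the origin and a signature counter, which are left out here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Credential is all the server stores per user: a public key. Unlike a
// password hash, a leaked copy gives an attacker nothing to crack or replay.
type Credential struct{ UserID string; Public *ecdsa.PublicKey }

// Authenticator models the user's FIDO token; the private key never leaves it.
type Authenticator struct{ private *ecdsa.PrivateKey }
// Register creates a P-256 key pair (FIDO's ES256) on the token and hands
// the server only the public half to store.
func Register(userID string) (*Authenticator, Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, Credential{}, err
	}
	return &Authenticator{priv}, Credential{userID, &priv.PublicKey}, nil
}

// NewChallenge is the server's fresh 32-byte nonce; a new one per login
// attempt is what stops a captured signature from being replayed later.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}
// Sign is the token's reply: an ECDSA signature over the challenge hash.
func (a *Authenticator) Sign(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.private, h[:])
}
// Verify is the server-side check against the stored public key.
func (c Credential) Verify(challenge, sig []byte) bool {
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(c.Public, h[:], sig)
}
func main() {
	token, cred, _ := Register("alice")
	challenge, _ := NewChallenge()
	sig, _ := token.Sign(challenge)
	fmt.Println("genuine token accepted:", cred.Verify(challenge, sig)) // true
}
```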
This remains a very exciting area of discussion, but overall, I am pleased that we are finally building a good foundation to move away from passwords. So, I guess I should end this by saying… Happy Password… Passwordless Day, everyone!