Passwords are a core issue in computer security. If data is going to be protected there needs to be some way to ensure that only those with a ‘need to know’ know what they need. A crux of the problem is that if a password is sufficiently complex that it is hard to guess then it will be just as difficult to remember. With so many passwords being required for on-line life individuals may use the same password for multiple accounts reducing the security of the most important to that of the most easily breached. A solution is to have the computer generate and remember passwords either individually or as a collection within a virtual vault. Naturally the vault itself needs protecting and that requires another password or some alternate form of security.
Two Factor Authentication (2FA) is commonly used when accessing a Microsoft account from a new device. Other examples include larger PayPal payments, accessing UK self-assessment tax returns and deleting Google accounts. All these implementations involve a message or code being sent to a device and the receiver needing to confirm that data has been received. The originating request or transaction is then approved. The challenge to 2FA is can the device the message is sent to be trusted? Who last updated the device contact details and who is answering that confirmation call or text?
The concept is rapidly developing with Microsoft expanding its passwordless options to ensure that the device rather than who is accessing it is to be trusted.
Conspiracy theorists might sit up now. Computer systems are being asked to trust devices because humans cannot be relied on to keep their access credentials secure. This could be the world of the 1983 film Wargames or of Skynet in the Terminator franchise (1984 onwards). There is no need to panic as it is not the devices themselves making access available but acting as physical keys to unlock access. An example system would be security dongles such as used by the UK NHS without which connected devices cannot access the corporate network.
Biometrics can be used to restrict access to a device; when unlocked the device handles identification for the data store. Fingerprint and facial recognition software is relatively mature so the right device in the right hands will regulate secure access without the need to input or save passwords. The FIDO system is an example process with public/private key authentication used to confirm access from a dedicated device. Where a solution requires a recognition code to be input use of that code can be restricted to a single target machine.
Any implementation needs to consider how long a device is allowed to remain unlocked and if additional verification is required each time access is required or if the account is held open. A device that constantly locks itself will make it hard to engage in any continuous work and is likely to annoy the operator leading to resistance against use of the system. While it is easier for the user and system to check access credentials once and leave the door open this can pose a threat when the user leaves the device unattended. Users need to be educated to lock their devices when not using them with the same logic as locking a computer system when leaving the vicinity of the keyboard.
Passwordless access systems require appropriate hardware to be in place. An organisation will need to either issue suitable devices or enforce a white list of supported employee devices (always a good plan for any ‘Bring Your Own Device’ solution). An employee needs to ensure that they keep any enabled device within reach. If a corporate password is lost then there will be some means to issue another. If a key biometric device is lost or left at home then an employee is severely limited in what work they can do. It should be impossible to get unauthorised access to the device but any organisation will find it a good deal more complex to set up a new device with a biometric device than to reset a password. Making access easier, for example changing from a biometric check to a passcode, makes a system more widely accessible at a cost of reduced security because more devices can access it.
Ideally a security solution will not share passwordless and password based access (except perhaps for limited guest access accounts). Any planned implementation will need to consider which systems can or cannot be set as passwordless. A partial solution would be to aim that all systems required by ‘general’ users are passwordless but others with restricted ‘admin’ use can remain as they are. This would reduce the security risk from the majority of users and their (now redundant) passwords. Any current planned hardware upgrade should consider choosing devices that support passwordless solutions so as not to block out the option to go passwordless in the future.