Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //

Authentication

5/28/2019
12:00 PM
Steve Zurier
Steve Zurier
Slideshows
Connect Directly
Twitter
RSS
E-Mail
50%
50%

8 Ways to Authenticate Without Passwords

Passwordless authentication has a shot at becoming more ubiquitous in the next few years. We take a look at where things stand at the moment.
Previous
1 of 9
Next

Image Source: Adobe Stock- Denys Prykhodov

Image Source: Adobe Stock- Denys Prykhodov

So are we finally doing this? Are we finally moving to passwordless authentication?

Microsoft and Google have been pushing this aggressively over the past several months, and Apple has been a major player by being the first out of the box with fingerprint authentication on the iPhone. Most PCs and Mac laptops now offer Touch ID, so inside of a year or two people can use them for passwordless authentication, too.

The industry largely views passwords as outdated and one of the major causes of breaches. According to the Verizon's "2019 Data Breach Investigations Report," more than 80% of breaches leverage stolen or weak passwords. That's why the industry has been pushing for open standards, such as FIDO (Fast Identity Online), which would help security teams and developers more readily deploy passwordless authentication. The FIDO Alliance, which was founded by next-generation authentication company Nok Nok Labs, PayPal, Lenovo, Validity Sensors, Infineon, and Agnitio, first began its development of the passwordless authentication protocol in 2012.

Recent research by Ant Allan, a Gartner analyst who focuses on passwordless authentication, predicts that by 2022, 60% of large and global enterprises and 90% of midsize enterprises will implement passwordless methods in more than 50% of use cases — up from 5% in 2018.

To be sure, vendors have taken notice. Here are eight of the leading passwordless authentication approaches and a look at what needs to happen moving forward.

 

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio

Previous
1 of 9
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ScottyTheMenace
100%
0%
ScottyTheMenace,
User Rank: Strategist
6/6/2019 | 5:46:08 PM
Touch ID is not passwordless
Not sure if it was your intent to suggest that it was, but Apple's Touch ID is not passwordless.

In iOS, you still have to set a passcode, and it seems to be the passcode that actually unlocks your device. All Touch ID does is use your fingerprint to fill the passcode into the field. (I don't know the technical details to know that's the case, but it sure seems like that's what's happening.) You're also forced to use the passcode seemingly at random (though it's probably time delimited) and to activate Touch ID after a restart.

I love using Touch ID—it's quite convenient—but its dependence on a typed passcode actually encourages users to use weak passcodes that are easily remembered since they'll eventually need to type it in, and typing the passcode* 984ELBMYAq[[email protected]%t5sM+5{j=9AYH__4jqDr on a touch keyboard is not real fun.

 

* Generated just now. Not any of my passwords. C'mon now, do I look that dumb? DON'T ANSWER THAT!
wibblewibble
100%
0%
wibblewibble,
User Rank: Apprentice
5/30/2019 | 7:49:18 AM
SQRL
Don't forget SQRL! https://www.grc.com/sqrl/sqrl.htm
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.