“There is no doubt that over time, people are going to rely less and less on passwords… they just don’t meet the challenge for anything you want to secure,” said Bill Gates. That was 17 years ago. Although passwords have lost some of their charm, they have survived many attempts to kill them for good.
The move to zero-trust systems is acting as a catalyst. The perception of high cost and tricky implementation has kept some smaller businesses from ditching passwords. But alternatives to passwords are affordable, easy to implement, and safer, according to industry insights gathered by Extra Crunchy.
First, a primer. Zero trust focuses on who you are, not where you are. Zero-trust models require companies never to trust any attempt to access their network and to verify every single time, even for logins from inside the network. Passwordless tech is a crucial part of zero-trust models.
There are several alternatives to passwords, including:
- Biometric authentication: widely used as fingerprint readers in smartphones and physical verification points at buildings;
- Social media authentication: where you use your Google or Facebook IDs to authenticate you with a third-party service;
- Multi-factor authentication: where more layers of authentication are added using devices or services, such as token authentication using a trusted device;
- Grid authentication cards: which provide access while using a combination PIN;
- Push notifications: usually sent to the user’s smartphone or encrypted device;
- Digital certificates: cryptographic files stored locally on the machine or device.
Wolt, a Finnish food-delivery site, is just one example of going passwordless. “The user registers by entering their email address or phone number. Login to the app occurs by clicking the temporary link in the user’s inbox. The app on the user’s mobile phone places an authentication cookie, enabling the user to continue from that device without further authentication,” said Erka Koivunen, CISO at F-Secure. In this case, the service provider controls the authentication, allowing it to set expiration times, revoke service, and detect fraud. The service provider does not need to count on the user’s commitment to keeping passwords secret.
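The temporary-link flow described above, as an added sketch that is not Wolt's code or anything from the article: a provider issues a single-use, expiring login link, exchanges it for a device cookie, and can revoke that cookie server-side. The class name `MagicLinkAuth`, the host `app.example` and both lifetimes are assumptions chosen for illustration.

```python
import hashlib
import secrets
import time

LINK_TTL = 600             # assumed: login link valid for 10 minutes
SESSION_TTL = 30 * 86400   # assumed: device cookie valid for 30 days

class MagicLinkAuth:
    """Hypothetical provider-side store for login links and device cookies."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._links = {}      # sha256(token)  -> (email, expires_at)
        self._sessions = {}   # sha256(cookie) -> (email, expires_at)

    @staticmethod
    def _digest(value):
        # Only hashes are stored, so a leaked table cannot be replayed as links or cookies.
        return hashlib.sha256(value.encode()).hexdigest()

    def issue_link(self, email):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._links[self._digest(token)] = (email, self._clock() + LINK_TTL)
        return f"https://app.example/login?token={token}"  # placeholder host

    def redeem(self, token):
        # pop() makes the link single-use: a second click finds nothing.
        entry = self._links.pop(self._digest(token), None)
        if entry is None or self._clock() > entry[1]:
            return None
        cookie = secrets.token_urlsafe(32)
        self._sessions[self._digest(cookie)] = (entry[0], self._clock() + SESSION_TTL)
        return cookie  # sent to the device as its authentication cookie

    def whoami(self, cookie):
        entry = self._sessions.get(self._digest(cookie))
        if entry is None or self._clock() > entry[1]:
            return None
        return entry[0]

    def revoke_user(self, email):
        # Provider-side revocation: drop every device session for this user.
        stale = [k for k, (e, _) in self._sessions.items() if e == email]
        for k in stale:
            del self._sessions[k]
        return len(stale)
```

In a real deployment the cookie would also be set with the `Secure` and `HttpOnly` attributes, and link issuance would be rate-limited per address.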
Passwordless tech is not inherently costly but may take some adjustment, explained Ryan Weeks, CISO at managed service provider Datto. “It is not necessarily costly in terms of monetary investment because there are a lot of easily accessible open-source alternatives for multi-factor authentication that don’t require any sort of investment,” said Weeks. However, some companies believe passwordless tech may cause productivity friction for their employees. Koivunen also dismissed the idea that zero-trust models are unaffordable for startups. “Zero trust recognizes the futility of forcing users to authenticate themselves by presenting something they should keep a secret. Instead, it prefers to establish the user’s identity using some context-aware method,” he said.
Zero trust goes beyond authenticating users; it covers the device as well as the user. “From a zero-trust perspective, there is an idea that a continuous authentication or revalidation of trust is occurring. Therefore, passwordless in a zero-trust model is potentially easier for the user and more secure as the combination of the ‘something you have’ and ‘something you are’ factors are more difficult to attack,” said Datto’s Weeks. Larger companies, like Microsoft and Google, already offer zero-trust technologies. But investors are also eyeing smaller companies that offer zero trust to growing companies. Axis Security, a zero-trust provider that allows remote employees to access their company’s network, raised $32 million last year. Beyond Identity raised $75 million in funding in December. And Israeli identity-validation startup Identiq raised $47 million in Series A funding in March.