Pulse Flash Read: Password(less)

Passwords are rubbish, aren’t they?

We’ve all asked for someone else’s Netflix login, only to break out in a cold sweat on seeing that their password is something like: basketball (yeah, they finally signed up to watch The Last Dance). And, let’s be honest, you didn’t feel great about them sending it over iMessage either. I’ve literally turned down free access to Netflix because of this. And cybersecurity experts like NordPass agree: they’re sick of telling us how rubbish passwords are.

Letting humans stay in control of those crucial windows of access that passwords reveal will always be problematic. The bad actors lying in wait in that password-generated web traffic are experts at exploiting human faults. Take the recent Twitter hack: Two-Factor Authentication (2FA) seemed like a great extra layer of security until a fatal flaw in the thinking was revealed: all it took was some social engineering and the implicit trust users feel with 2FA was turned into a classic bit of phish bait.

What if the answer is in the problem? Password-related attacks happen when human meets internet. Can we remove either or both of those issues? Turns out we can.

Hardware Security Modules (HSMs) are secure pieces of hardware for containing digital information, lock and key in a discreet piece of machinery that fits neatly on your desk. (Actually, they’re pretty small nowadays; the main issue might be losing one, SD-card style.) Unlike computers, they generate truly random keys that exist outside of the internet’s nefarious reach, providing what’s known as Root of Trust (RoT): trusted nodes within a cryptographic system, a critically important element for any IoT network (and much more reliable than human secret-keepers).

If you’d prefer not to ship out HSMs to all your remote staff, there are simpler options that, while not as cloaked as HSMs, at least bypass the password problem. Both AWS and Microsoft Azure offer OTP (One Time Password) access via SMS (yes, it might seem annoying at first but it takes less time than resetting that password we forgot 30 seconds after creating it), and others such as Okta, OneLogin, Acceptto and Hitachi ID offer robust solutions. We produced a white paper with Microsoft you can read here about IT execs’ experiences with FirstLine Employee remote login.

Magic links are another option. San Fran-based Magic (formerly Fortmatic) promises ‘customizable, future-proof, passwordless login with a few lines of code’. All you have to do is embed Magic on your site and apps; clients receive an email link they click to sign in, and that’s that. The link, like that 5 of hearts you were watching, vanishes and the hijacking opportunity along with it. (Incidentally, Magic uses HSMs to handle your data.) Here’s a guide on how to add Magic to your apps, including a more in-depth discussion of both HSMs and Magic.

The demise of the password comes with an acceptance of our own limitations. We forget. We enjoy simplicity. We share. So, accept that your team are human and find a password alternative that fits your needs. Because if you don’t, those clients, and your investors, might end up being another thing you’re scrambling to retrieve.

What startups/tech are you excited about in the passwordless space?
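The magic-link sign-in described in the article, as an added example that is not part of the original post and is not Magic's own code: a server issues a random single-use token, stores only its hash, and rejects replayed, expired or forged links. The class name, the host `app.example.test`, the 10-minute lifetime and the e-mail addresses are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 600  # assumed lifetime; the article does not state one


class MagicLinkStore:
    """In-memory stand-in (hypothetical) for a table of pending sign-in links."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._pending = {}  # sha256(token) -> (email, expires_at)
        self._ttl = ttl
        self._clock = clock

    def issue(self, email):
        """Return the URL to e-mail. Only a hash of the token is kept, so a
        leaked database row cannot be replayed as a working link."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (email, self._clock() + self._ttl)
        return f"https://app.example.test/login?token={token}"

    def redeem(self, token):
        """Return the e-mail for a valid token, else None."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        # pop() consumes the entry: the link "vanishes" after one click.
        entry = self._pending.pop(digest, None)
        if entry is None:
            return None  # unknown, forged or already used
        email, expires_at = entry
        return email if self._clock() <= expires_at else None


def demo():
    """Constructed scenario: first click, replay, expired link, forged token."""
    now = [1_000_000.0]  # fake clock so the run is deterministic
    store = MagicLinkStore(ttl=600, clock=lambda: now[0])
    token = store.issue("alice@example.test").split("token=", 1)[1]
    first = store.redeem(token)
    replay = store.redeem(token)
    late = store.issue("bob@example.test").split("token=", 1)[1]
    now[0] += 601  # one second past the lifetime
    expired = store.redeem(late)
    forged = store.redeem(secrets.token_urlsafe(32))
    return first, replay, expired, forged


if __name__ == "__main__":
    print(demo())
```
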

Black Charger
Software
This is our first editorial piece by our community editor Aaron Towlson. Would love your thoughts on it and if you'd like to see more of these to spark discussions. Thanks!
1 upvotes
Black Charger
Software
 - would love your thoughts here as well. Thanks!
0 upvotes
Blue Processor
Software
Passwordless is our future for sure; even things like password managers still come with a master password to secure all the usernames and passwords, a person simply can't remember them all! From an older report - the average total cost of a data breach in the U.S. is over $8M. https://www.all-about-security.de/fileadmin/micropages/Fachartikel_28/2019_Cost_of_a_Data_Breach_Report_final.pdf

I recommend using something like a YubiKey - provides strong second factor, passwordless authentication and built on open standards. These are much easier and safer than auth apps, Windows and Mac are supported along with a long list of apps and services. Yubico also offers a solution for HSM - YubiHSM2, much lower cost of entry and the device is smaller compared to traditional HSMs.
1 upvotes
Black Charger
Software
 would love your thoughts on this and if reads like this would be helpful in the community to spark discussions.
0 upvotes
Black Monitor
Health Care and Social Assistance
Although complete elimination of passwords is still far off, reducing reliance on passwords for authentication is technically feasible. However, even in moderately complex computing environments, it may still not be feasible to eliminate passwords entirely from an environment. As life continues to increasingly become digital, passwords start to become an authentication liability to an organization. An interesting aspect of authentication security is a very human tendency – most hackers will follow the path of least resistance when looking for system vulnerabilities. Removing passwords from authentication schemes makes sense, especially considering some of the evolving authentication technology available like mobile device authentication, biometrics, behavioral analysis and tokens. One approach may be to limit user interaction to a single authentication transaction and to use authenticated identity services to allow users to connect and use systems based on an authorized session as opposed to a password-based authentication. The most important aspect of secure authentication is that the more factors that exist between a user and sensitive data the less likely sensitive data will be compromised. As a result, the elimination of passwords may not be as critical as erecting as many non-intrusive authentication check points as possible.
0 upvotes