Why we’ve gone passwordless

‘Just add a one on the end,’ I hear, breaking me from my trance. 
‍
I realise that I’ve been staring at the same cover of The Gruffalo for the last five minutes. My daughter can recite that story word for word, I was thinking how many versions they could possibly make. Pop up, compact, Gaelic. 
‍
This one, it’s a jigsaw book. How does that work?

I look up.
‍
‘And then write it down,’ the older lady says, stepping back to her station behind the counter. The young trainee she left behind scrambles around and eventually finds a stack of post-it notes. She pulls one off and writes. 

Finally, the queue can start moving again. All is well. The counter staff have rotated their passwords, their systems are more secure. Of course they are. Never mind that only the day before, Royal Mail were hit by a ransomware attack, the effects of which they’d feel for weeks.

----

So, what’s the better thing to do here? The UK cyber council changed their advice a while back.

Regular password changing harms rather than improves security.

But let's go one step further. You may have heard the term ‘zero trust’. It’s a buzz word, very cool (check out our post on ZT here). TL;DL  ‘Assume a breach’ is one way of describing it. Let’s apply that thinking here:

Assume everyone knows your password. 

Then plan from there. Let’s face it, probably, someone out there does. A stack of passwords extracted from a breached site probably includes yours and has been sold multiple times on the dark web. Check here.

61% of breaches involve stolen credentials.

Passwords are rubbish. Old news, ignorance of which is feeding the bitcoin wallets of cyber gangs around the world. So, we’ve done it. It’s 2023, right? The technology is ready. 

We’ve gone passwordless.

And it’s not as scary (or reckless) as it sounds. Multi-factor authentication is about having two types of authentication, traditionally something you know (a password) and something you have (a phone). But why include the weakest factor? With the technologies in our stack we can authenticate users based on much stronger factors. 

• Something you have (that can’t be faked).
• Something you are (proven with another thing that you have).

I put some extra qualifiers in there because it’s not enough to just include a factor type, the factor needs to be irrefutable, and / or compliant with your policy. This is the basis of what people call ‘Zero Trust Authentication’. 

Device Trust. IMO the best single control you can implement to protect your business.

For example: at LeftBrain, only devices that are managed by our organisation, that are running our endpoint protection (which reports no detections or indicators of compromise), that are routing all their internet traffic through our secure web gateway tenant, that have an active session, authenticated by phishing resistant MFA, can access our company data. 

Sounds complicated? Hard to legitimately get access? Ask our staff that and they’ll look blankly at you, ‘What,’ they’ll say,  ‘you mean all that happens when I log in? But…. I just click on a button'. This is because our management systems are proactive, and our mission is to reduce friction. All our staff need to do is be the right person (themselves) and log on with the right device (their company owned one, or their BYOD mobile).

And no one needs any post-it notes. 

‍