Chief Security Officer at BeyondTrust, overseeing the company’s security and governance for corporate and cloud-based solutions.
It’s a new year and a time for resolutions. Some people will resolve to eat better or exercise more, and others to shed bad habits. For me, I resolve to go passwordless (or as much as possible) in 2023. The million-dollar question is: how can I, or anyone else, actually achieve this without compromising security? In fact, the end goal should be to improve your security and lower the risk of being hacked.
To get started, let’s first consider your passwords. What are they and where do you use them? To answer this, there are three primary locations where we use passwords:
1. Operating Systems: These are typically used to log into the operating system after booting or rebooting, and again when changing sensitive settings or installing updates.
2. Websites: Any secure website, from banking to commerce, may require a password to authenticate identity. Security-conscious websites have added a second form of verification on top of the password, whether full multifactor authentication or basic two-factor authentication.
3. Locally Installed Applications: Some locally installed applications require a password to access data or perform sensitive operations. These passwords typically protect a file (such as an encrypted spreadsheet) or authenticate a local client to a server across the network in a client-server architecture.
With these in mind, the technique to remove passwords varies based on your personal technology stack. Please consider:
• Microsoft Windows: Windows users can store passwords and secrets in their browser (e.g., Microsoft Edge and Google Chrome) and sign in with Windows Hello, which verifies identity with biometrics (face or fingerprint) or a device-bound PIN. Windows Hello covers every sign-in after the operating system boots as well as later authentication prompts, though the PIN remains the fallback whenever biometrics are unavailable.
• Apple Mac: Mac users can use Touch ID to unlock iCloud Keychain for password storage and automatic fill. It’s important to note that this only works during normal macOS runtime; the account password is still required at the first login after a boot or restart.
• Android: Because the Android market is fragmented, passwordless support has largely been left to third-party vendors and phone manufacturers. Although the base operating system APIs (application programming interfaces) support passwordless implementations, there is no single, universal approach to password management or biometric authentication across devices.
• iPhone/iPad: iPhone and iPad users can choose from a range of built-in Apple technology, including PIN codes (passcodes), Touch ID and Face ID, depending on the phone or tablet model. As on a Mac, the passcode is typically required after any reboot, sensitive update or application purchase (unless biometrics are explicitly enabled for those actions). During normal operation, Touch ID or Face ID handles passwordless authentication. In addition, Apple provides iCloud for Windows, which shares iCloud Keychain passwords with the browser on a Windows computer for users who also carry an iPhone.
• Generic: Regardless of device or vendor, third-party solutions fill the gap where manufacturers fall short or where you run a mix of vendors. These are password managers, hardware authenticators built on industry standards such as FIDO, and privileged-access-management (PAM) solutions. They install on a wide variety of devices and operating-system versions and either synchronize passwords across them or inject credentials directly into the login flow, so the user never sees, types or can accidentally leak the secret.
With these basics in mind, let’s apply your platform to operating systems, websites and applications. Most users have a mixed ecosystem, such as a Windows computer and an Apple iPhone. Based on each manufacturer’s solutions, you can use Windows Hello biometrics to authenticate on the computer and share passwords through iCloud Keychain between your iPhone and your Windows browser (Edge or Chrome). For Android and Windows users, a third-party password manager is the best way to share passwords across devices while still using Windows Hello on the Windows machines.
If you have a platform bias (like me) and stick to a single vendor (such as Apple), you can eliminate almost all of your passwords with technology built into the devices, without licensing any third-party solution. iCloud Keychain syncs passwords across all of your devices and fills them into the operating system, browser and applications whenever a password field is detected. If you also let it generate a complex, unique password for every entry, you get the protection of per-site passwords without having to remember any of them: one site’s breach no longer exposes your account anywhere else.
It’s important to note that Apple isn’t the only vendor offering these capabilities; many third-party solutions, including enterprise-ready privileged-access management products, offer them for businesses. Apple, however, is the only vendor that offers them across every device class. Microsoft has no phone operating system of its own and relies on Android for its mobile phones, so a third-party application is needed there to manage passwords and reach a passwordless goal.
For me, achieving a passwordless goal is being made easy by my preferred vendor. One at a time, I’m changing all my passwords for every site and application I visit to complex versions and allowing my password manager to store the results. When I visit a website, for example, I don’t know the password; rather, the operating system and password manager automatically inject it and allow me to authenticate without a single keystroke. My biometrics validate my identity and the software performs the rest.
If you’re tired of remembering passwords, too, and want to achieve a better level of security for your daily online habits, consider going passwordless. The only caveat is that you may need newer devices and operating systems (at a cost) to achieve these goals natively. If you have older systems, third-party applications can help achieve similar goals via software but without the benefit of having built-in biometrics. You’ll essentially use one master password to secure all other passwords. This isn’t a bad approach, but with modern technology, there’s a better way.
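To make concrete what the preceding paragraphs describe, namely a vault of unique, generated passwords that is itself protected by a single master password (or, on modern devices, by a biometric that unlocks an equivalent key), here is a minimal model of how a password manager is structured. This is an added example, not code from the author, BeyondTrust, Apple, Microsoft or any password-manager product, and it assumes nothing beyond the Python standard library: the master password is stretched with PBKDF2 and a random salt (the iteration count is an assumed work factor), the derived material is split into separate encryption and authentication keys, each record is sealed with encrypt-then-MAC, and per-site passwords come from a cryptographically secure generator. The HMAC-SHA256 counter-mode keystream is a stand-in used only to keep the example dependency-free; a real implementation should use AES-GCM or ChaCha20-Poly1305 from a maintained library such as `cryptography`. The sample master password and vault entry are constructed for the demo.

```python
"""Minimal password-vault model: one master password protects every other password.
Added illustration, not any vendor's code. Stdlib only."""
import hashlib
import hmac
import json
import secrets
import string
from typing import Dict, Optional, Tuple

KDF_ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}:,.?"


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the master password into separate encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                   salt, KDF_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a PRF-based stream cipher standing in for AES."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting anything."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered vault")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def generate_password(length: int = 20) -> str:
    """Random per-site password; retry until every character class is present."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw)):
            return pw


class Vault:
    """Entries exist only in sealed form; the master password itself is never stored."""

    def __init__(self, master_password: str, salt: Optional[bytes] = None):
        self.salt = salt or secrets.token_bytes(16)
        self._enc_key, self._mac_key = derive_keys(master_password, self.salt)
        self.records: Dict[str, bytes] = {}

    def add(self, site: str, username: str, password: Optional[str] = None) -> str:
        password = password or generate_password()
        record = json.dumps({"username": username, "password": password}).encode()
        self.records[site] = seal(self._enc_key, self._mac_key, record)
        return password

    def get(self, site: str) -> dict:
        return json.loads(open_sealed(self._enc_key, self._mac_key, self.records[site]))

    def export(self) -> dict:
        """What gets written to disk or synced: the salt and sealed records only."""
        return {"salt": self.salt.hex(),
                "records": {k: v.hex() for k, v in self.records.items()}}

    @classmethod
    def load(cls, master_password: str, data: dict) -> "Vault":
        v = cls(master_password, bytes.fromhex(data["salt"]))
        v.records = {k: bytes.fromhex(h) for k, h in data["records"].items()}
        return v


def demo() -> dict:
    """Round trip: a vault sealed under one master password reopens only with that password."""
    vault = Vault("correct horse battery staple")  # constructed sample master password
    pw = vault.add("bank.example", "alice")        # constructed sample entry
    reopened = Vault.load("correct horse battery staple", vault.export())
    try:
        Vault.load("wrong password", vault.export()).get("bank.example")
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True
    return {"generated": pw,
            "roundtrip": reopened.get("bank.example")["password"] == pw,
            "wrong_master_rejected": wrong_rejected}


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to any real product: the exported vault contains only the salt and sealed records, so a stolen sync file is useless without the master secret, and the wrong master password is rejected by the authentication tag before any decryption is attempted, which is what turns "one master password" into something safer than reusing a password everywhere. A device with a secure enclave replaces the typed master password with a key that the biometric unlocks, which is the "better way" the column refers to.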