Did you know that today, May 7th, is World Password Day? Really, do we need another day to remind us that passwords are all around us? Haven’t we had enough?
As a Gartner analyst who spends quite a bit of time focusing on identity and authentication (IAM), there is a lot to be said about passwords. I won’t spend any time highlighting all the joys (not!) of passwords.
In my previous blog post, I talked about how this is the time to review, refresh and revitalize your access management and authentication approach.
Perhaps, as it is World Password Day, we could focus on how we could start to move away from passwords.
We discussed the problems with passwords, and touched on some options for going passwordless.
These range from FIDO tokens, such as YubiKeys and Google Titan keys, which can provide clients (and users) with token-based methods, to mobile phone-based methods, such as leveraging Google Android’s ability to “Turn your phone into a Security Key”.
Then there is biometrics. From mobile device-based fingerprint readers, to facial recognition, many users have rapidly adopted these methods.
And when it comes to laptops, Microsoft has provided us with some great devices such as their Surface tablets and laptops, both of which offer Windows Hello, where users can use facial recognition instead of passwords.
What does all of this mean? The foundation for passwordless authentication is quickly arriving. But we need to see the standards (such as FIDO) become adopted by hardware and software makers alike.
So, we covered some authentication methods above. What about actually eliminating passwords in back-end directories and data stores? Well, that is a whole other issue. Yet approaches such as FIDO, which leverage public-key technology, offer us some hope: hope that password data stores could be replaced with public keys, which, if exposed, don’t pose a massive issue (unlike sensitive passwords, public keys are, well, meant to be public!). Damage could be mitigated if user private keys are kept secure (hence storing these keys in protected hardware and software execution environments). Now we could go on here, and get really deep into the land of PKI and crypto-key management, but I will spare you (feel free to book some time with me, and we can talk more about it).
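The idea above, as an added example that is not part of the original post: a credential store that holds only public keys and verifies a signed, single-use challenge. It is a simplified sketch of the public-key principle behind FIDO, not the FIDO2/WebAuthn protocol itself (origin binding, counters and attestation are left out); every function name and the user `alice` are hypothetical.

```javascript
// Added example: public-key login in place of a stored password (assumed names).
const crypto = require('crypto');

// Server side: the store holds public keys only, so a dump contains no secret.
const credentialStore = new Map();
const pendingChallenges = new Map();

// Stand-in for an authenticator: the private key never leaves this closure.
function createAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return {
    publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }),
    sign: (challenge) => crypto.sign(null, challenge, privateKey),
  };
}

function register(user, publicKeyPem) {
  credentialStore.set(user, publicKeyPem);
}

// A fresh random challenge per attempt makes an old signature useless.
function beginLogin(user) {
  const challenge = crypto.randomBytes(32);
  pendingChallenges.set(user, challenge);
  return challenge;
}

function finishLogin(user, signature) {
  const challenge = pendingChallenges.get(user);
  const publicKeyPem = credentialStore.get(user);
  pendingChallenges.delete(user); // each challenge is single use
  if (!challenge || !publicKeyPem) return false;
  return crypto.verify(null, challenge, publicKeyPem, signature);
}

function demo() {
  const authenticator = createAuthenticator();
  register('alice', authenticator.publicKeyPem);
  const signature = authenticator.sign(beginLogin('alice'));
  const legit = finishLogin('alice', signature);
  beginLogin('alice'); // new challenge issued
  const replay = finishLogin('alice', signature); // old signature resubmitted
  // A party that knows only the stored public key has to sign with some other key.
  const other = createAuthenticator();
  const withoutPrivateKey = finishLogin('alice', other.sign(beginLogin('alice')));
  return { legit, replay, withoutPrivateKey };
}

console.log(demo());
```

Only the holder of the private key passes; the stored public key and a previously observed signature are both rejected, which is why exposure of such a store is far less damaging than exposure of a password database.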
This remains a very exciting area of discussion, but overall, I am pleased that we are finally building a good foundation to move away from passwords. So, I guess I should end this by saying Happy Password Passwordless Day everyone!