Bye bye password – an easy way to modern authentication with cidaas
Let us not fool ourselves
Passwords have a long history, and a PIN (Personal Identification Number) is no different. They are used to authenticate the user in conjunction with predefined or self-created user IDs or, more commonly today, a communication address such as an e-mail address or mobile phone number. The latter have the advantage that these user IDs are much easier to remember and can also be used for communication. Password-based authentication is also basically easy to implement. Unfortunately, the secure storage of this data and the management of authentication are somewhat more complex.
Until recently, every device you used and every portal – if you’re honest, you still do today 😉 – required a user ID and, above all, a password from its users to set up a user account.
What have we achieved in IT with this?
- A supposedly simple, functioning login
- A lot of frustration for users who can’t remember passwords and have to go through cumbersome password reset processes
- Users who write down their passwords/PINs in insecure places
- Stylistic flourishes, such as password managers, with which users supposedly manage their passwords or PINs securely. It is important to know that a password manager can itself be the target of hacker attacks. Access to the password manager is not necessarily secure, and the stored credentials must be encrypted reversibly, because a password can only ever be used in plain text
- A large number of daily hacker attacks that (try to) break into numerous portals using guessed or leaked user ID + password combinations
(New) user authentication methods
In addition to the password, a number of further authentication methods have therefore been developed in recent years, ranging from one-time passwords (OTP) and push methods on the smartphone to device biometrics and FIDO2. Many of these methods are already used today as multi-factor authentication and are therefore already familiar to many users. The methods differ essentially in that they no longer rely on the factor knowledge, but on the factors possession and inherence, and in particular on a combination of both factors. These factors not only increase security but also create a good and consistent user experience through convenient and simple passwordless authentication.
For many companies, the question now arises as to how to establish modern authentication and enable users to switch from passwords to FIDO2, for example. Even if the introduction of modern authentication procedures depends on various factors and differs depending on the company, use case and target group, a basic approach can be defined for the introduction.
Many companies today rely on a classic login with user name and password, with the user name being the e-mail address in the vast majority of cases.
- Offering modern authentication methods in addition to the classic login with a password enables a gradual introduction in which initial experience is gained and users can familiarize themselves with additional modern authentication methods. If multi-factor authentication is already in use, these methods can be used directly as an alternative, e.g. an OTP by email or a push message on the smartphone.
- The configuration of modern authentication methods can be easily integrated into the existing login process in order to inform users of the new authentication options and to onboard them.
- After a transition period in which users have gradually switched to modern authentication methods themselves, the aim can be to switch to only modern authentication methods. The phasing out of the password can also take place gradually, e.g. by offering login with a password as an option below the new modern authentication methods.
- The use of “only” modern authentication procedures and the deactivation of the password are probably not yet conceivable for many companies today, but the final step of deactivating the password should also be considered in the vision. The switch-off of the password-based login should be announced with an appropriate lead time in order to motivate the last users who have not yet switched over to use modern authentication methods.
Always the same challenges
Sign-up
Some organizations see customer access as a high risk: if registration becomes too time-consuming or complex, the churn rate (bounce rate) increases. For other organizations, this may not be a concern because user accounts are a necessary evil that must be used as part of the overall service offering. For all companies, however, the risk of hacking with user ID and password-based accounts is incredibly high, and it is only a matter of time before unauthorized access is possible.
Selection of alternatives
Depending on the current implementation of user management, there are different alternatives for implementation.
Very often, companies express the wish to introduce “2-factor authentication” in order to make accounts more secure or to use appropriate captcha technologies in the customer environment to at least make simple hacker attacks more difficult. We refer to this approach as the “on-top approach” because it does not substantially change anything, but merely uses additional procedures.
However, this “on-top approach” has a number of limitations because
- User authentication is still carried out with user ID + password,
- Usually only one or two alternative methods can be implemented for 2-factor authentication,
- The implementations usually seem bulky and are quite expensive if additional hardware is required.
In fact, the selection of alternatives should be guided by the following questions:
- In which direction are authentication methods developing, which protocols and technologies do device manufacturers, for example, offer today?
- What user experience do your different users have with the authentication methods – is it really enough to offer one or two alternatives?
A very important point, however, is that your users no longer use user ID + password as their primary authentication method, so that hackers cannot work their way through your user administration using user lists from dark channels.
Communication concept and user self-services for the changeover
Changing familiar processes is not always easy. For this reason, every changeover also requires a simple and clear communication concept implemented in the software.
Clear lines
Motivate your users to use alternative verification methods and only make the password available as a second option for multi-factor authentication.
- Use common and intuitive user verification methods during registration. This allows users to set up their verification methods successively.
- Do not force the setting of a password – use the password as an alternative method for 2FA, set up by the user.
- Give your users a real choice of verification methods and let them configure them; a user will certainly not activate all of them.
- Also determine the verification methods to be used based on the criticality of the applications.
- Motivate the user to set up a new and modern verification method when logging in, and remind them to do so if necessary.
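The rollout phases described above (modern methods offered alongside the password, then modern methods first with the password as a fallback, then password switched off) and the "Clear lines" guidance can be expressed as a small login policy. The following Python model is an added illustration and is not cidaas product code; the phase names, method names, criticality levels and the method-to-factor mapping are assumptions chosen for the example. It decides which methods a login page offers, whether to nudge the user to enrol a modern method, and whether a given combination of used methods actually covers two distinct factors.

```python
"""Login-policy model for a gradual password phase-out (illustrative only)."""
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"      # something the user knows (password, PIN)
    POSSESSION = "possession"    # something the user has (phone, FIDO2 authenticator)
    INHERENCE = "inherence"      # something the user is (device biometrics)


# Assumed mapping of method -> factor it proves. A FIDO2 authenticator proves
# possession of the device at protocol level; any biometric unlock stays local.
METHOD_FACTOR = {
    "password": Factor.KNOWLEDGE,
    "email_otp": Factor.POSSESSION,
    "push": Factor.POSSESSION,
    "fido2": Factor.POSSESSION,
    "device_biometrics": Factor.INHERENCE,
}
MODERN = [m for m in METHOD_FACTOR if m != "password"]


class Phase(Enum):
    MODERN_OPTIONAL = 1   # password first, modern methods offered alongside
    MODERN_PRIMARY = 2    # modern methods first, password shown below as fallback
    PASSWORDLESS = 3      # password login switched off


@dataclass
class LoginOptions:
    offered: list               # ordered methods the login page shows
    nudge_enrollment: bool      # prompt the user to set up a modern method
    require_second_factor: bool # application criticality demands two factors


def login_options(enrolled, phase, criticality):
    """Decide what a user sees at login.

    enrolled:    methods this user has already set up
    phase:       the organisation's rollout stage
    criticality: "low" or "high"; high-criticality apps require two factors
    """
    modern = [m for m in MODERN if m in enrolled]
    password = ["password"] if "password" in enrolled else []
    if phase is Phase.PASSWORDLESS:
        offered = modern                 # password is no longer accepted at all
    elif phase is Phase.MODERN_PRIMARY:
        offered = modern + password      # password demoted to a fallback option
    else:
        offered = password + modern      # classic login, modern methods alongside
    return LoginOptions(
        offered=offered,
        nudge_enrollment=not modern,     # remind users who have no modern method yet
        require_second_factor=(criticality == "high"),
    )


def mfa_satisfied(used_methods):
    """True only if the methods used cover at least two distinct factors.

    Two possession methods (e.g. e-mail OTP plus push) do not count as MFA;
    a password may serve as the second factor next to a modern method.
    """
    factors = {METHOD_FACTOR[m] for m in used_methods}
    return len(factors) >= 2


if __name__ == "__main__":
    user = ["password", "fido2"]
    for phase in Phase:
        print(phase.name, login_options(user, phase, "high"))
    print("fido2 + password is MFA:", mfa_satisfied(["fido2", "password"]))
    print("otp + push is MFA:", mfa_satisfied(["email_otp", "push"]))
```

Running the script shows the same user's login page changing across the three phases while the password moves from first position to fallback to absent, and shows why two possession-based methods do not add up to a second factor.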
Conclusion
Modern authentication methods such as FIDO2 or passkeys are the future and will replace traditional login via passwords over time. In addition to users choosing weak or predictable passwords, the increasing number of data leaks and phishing attacks has also become a problem and a major risk for passwords.
It is important for companies today to take the step towards modern authentication and select suitable authentication methods, depending on the use case and application, in order to achieve the highest level of security and user-friendliness.
It is clear that we all still use passwords here and there these days, whether in a private or business environment – and yes, sometimes they are the same passwords. But we need to realize that there are already better and more secure alternatives to using passwords, or that we can at least increase security through multi-factor authentication, i.e. by using a second factor for authentication! We at cidaas are therefore committed to passwordless login alternatives!