As more businesses commit to long-term remote work, passwordless administration can help secure privileged resources and systems from credential abuse. In this article, ManageEngine Product Consultant, Srilekha Sankaran, explains how organizations can implement a passwordless approach to improve their security posture, thwart attacks, and ensure digital prosperity.
With the rapid adoption of hybrid work, organizations face the daunting challenge of keeping their business safe from emerging cyber threats. They are increasingly considering newer security frameworks, such as Zero Trust, to reinforce their security perimeters; but even with such frameworks in place, passwords remain the last line of defense.
Despite their versatility in securing access to critical assets, passwords are the prime target of cyberattacks. In addition, privilege abuse and insider threats are rising even in organizations working to harden their security strategy. Over 500 million passwords are known to have been compromised in the last few years, and this list grows by the day.
A recent report from HYPR and Cybersecurity Insiders states that 96% of respondents want to stop using shared secrets for authentication. The shift to remote work has given urgency to the search for passwordless authentication options to secure privileged resources and systems from credential abuse.
Passwordless Administration: A Silver Lining
Passwordless administration is the ability to perform administrative operations without requiring users to handle privileged credentials. Its primary goal is not to eliminate passwords but to avoid exposing credentials in plain-text and hard-coded formats, and to let users reach critical resources without memorizing and typing complex passwords. The logic is simple: a password a user never sees cannot be written down, reused, or phished out of them. The credentials still exist, however, so the vault and the broker that inject them become the assets that must be protected.
When passwordless administration is implemented, users are authenticated and assigned the appropriate privileges to access confidential assets automatically. In other words, they are provided with all the necessary entitlements, including network authentication, to reach privileged applications, databases, operating systems, virtual machines, and other targets that would otherwise require several separate authorization steps.
With passwordless administration controls, IT teams can ensure that access to privileged information systems is secure and that credentials are not shared or reused, which means there is no privileged password for users to surrender to phishing or social engineering, or for an attacker to brute-force. Additionally, with this approach, privileged authentication data is never stored on end-user systems or in browsers, which offers a further security advantage.
Gartner has predicted that by 2022, passwordless mechanisms will be in use at 60% of large and global enterprises and 90% of midsize enterprises.
Is Going Passwordless Still Impractical for Enterprises?
Although passwordless controls present a more reliable and secure method of IT administration, enterprises face two big challenges when switching to a passwordless environment: budget and migration complexity. The migration often involves the installation of biometric hardware, which demands significant initial capital. It also requires moving away from legacy security mechanisms built around passwords, which may disrupt organizations’ day-to-day operations.
Unlike biometric matching, which is probabilistic and must tolerate a margin of error (false accepts and false rejects), password verification is deterministic: the secret either matches or it does not. Passwords are still the primary and most widely supported form of authentication, so it is difficult for passwordless alternatives to eradicate their use. Although there is room for constant improvement, effective management, secure storage, and periodic rotation of passwords can keep privileged accounts protected without requiring complex infrastructure.
While FIDO-based authentication controls have gained prominence over the years, they can only act as a secondary gatekeeper to privileged data. For instance, Apple lets users unlock their iPhones with facial recognition, but Face ID still requires a device passcode to be set, and the passcode is demanded again after a restart or after repeated failed matches.
Even if the face mapping data is lost, users can still unlock their devices using their passcode. Another common misconception tied to these controls is that they cannot be duplicated; however, biometric data is just as vulnerable to breaches, and unlike a password it cannot be rotated once leaked. Back in 2017, Japanese researchers warned that attackers could recover fingerprints from high-resolution photographs.
The best multi-factor authentication (MFA) protocols can only act as a reinforcement for conventional, password-based authentication procedures; these mechanisms add layers around an inherently vulnerable entity: the password. Additionally, there are still several ways in which passwords can be breached. As a result, weak passwords are a dangerous liability to organizations and are responsible for over 80% of hacking-related breaches.
The use of credentials for authentication forces IT teams not just to maintain an ever-growing database of passwords but also to track them for manual resets and rotation. Password management solutions can help enforce strict governance of passwords, but they still depend on stringent policies and MFA mechanisms to safeguard access to privileged systems.
After all, passwords can only authenticate users, not their intentions, so credentials must be administered effectively.
A Case for Privileged Access Management
Passwordless administration is a natural use case of the privileged access management (PAM) process, which connects privileged session management, secure remote access, and user account management. In simple terms, it validates privileged users without requiring them to enter credentials manually and lets them perform administrative actions through brokered remote sessions (SSH, RDP, VNC, or SQL client sessions). This is different from passwordless authentication, which approves authentication requests based on biometrics or other attributes, such as a PIN or a one-time password.
Administrative accounts are generally provided with elevated privileges and direct access to an enterprise’s classified assets, databases, and networks. However, these accounts are sometimes delegated to normal users so they can perform certain administrative functions on their local endpoints.
For instance, any standard Linux endpoint user may require administrative rights to perform activities such as:
- Install third-party software.
- Configure dotfiles.
- Transfer proprietary files via PowerShell.
- Upgrade to the latest OS or security patch.
In the use cases above, admin rights are granted either by assigning these users a secondary admin account or by making them a temporary local administrator. Such account duplication creates additional attack vectors, increasing the chances of compromise via phishing, malware, and more. In addition, the administrative credentials of these accounts must be revoked once the task is done, or threat actors can abuse the privileges that remain attached to them.
Passwordless environments make it easier to secure these accounts by enforcing least privilege for general user accounts and elevating their privileges only when there is a requirement. This is called just-in-time privileged access, where select users are granted the necessary elevation of their privileges to perform the requested administrative tasks for a stipulated period.
Simply put, instead of requiring users to enter credentials for any temporary administrative task, they are trusted, authenticated, and provided all the necessary entitlements based on the validity of their requests and their current privilege levels. Once the said actions are completed, the exclusive privileges are revoked, leaving the users with their default rights.
Authentication of users might be based on standard confidence mechanisms, such as their personal passwords (and passphrases), SSO, biometrics, or MFA, and these attributes play a major part in building context for a user’s administrative request.
All these use cases make passwordless administration an interesting blend of least privilege, remote access, and privileged account management.
How Can Enterprises Get Started?
Passwords, albeit vulnerable, are here to stay until passwordless authentication options become more robust and bias-free. In other words, organizations should implement stringent password management policies and MFA until biometric solutions are proven to be foolproof.
While personal account passwords can be protected using standard FIDO-compliant controls, such as security keys or biometric MFA, organizations need to think beyond just passwords to protect privileged entities, such as service and domain accounts, endpoints, and databases.
As companies transition to passwordless alternatives, they leave fewer exposed passwords for attackers to steal and benefit from. Not only does this reduce the costs associated with breach mitigation, but it can also improve the overall user experience.
The key to building effective passwordless IT administration controls is to implement a unified privileged access management strategy. At its very core, the concept of passwordless administration can be translated into reality by completing two major steps:
- Identify the users who require elevated privileges to perform administrative tasks.
- Discover resources that require users to gain elevated privileges to access or modify them.
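The two steps above, combined with the just-in-time elevation described earlier, can be modelled as a small access broker. The following is an added example and not ManageEngine's product code: it keeps a constructed inventory of eligible users and privileged resources, issues time-bound, HMAC-signed grants that the user never has to exchange for an admin password, and refuses access once a grant expires or is revoked. All user names, host names and the signing key are invented for illustration.

```python
"""Toy just-in-time (JIT) privilege elevation broker (added example).

Models the article's two steps: an inventory of users eligible for
elevation and of resources that require it, plus time-bound grants that
are validated and revoked without exposing any privileged password.
Inventory, names and keys below are constructed for illustration.
"""
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Step 1 (constructed): users who may request elevation, and on which resources.
ELIGIBLE: Dict[str, Set[str]] = {
    "alice": {"db-prod-01"},
    "bob": {"web-01", "web-02"},
}
# Step 2 (constructed): resources that require elevation and the session type used.
PRIVILEGED_RESOURCES: Dict[str, str] = {
    "db-prod-01": "ssh",
    "web-01": "ssh",
    "web-02": "rdp",
}
MAX_DURATION = 3600  # seconds; hard cap on any single grant


@dataclass
class Grant:
    grant_id: str
    user: str
    resource: str
    expires_at: float
    token: str  # HMAC over the other fields; only the broker can produce it


class JitBroker:
    def __init__(self, signing_key: bytes):
        self._key = signing_key  # held by the broker only, never handed to users
        self._active: Dict[str, Grant] = {}

    def _sign(self, grant_id: str, user: str, resource: str, expires_at: float) -> str:
        msg = json.dumps([grant_id, user, resource, expires_at], separators=(",", ":")).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def request(self, user: str, resource: str, justification: str,
                duration: int, now: Optional[float] = None) -> Optional[Grant]:
        """Issue a time-bound grant if the user is eligible for this resource."""
        now = time.time() if now is None else now
        if resource not in PRIVILEGED_RESOURCES:
            return None  # nothing privileged to elevate to
        if resource not in ELIGIBLE.get(user, set()):
            return None  # least privilege: user is not on the eligible list
        if not justification.strip():
            return None  # every elevation must carry a reason for the audit trail
        duration = min(duration, MAX_DURATION)
        grant_id = secrets.token_hex(8)
        expires_at = now + duration
        token = self._sign(grant_id, user, resource, expires_at)
        grant = Grant(grant_id, user, resource, expires_at, token)
        self._active[grant_id] = grant
        return grant

    def check(self, grant: Grant, now: Optional[float] = None) -> bool:
        """True only for a live, unexpired grant whose fields were not tampered with."""
        now = time.time() if now is None else now
        live = self._active.get(grant.grant_id)
        if live is None:
            return False  # revoked or never issued
        if now >= live.expires_at:
            self._active.pop(grant.grant_id, None)  # lazy expiry: privileges fall back to default
            return False
        # Recompute the MAC over the presented fields and compare with the stored token,
        # so a grant edited to name another user or resource is rejected.
        expected = self._sign(grant.grant_id, grant.user, grant.resource, grant.expires_at)
        return hmac.compare_digest(expected, live.token)

    def revoke(self, grant_id: str) -> None:
        """Revoke early, e.g. when the task finishes before the window closes."""
        self._active.pop(grant_id, None)


if __name__ == "__main__":
    broker = JitBroker(secrets.token_bytes(32))
    g = broker.request("alice", "db-prod-01", "apply security patch", 600)
    print("granted:", g is not None, "valid now:", g is not None and broker.check(g))
    if g is not None:
        broker.revoke(g.grant_id)
        print("valid after revoke:", broker.check(g))
```

The session type recorded for each resource is where a PAM tool would inject the vaulted credential into an SSH or RDP session on the user's behalf; the user only ever holds the short-lived grant.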
By going passwordless, organizations can improve their security posture, effectively thwart attacks, and ensure digital prosperity.