
How to move away from passwords

Wouter de Wit
June 1, 2021 at 9:37 AM

As many of you already know, the market is moving away from passwords (if you didn't, read our previous blog to find out why). Looking at Gartner's Emerging Trends Impact Radar, passwordless authentication is really picking up and is expected to happen within 1-3 years. This means now is the time to reflect on how and when you will move away from passwords, rather than if. It is also the time to decide which alternatives you want to implement. There are various options available, varying in security maturity, availability and Total Cost of Ownership. Think of One-Time Tokens (regardless of delivery method), biometric authentication, PKI setups and even options for continuous behavioral identification and fingerprinting.

Is ‘passwordless’ truly passwordless?

Now we know 'passwordless' is a buzzword, and you can ask whether some of the hyped alternative methods are truly passwordless. For instance, if you are required to set up a password (or a PIN, for that matter) before you can enroll in an advanced biometric authentication mechanism, and that same password is used for resetting your biometric authentication mechanism, what then is the value of that biometric method, and are you really passwordless? As defined by STORK and implemented by the eID framework, an authentication method is only considered Substantial or High if, among other requirements, the issuing process and issuing body are properly sanctioned and trustworthy. Essentially, this means that once you issue a 'strong alternative' to a password in a process that involves the use of a password, you can't claim a high level of trust, nor can you claim to be 'passwordless'.

Passwordless alternatives

At iWelcome we obviously offer passwordless alternatives by means of One-Time Tokens in the form of 'magic links' sent to a user's validated email address. But that is just a basic, low-level-of-trust option. So we also offer iWelcome Mobile Identity (IMI), which allows for authentication by scanning a QR code or by confirming a push notification, either as a standalone option or as a 'second' factor in the authentication process. This can be configured in addition to, or better, as a complete replacement of the password. We offer registration processes in which you can go truly passwordless, including the ability for a controlled, highly secure Identity Verification process in which you enroll your IMI account without the need to set a password. We only do that when you, for instance, pass a number of checks against your bank, eID, internal data stores etc., so you are truly passwordless and have a high level of trust.

Passwordless – invasion of privacy?

But that is 'just' technology. And technology is not the most important thing and can be delivered by other vendors as well. What is important is the fact that we provide this technology based on our European heritage. We take our European mindset and cultural heritage to provide true passwordless capabilities based on the Privacy By Design principle.

Meaning, we will deliver capabilities that do not rely on irreversible, unchangeable fingerprinting methodologies that do not provide privacy to a user. We will not track your every move, mouse click, keystroke etc. just to be able to sign you in to an online service. We believe in data minimisation while providing maximum security and certainty about the user trying to authenticate. This may seem as if it adds friction to the user journey, but in fact it instills trust in the relationship between you and your customer. It shows the customer that you care about their privacy and that you do not need to track their every move to be able to provide your service. It also means that if the worst comes to pass, you don't leak a ton of data that would prevent the user from ever again going about anonymously. And being a European company, we believe in Privacy By Design, and that means users have a right to be anonymous if they choose to be, as they have in the physical world.

Passwordless – balancing convenience, security and privacy

Going passwordless is about more than just replacing the password in all your processes with something else. It is about providing your customers with a frictionless, secure set of options that balances convenience, security and, above all, privacy. This means you have to balance your level of authentication against the actions of a user. There is no need to enforce privacy-violating tracking methodologies on a signed-in user who just browses your catalogue while filling up their cart. Only once that user would like to check out do you enforce a passwordless step-up authentication mechanism. By applying the 'just in time, just enough' authentication approach, you can provide simple, user-friendly and very much privacy-aware authentication to your consumers while maintaining your security.
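As an added illustration (not iWelcome's or IMI's code), the following policy model captures the two points made above: a credential's effective assurance is capped by the weakest step in its enrollment or reset chain, and a session is only stepped up when the requested action demands more than it already has. Method names, the level mapping and the per-action requirements are assumptions for the example.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Assurance(IntEnum):
    """Ordered levels, loosely after the Low / Substantial / High scale."""
    NONE = 0
    LOW = 1
    SUBSTANTIAL = 2
    HIGH = 3


# Assumed intrinsic strength of each method when enrolled through a trustworthy process.
METHOD_STRENGTH = {
    "password": Assurance.LOW,
    "magic_link": Assurance.LOW,
    "imi_push": Assurance.SUBSTANTIAL,
    "imi_push_after_id_verification": Assurance.HIGH,
}

# Assumed minimum level per action: browsing is cheap, checkout steps up.
ACTION_REQUIRES = {
    "browse_catalogue": Assurance.NONE,
    "add_to_cart": Assurance.LOW,
    "checkout": Assurance.SUBSTANTIAL,
}


@dataclass
class Credential:
    method: str
    enrolled_via: Optional["Credential"] = None  # factor that protected enrollment / reset

    def effective_level(self) -> Assurance:
        # A factor enrolled or resettable with a password is capped at the password's level.
        own = METHOD_STRENGTH[self.method]
        if self.enrolled_via is None:
            return own
        return min(own, self.enrolled_via.effective_level())


@dataclass
class Session:
    authenticated_with: list = field(default_factory=list)

    def level(self) -> Assurance:
        levels = [c.effective_level() for c in self.authenticated_with]
        return max(levels, default=Assurance.NONE)


def authorize(session: Session, action: str) -> dict:
    """'Just in time, just enough': allow if the bar is met, else name passwordless step-ups."""
    needed = ACTION_REQUIRES[action]
    if session.level() >= needed:
        return {"allowed": True, "step_up": []}
    options = [m for m, s in METHOD_STRENGTH.items() if s >= needed and m != "password"]
    return {"allowed": False, "step_up": options}
```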

At iWelcome we are convinced that passwords are a thing of the past. We believe Gartner when they say it may take another 1 to 3 years, but we also believe there will be a lot more interest in companies that follow the European approach versus the others. That is why we continue to invest heavily in technologies like IMI, to be the best European CIAM provider with Privacy and Security By Design.

Feel free to repost this blog on your website! But when you do so, please be so kind to mention the source and give us a notice via marketing@iwelcome.com.
