ncidents of call center fraud are on the rise according to various call center fraud reports. This is partly due to the migration of scammers from online channels, where breaches are becoming more difficult to commit, to the largely unprotected and vulnerable environment of call centers.
The evolution of authentication has been somewhat slow across organizations when compared to the fast changing technology and cybersecurity threat landscape.
The increasing complexity of systems is leading to a need for more secure authentication methods. Although passwords are a ubiquitous form of verification, allowing users to access applications and perform actions within a system, there have always been problems with this method. Creating secure passwords and managing them properly is difficult when users have dozens of different accounts and log in from multiple locations throughout the day.
An answer to the problem may be found in password-less authentication methods. According to a survey by Wakefield Research, 69 percent of organizations are considering phasing passwords out in the next five years, opting instead to take advantage of passwordless models to increase security and make logins easier for both employees and customers.
Basics of Passwordless Authentication
The idea of a passwordless authentication model is straightforward. Instead of entering credentials consisting of a username or email address and a password, users verify their identities with an alternative method. The change is meant to address the problem of passwords standing in the way of reliable security, workflow efficiency and even customer retention.
Options for password-less authentication include:
- Biometrics – Already in use in smartphones and other devices, biometric logins consist of a unique biological identifier, such as a fingerprint. However, until biometric technology improves, this may not be the most secure choice unless combined with other options.
- Email – Upon entering his or her email address, an existing user is sent an email with a verification link. Clicking the link completes authentication and allows access.
- Token or one-time code – Instead of a link, users receive a token or code they then enter into the website or application. This code is attached to every action taken during a session and decrypted as users interact in real time before being destroyed when the session is terminated.
These new authentication options eliminate the need for passwords and the potential security risks associated with poor password management.
Passwordless Authentication Benefits
Getting rid of a familiar form of identification to increase security may seem counterintuitive, but passwordless authentication has the potential to increase security for both your customers and the users within your organization. Making the switch addresses common problems with password security:
- Weak passwords
- Poor password management
- Accidental use of default settings
- Using the same password for multiple accounts
- Not changing passwords regularly
Many of these issues result from “password fatigue,” which is experienced by users asked to create passwords for every website and application they use and enter these passwords numerous times throughout the day. This often leads to apathy in password creation and can threaten system security.
Passwordless authentication is also more convenient. Customers don’t like juggling logins for dozens of sites and tend to abandon those requesting the creation of yet another account. Employees required to log into multiple applications during the course of standard workflows are less efficient, and tasks slow down even more if a password is forgotten and needs to be reset. When no passwords are required, all users enjoy a more seamless experience.
Passwords Elimination in the Evolution of Authentication
Password fatigue explains the phenomenon of passwords becoming weaker as a user is asked to create more accounts. After a while, users no longer care if the password is secure and will use anything just to be able to gain access. This can create a serious security problem in your system. Weak passwords, use of default login options and stolen credentials account for 63 percent of breaches (Verizon). If even one customer’s account is hacked, all the data stored by your company is at risk. The same is true for employee accounts across critical business applications.
Customer retention rates are also affected by password fatigue. Seventy-five percent of customers stop using a service or website if they need to perform a password reset, and 30 percent abandon their hopping carts if checking out requires account creation. This is of particular concern when it comes to first-time or one-time customers. You could lose out on lucrative sales during popular shopping seasons or drive away customers who may otherwise have become loyal shoppers if you don’t have an alternative way for them to log in.
In addition to these considerations, your organization could benefit from passwordless authentication if:
- Employee password management is poor
- Workflows continue to hit bottlenecks due to excessive login requirements
- Your system network is expanding to include more applications
- A significant number of customers are abandoning carts at checkout
- Password security problems have led to breaches in the past
There may be some situations in which it makes sense to retain the use of passwords or use a method like multi-factor authentication instead. Base your decision on your company’s needs and the unique security requirements of your network.
Passwordless Model in the Evolution of Authentication
If you decide to make passwordless authentication part of your security protocol and authentication evolution, the first step is to research the options to find a reliable provider. Request demos from vendors to see how the authentication process works, and get all the details you can about the security of the process.
Implementation details are specific to providers, but your chosen vendor should work with you to help you set up your passwordless login system. Let all users, both employees and customers, know you’ll be making the switch, and provide clear instructions for use of the new system.
Once passwordless authentication is in place, monitor performance to determine if it delivers the desired results. You should see a drop in shopping cart abandonment on the customer end and an increase in workflow efficiency for your employees.
The rise of passwordless authentication may usher in a time when no system or application requires a password for access in the evolution of authentication. Companies looking to streamline workflows, update security and offer an alternative to customers experiencing password fatigue can benefit from switching to passwordless options. Since changes in technology inevitably bring new security concerns, it’s time for organizations to start adopting alternatives to outdated authentication methods and bring identity management strategies up to date.
Collect All Company-Owned Devices
Company-issued smartphones, tablets, laptops and other devices should be turned in before an employee leaves for good. These devices not only contain sensitive information but also represent a significant monetary investment. Be sure to collect all other items used for data transfer and storage, such as memory cards and flash drives, to prevent confidential information from leaving the premises.
Retrieve keys and security cards to ensure employees can’t gain physical access to the building once their tenure is over. Being able to get in and out of the office without checking in or making an appointment literally leaves the door open for serious breaches if the conditions of departure are less than cordial.
Terminate Personal Device Access
Revoke Network Access
identity. Don’t be tempted to reuse the account with different login credentials for the next person taking over the position. A new employee may not need the same level of access even if he or she performs similar duties, and rolling accounts over may cause problems with “privilege creep,” in which an employee accumulates more access rights than necessary to perform his or her job.
Access to company applications and third-party cloud-based programs used by your business for communication and collaboration must also be revoked. Change any common passwords for these applications or other system tools, and make sure related apps are wiped from personal devices. If an employee-owned device has its own identity within your system, remove this privilege when the person leaves.
IAM software makes network access management much easier by centralizing all information about each employee’s credentials, level of access and privileges so that you can be sure all points of vulnerability have been addressed and don’t have to search through every application to terminate access.
Remove Employee Data from Systems
Follow a Set Procedure Every Time
Compliance is an important issue for any business handling sensitive information, interacting with clients and customers or conducting transactions. You may be subject to additional compliance rules depending on the industry in which you operate. Proper offboarding is necessary for compliance, especially in cases where the information you store could be stolen, sold or publicly distributed by employees with malicious intentions.
If your IAM solution doesn’t already keep detailed logs, enable the option or upgrade to a system with this capability. Logs can be used in the event of a compliance audit to prove you followed your offboarding procedure correctly and no loose ends were left to create vulnerabilities. Furthermore, logs are necessary for any critical investigation as a result of security policy violations and data breach cases.
Following the same offboarding procedure with every candidate reduces the risk of accidental or deliberate data theft and eliminates as many points of vulnerability within the system as possible. Make offboarding part of the process of managing the employee lifecycle to avoid the potential for serious security problems down the road.
Identity Management Institute® (IMI) is the leading global certification organization serving professionals in identity governance, access management, and data protection.
Since 2007, IMI certifications help global members advance in their careers and gain the trust of the business communities they serve with their identity and access management skills.
SUBSCRIBE TO IMI NEWSLETTER
Identity Management Institute
20555 Devonshire Street, # 366
Chatsworth, CA 91311, USA