Passwords are a problem: why device-bound passkeys can be the future of secure authentication

AI-driven cyberthreats demand a passwordless future…


Since long before the internet, passwords have been the primary means by which users prove who they are, and, archaic as they are, they remain the default way to gain access to digital services today. Indeed, according to Yubico’s Global State of Authentication survey of 20,000 employees, more than half still use a username and password to log in to both their personal and work accounts.

However, passwords are far from a secure authentication method. The often-cited figure is that 81% of hacking-related breaches involve weak, reused, or stolen passwords, with phishing one of the main ways they are stolen. Once attackers hold a password, they can readily defeat legacy multi-factor authentication (MFA) such as SMS-based codes, which can be phished in real time or captured through a SIM swap, and gain access to sensitive information. Hence the growing consensus among security experts: passwords are an inherently flawed means of authentication and should be left in the past once and for all. But what realistic replacements are there?

The importance of secure authentication in the channel

Implementing secure authentication is vital for organizations across all industries, particularly those that handle highly sensitive data, operate critical infrastructure, or are subject to strict regulatory requirements, such as healthcare and financial services.

Channel partners working with organizations in these industries are no exception here, given the vast amount of customer data they handle, along with their access to vendor systems. Inadequate authentication tools, which are highly susceptible to cyberattacks like phishing, expose both data and systems to cybercriminals, leading to repercussions, such as data breaches, financial losses, and reputational damage.

Advanced phishing and sophisticated attack techniques are on the rise, which, coupled with the threat of AI-driven cyberattacks, exacerbate concerns for channel partners. Threat actors are taking advantage of AI tools to launch more attacks and improve the chances of success and impact of their efforts.

For example, attackers are using AI to clone a person’s voice from audio clips found online and then calling their targets with it, a form of voice phishing (vishing); the same techniques produce convincing video and image deepfakes from material posted publicly. Combined with caller ID spoofing, this lets a criminal pose as a family member, friend, or colleague who urgently needs help. With such tooling, attackers need far less skill to mount successful attacks against channel partners.

Moving on from passwords for good

Given the rise of sophisticated AI-driven cyber threats, there has been a clear shift in how organizations view authentication and security. To protect both themselves and their employees, a global transition away from passwords and other insecure, legacy authentication methods, including older forms of MFA such as SMS and one-time codes, is under way. In their place, enterprises across all sectors are adopting stronger, more cyber-resilient technologies: phishing-resistant, passwordless solutions such as passkeys.

For instance, last month, the UK government announced plans to roll out passkey technology for its digital services later this year, transitioning away from current SMS-based verification systems. The move is set to offer users a more secure authentication option, while also providing the government with a cost-effective solution that could save it several million pounds annually, as well as being key in transforming cyber resilience on a national scale.

Now, it is the turn of channel partners and managers to do their utmost to protect their organizations, vendor partners, and customers to the best of their ability.

The future of secure, phishing-resistant authentication: device-bound passkeys

Given this threat landscape, channel partners must step up their digital security with reliable, phishing-resistant MFA. This is where passkeys, and device-bound passkeys in particular, come in: they are quickly emerging as the replacement for passwords and legacy MFA. A passkey is a FIDO2/WebAuthn credential, a public-private key pair created for one specific site, whose private key stays on the authenticator. With a device-bound passkey, the user combines something they have (a hardware security key that is inserted into or tapped against the device and physically touched to prove presence) with something they know (a PIN that unlocks the key). The PIN is checked by the security key itself and is never sent to the site, so there is nothing for a server breach or a phishing page to harvest.

Compared with passwords and even two-step verification, hardware security keys are a far stronger alternative, and not only because they spare users from recalling and typing long character sequences. The key holds a private key that never leaves it; at login it signs a fresh challenge from the server together with the origin of the site requesting the login, and the server verifies that signature with the public key it stored at registration. No shared secret is typed or transmitted, a captured signature is useless for a later login because the challenge is single-use, and a signature produced for a look-alike domain is rejected because the origin does not match. This is what makes the credential phishing-resistant rather than merely harder to guess.

Passkeys stored on hardware security keys give channel managers an even higher level of assurance, since they require the user to prove not only possession but also presence (a touch) to log in. Because the private key is generated on the security key and cannot be exported, a device-bound passkey cannot be shared, synced or copied through the cloud, and a remote attacker cannot intercept or steal it; only whoever holds the key can use it. So even if a user’s password or other fallback credential is compromised, an attacker without physical possession of the security key (and its PIN) cannot get in.

Utilizing security of this level does not just help channel partners maintain robust cybersecurity practices and enhance their cyber resilience. It also helps meet the strong multi-factor authentication requirements of regulations such as PCI DSS 4.0 and NIS2, a vital consideration for channel partners in an ever-evolving regulatory landscape.

By rolling out phishing-resistant MFA, such as device-bound passkeys, to all employees, channel managers can begin to create phishing-resistant users, which is what lets passkeys fulfil their potential. A phishing-resistant user is one for whom every phishable event, including enrollment, login and account recovery, has been removed from the user lifecycle, so that a convincing lure has nothing left to harvest.

To get there, enterprises must implement phishing-resistant MFA for employees and also make account registration and user recovery phishing-resistant across the board, since a recovery flow that falls back to SMS or email codes reintroduces the very weakness being removed. Purpose-built, device-bound passkeys provide the foundation for this level of security.

Niall McConachie
Regional director, UK & Ireland, Yubico

Niall has dedicated more than a decade to working within the cybersecurity and software space. He currently works as the regional director for the UK & Ireland at Yubico, where he advocates for better authentication technology initiatives throughout the region.