While people are always your largest attack surface, 2020’s work-from-home (WFH) workforce has magnified this threat exponentially. Remote employees are often distracted and multitasking, many with small children at home, all while accessing corporate resources, frequently on their own devices. Plus, home offices simply do not have the same physical security as an office environment. Not surprisingly, bad actors are aggressively seizing this opportunity, with phishing being the attack of choice.
With WFH here to stay, it is IT’s challenge to strike the right balance between workforce security and a frictionless experience. There are many ways passwords inject friction into the typical workday. Some examples include:
- An onerous password policy that requires a 10+ character password with upper case, lower case, and special characters that must be changed frequently
- Hybrid IT environments that require the same network password to be re-entered over and over again to access different apps, or worse, different passwords for different apps
- Non-self-service password resets
All of this friction promotes employee non-compliance with password policies, which defeats the original objective of improved security. Indeed, a recent Entrust Datacard Pulse Survey of 1,000 US remote workers revealed that 60% had three or more passwords to access different work systems and, to cope with this, 42% cited writing passwords down and 30% reported reusing and/or recycling passwords. More alarming, 24% of participating remote workers cited clicking on a link in a COVID-related email from an unknown sender, despite the vast majority claiming to know what phishing is.
Going passwordless is arguably the best way for IT to improve workforce security and productivity. After all, removing the password effectively stops all password hacks. But just replacing the password with another authenticator like Face ID still means a single point of failure. With credential-based passwordless access, a digital certificate provisioned onto the worker’s phone transforms the phone into their trusted workplace identity, wherever that workplace may be. When the phone is unlocked with the worker’s fingerprint or facial match and is in close proximity to their workstation, the worker is automatically logged in and signed on to all of their applications. When they walk away from their workstation with their phone, they are automatically logged off their applications and out of their workstation.
COVID or not, credential-based passwordless access with SSO is seamless, secure, frictionless, and essential for this new era of remote work. For more information and to learn about Entrust Datacard’s passwordless solutions, access our Enabling Digital Life: Working Remote webinar or visit our website.