The struggle of continually creating new and elaborate passwords may soon be no more.
“The best password is no password at all,” said CEO and co-founder of enterprise identity provider Okta, Todd McKinnon.
Speaking at the Oktane18 conference in Las Vegas, McKinnon unveiled ThreatInsight, Okta’s new contextual access management feature.
“Everyone talks about eliminating passwords – they’re not the most secure solution,” he said.
“What you really need is the complete picture. You need all of the context, not just an authentication factor, but you have to have device information, you have to have location.”
The product doesn’t eliminate passwords altogether. Instead it gathers device, location and network context for each login attempt and runs an automated risk-based assessment to determine whether it is safe to log in.
Users are able to preset policies based on their risk tolerance requirements.
If the login request is deemed ‘low-risk’, the user is not required to enter a password and can instead log in via a verified push.
“There is a significant amount of IP addresses that look like they could be malicious but it’s not clear – they might be okay,” said McKinnon. “We haven’t been able to do anything with these ‘grey’ IP addresses.”
“What ThreatInsight does is expose those grey IP addresses… so you can make the right decision based on your use case.
“You can have a very permissive approach because of the application you are using or protecting, or you can have a very restrictive approach because it’s highly sensitive, highly secure and you don’t want to take the risk with those grey IP addresses.”
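The contextual access model described above (device, location and network context feeding an automated risk assessment, with per-application policies that treat ‘grey’ IP addresses permissively or restrictively) can be illustrated with a small policy evaluator. The code below is an added example, not Okta’s ThreatInsight implementation or any Okta code; the signal names, weights, thresholds and the two sample policies are assumptions chosen to make the decision logic concrete.

```python
"""Risk-based login policy evaluator (illustrative example, not Okta's code).

Signals about the login attempt are scored, the application's policy decides
how much a 'grey' IP address should count, and the resulting score maps to a
factor requirement: push-only (no password), password plus MFA, or deny.
All weights and thresholds below are assumptions for the example."""

from dataclasses import dataclass
from enum import Enum


class IPReputation(Enum):
    KNOWN_GOOD = "known_good"
    GREY = "grey"            # suspicious but inconclusive, as described in the article
    KNOWN_BAD = "known_bad"


class Decision(Enum):
    PUSH_ONLY = "verified_push"        # low risk: no password prompt
    PASSWORD_AND_MFA = "password_mfa"  # elevated risk: step up to full authentication
    DENY = "deny"                      # too risky to allow at all


@dataclass(frozen=True)
class LoginContext:
    device_trusted: bool          # device previously enrolled and verified
    ip_reputation: IPReputation   # network context
    country_matches_user: bool    # location context
    impossible_travel: bool       # geo-velocity check failed since last login


@dataclass(frozen=True)
class AppPolicy:
    name: str
    grey_ip_penalty: int   # permissive apps add little for a grey IP, sensitive apps add a lot
    push_only_max: int     # score at or below which a verified push alone is enough
    deny_min: int          # score at or above which the attempt is refused


# Constructed sample policies: a low-sensitivity wiki and a sensitive payroll system.
PERMISSIVE = AppPolicy("wiki", grey_ip_penalty=10, push_only_max=30, deny_min=100)
RESTRICTIVE = AppPolicy("payroll", grey_ip_penalty=60, push_only_max=10, deny_min=80)


def risk_score(ctx: LoginContext, policy: AppPolicy) -> tuple[int, list[str]]:
    """Return the additive risk score and the reasons behind it (for audit logs)."""
    score, reasons = 0, []
    if not ctx.device_trusted:
        score += 30
        reasons.append("untrusted device")
    if ctx.ip_reputation is IPReputation.KNOWN_BAD:
        score += 100
        reasons.append("known-bad IP")
    elif ctx.ip_reputation is IPReputation.GREY:
        score += policy.grey_ip_penalty
        reasons.append(f"grey IP (+{policy.grey_ip_penalty} under '{policy.name}' policy)")
    if not ctx.country_matches_user:
        score += 20
        reasons.append("country differs from user's usual location")
    if ctx.impossible_travel:
        score += 50
        reasons.append("impossible travel")
    return score, reasons


def decide(ctx: LoginContext, policy: AppPolicy) -> Decision:
    """Map the risk score to the factor requirement for this application."""
    score, _ = risk_score(ctx, policy)
    if score >= policy.deny_min:
        return Decision.DENY
    if score <= policy.push_only_max:
        return Decision.PUSH_ONLY
    return Decision.PASSWORD_AND_MFA


if __name__ == "__main__":
    # Constructed login attempt: enrolled device, grey IP, expected country, no travel anomaly.
    attempt = LoginContext(True, IPReputation.GREY, True, False)
    for policy in (PERMISSIVE, RESTRICTIVE):
        score, reasons = risk_score(attempt, policy)
        print(f"{policy.name}: score={score} decision={decide(attempt, policy).value} reasons={reasons}")
```

The same grey-IP login is allowed with a verified push under the permissive policy but stepped up to password plus MFA under the restrictive one, which is the per-application choice the quotes above describe; the returned reasons list is what you would write to the audit log so an analyst can see why a step-up or denial happened.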
Vice President of Okta Australia Pacific, Graham Pearson, explained that by creating a better understanding of context, businesses can customise their solutions.
“ThreatInsight is about understanding your environment, understanding what’s coming into the environment and then letting the organisation choose what they want to do with it,” he said.
“Passwordless is a gamechanger, without a doubt. Just having the flexibility of you not having to re-enter your password again and again and again.”
Goodbye to the password and username model?
With the password and username model of authentication becoming increasingly outdated and vulnerable, systems such as ThreatInsight may soon see a surge in popularity.
But does this mean the password will soon be entirely redundant?
According to Okta’s Chief Security Officer, Yassir Abousselham – probably not.
“I think we’re going to see a lot more companies going passwordless, but in some cases, it’s going to be hard to make the change.”
Legacy systems and compliance requirements mean that, despite innovation in the space, passwords will still be part and parcel for many systems, particularly in industries such as healthcare and finance, he says.
On a smaller scale, however, it seems more likely.
“Even in some of these organisations, in non-critical systems, it is possible to go passwordless.
“Ultimately it’s a risk management exercise.
“You look at a system and you decide, is it okay to go passwordless for the sake of providing a better security and better user experience, or am I held back by technology limitations or compliance requirements?”
Edward Pollitt travelled to Oktane18 in the US as a guest of Okta.