With or without passwords?

18/05/2021

Those demonized passwords... Are they obligatory?

The IT department also says: "It is obligatory, and don't forget to change this password, or we will notice it, and soon you will find yourself in our training, where we will once again carefully tell you about this boring matter."

I often see people being taught how to use passwords: use long, complex passwords that contain letters, special characters and numbers. That is, one should strive to create something like this: JhUygs/(6876&h(/¤sdllai"2321432 And on top of that, every service gets a different password. Personally, I will not remember even the first password created in this way. So what's the point?

The eggheads shout in between: "Easy! Just use a password program." Of course, when used properly, these programs are really convenient and fast for password management, but when we already have several hundred logins.

It will easily take professionals a whole day to learn the functionality of such a program and start using it. And if we are talking about companies of 50 people, then it will take a day just to read the program manual, and there will be no improvements that make the job easier.

SSO and passwordless.

Both of the above were created for this particular password problem. SSO stands for "single sign-on": one company ID can be used to log in to many different IT environments. This saves the IT department's resources, as fewer accounts need to be managed. The idea behind the passwordless model, as the name suggests, is to get rid of passwords completely.

So, is there really a system that lets a company remove passwords as a login method? To my delight, I can say that the world is gradually moving towards this! Microsoft, for example, is working hard on such an approach to secure login.

So how does it work in practice? Without going into too much technical detail, I will briefly outline the basic idea. Each employee still has a username and password, but a separate app that receives login notifications is introduced on each phone. Then it is just a matter of clicking "accept" or "block". Passwords will still work at login, but will no longer be the main route to company information. Easy, isn't it? When you log in this way, you are also using multi-step authentication, so the bad guys would also need to have the phone where the login notification arrives in order to access the company information. Sure, clever cybercriminals know how to get around this kind of protection measure if necessary, but we'll talk about that another time.


With security-conscious regards,

Antti