President Biden’s recent cybersecurity executive order is officially in motion. As of November 8, 2021, federal civilian agencies are required to have rolled out multi-factor authentication (MFA) and to adopt a “zero trust” architecture across their systems. The executive order was spurred by several colossal ransomware attacks, most significantly the Colonial Pipeline breach, which left much of the East Coast short of gasoline for several days. A state of emergency was declared two days after the attack as its effects rippled through the transportation network.
The executive order was pivotal in spotlighting the wide-scale impact of credential stuffing and the importance of MFA, not just for securing critical infrastructure but for mom-and-pop shops, too. However, the order’s requirements and deadline are only the tip of the spear: attackers continue to adapt, circumvent and infiltrate networks that already have MFA in place. Microsoft’s recently released Digital Defense Report notes that Nobelium, the threat actor behind last year’s widely reported SolarWinds campaign, has also relied on password spraying to gain access. That headline-grabbing attack, like many breaches, was not an elaborate Mission Impossible-style hacking scheme; many intrusions come down to stolen passwords and intercepted MFA flows (e.g., man-in-the-middle phishing proxies that relay the one-time code to the real site). At times a widespread, undetected attack can stem from a single compromised password.
This raises the question: why are we still wedded to passwords if doing so empowers bad actors? Why deal them the winning hand?
It boils down to convenience, predictability and, frankly, complacency. Passwords are embedded in our culture, and deviating from an ingrained habit seems alarming to most people. This false sense of security, coupled with a laser focus on “prevention” rather than “cause,” leaves the window ajar. At their core, cyber-attacks are not the result of implementing the “wrong” product or a poor infrastructure; in this case, they come down to the false sense of security that a password provides.
To checkmate bad actors, we need to take out what is hackable: the password.
Microsoft’s report counts 579 password attacks every second, leaving people and businesses exposed around the clock. Multi-factor authentication is not proving to be enough: attackers circumvent these barriers, and as technology evolves, so does the sophistication of the attacks. Hackers have recently automated the bypass of traditional one-time-code MFA methods, which has exacerbated the problem. Now is the time to eliminate the moving target and go passwordless by providing simple, strong and phishing-resistant access.
Debunking Passwordless Authentication: How Does It Work?
True Passwordless™ MFA does not rely on verifying a “shared secret”: think passwords, PINs, SMS codes, one-time passwords (OTPs), even credit card numbers. There is no centrally stored secret for an attacker to steal and replay. Instead, True Passwordless™ MFA uses public key cryptography, which involves a private-public cryptographic key pair. The private key is stored on the user’s device (a mobile phone, smart card or security key), while only the public key is registered with the authenticating server. At login the server sends a fresh random challenge, the device signs it with the private key, and the server checks the signature against the registered public key; a breach of the server’s database yields only public keys, which cannot be used to log in. On a mobile device the private key can only be unlocked using biometrics, such as Face ID or a fingerprint. In short, users can log in with a simple “glance” at their smartphone.
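The challenge-response flow described above, written out as an added example (this is illustrative code, not HYPR’s product or any FIDO library). It assumes Ed25519 signatures, a hypothetical relying party “login.example”, and a single user “alice”; the server keeps only public keys, challenges are single-use, and the signature is bound to the relying party identifier, which is what makes a relayed (man-in-the-middle) assertion fail even when the attacker holds a genuine challenge:

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assertion is what the user's device returns for a login attempt:
// a signature over (relying party, challenge, counter), never a secret.
type Assertion struct {
	Challenge []byte
	Counter   uint32
	Signature []byte
}

// Client models the user's device. The private key never leaves it;
// a real authenticator unlocks it with a biometric or local PIN.
type Client struct {
	priv    ed25519.PrivateKey
	counter uint32
}

func NewClient() (*Client, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Client{priv: priv}, nil
}

func (c *Client) PublicKey() ed25519.PublicKey {
	return c.priv.Public().(ed25519.PublicKey)
}

// Assert signs the challenge for the relying party the user is actually
// talking to; the browser/OS supplies rpID, so a phishing page cannot
// ask for a signature in the name of the real site.
func (c *Client) Assert(rpID string, challenge []byte) Assertion {
	c.counter++
	msg := signedMessage(rpID, challenge, c.counter)
	return Assertion{Challenge: challenge, Counter: c.counter, Signature: ed25519.Sign(c.priv, msg)}
}

// signedMessage binds the signature to the relying party, a fresh
// challenge and a monotonic counter.
func signedMessage(rpID string, challenge []byte, counter uint32) []byte {
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := append([]byte(rpID), 0) // separator keeps rpID and challenge distinct
	msg = append(msg, challenge...)
	return append(msg, ctr[:]...)
}

// Server stores public keys only: a database breach yields nothing that
// lets an attacker log in.
type Server struct {
	rpID    string
	pubKeys map[string]ed25519.PublicKey
	counter map[string]uint32
	pending map[string][]byte // single-use challenge per user
}

func NewServer(rpID string) *Server {
	return &Server{rpID: rpID, pubKeys: map[string]ed25519.PublicKey{},
		counter: map[string]uint32{}, pending: map[string][]byte{}}
}

func (s *Server) Register(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// Challenge issues 32 random bytes that must be signed exactly once.
func (s *Server) Challenge(user string) ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	s.pending[user] = ch
	return ch, nil
}

func (s *Server) Verify(user string, a Assertion) error {
	pub, ok := s.pubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	want, ok := s.pending[user]
	if !ok || !bytes.Equal(want, a.Challenge) {
		return errors.New("challenge missing, stale or already used")
	}
	delete(s.pending, user) // consumed even if the signature turns out bad
	if a.Counter <= s.counter[user] {
		return errors.New("signature counter did not increase (cloned key?)")
	}
	if !ed25519.Verify(pub, signedMessage(s.rpID, a.Challenge, a.Counter), a.Signature) {
		return errors.New("bad signature for this relying party")
	}
	s.counter[user] = a.Counter
	return nil
}

func main() {
	srv := NewServer("login.example") // hypothetical relying party
	client, err := NewClient()
	if err != nil {
		panic(err)
	}
	srv.Register("alice", client.PublicKey())

	ch, _ := srv.Challenge("alice")
	a := client.Assert("login.example", ch)
	fmt.Println("login: ", srv.Verify("alice", a))
	fmt.Println("replay:", srv.Verify("alice", a))

	// A phishing proxy relays a genuine challenge to the victim, who signs it
	// for the domain they are really on; the real server rejects it.
	ch, _ = srv.Challenge("alice")
	fmt.Println("phish: ", srv.Verify("alice", client.Assert("evil.example", ch)))
}
```

Running it prints `<nil>` for the legitimate login and an error for both the replayed assertion and the relayed one. The relying-party binding and the single-use challenge are the two properties that distinguish this flow from a one-time code, which an attacker can relay verbatim to the real site.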
In order to implement true passwordless authentication, organisations must:
- First, consider the users (i.e., employees) and their use cases.
It is important to understand employees’ needs, behaviours and risk profiles. What kinds of devices do they use: phones, desktops, shared workstations, or a combination of all three? Are they mostly remote, in an office setting, or hybrid? Once you understand their access points, you can define the safety guidelines for going passwordless.
- Loop in and engage other relevant departments.
Depending on company size, departments are often siloed, with budgets, decisions and impacts made and measured independently. With a passwordless overhaul, though, nearly every department, including IT, HR and operations, needs to be in the know. By looping in the various departments, the teams can more effectively communicate a multi-step approach to going passwordless and highlight the benefits of upgrading the company’s authentication protocols.
- Plan training and support ahead of time.
As with any IT change, less tech-savvy employees will need refreshers and one-on-one support at some point during implementation. To make your life easier, share a training plan that includes an FAQ document as well as a communication plan for employees who need help. This phase usually lasts only a week or so into implementation, so budget extra IT staffing hours for that period.
- Create a measurement rubric for success.
This may seem rudimentary, but every C-suite executive will ask for qualitative and quantitative results from the switch to passwordless, particularly since it affects every login and every area of the business. This rubric will largely centre on bottom-line metrics, particularly those related to saving money and time, and can be revisited at six- or 12-month intervals after implementation.
While the above provides guidelines on how to incorporate passwordless MFA into an organisation, every corporation is different and must be treated as such. Some will require longer lead times to turn over, others will not. But the above gives you a general framework for implementation and puts you well on your way to phishing-resistant authentication across the organisation.
By Bojan Simic, Co-Founder, CEO & CTO at HYPR
Bojan Simic is the CEO, Chief Technology Officer and Co-Founder of HYPR. Previously, he served as an information security consultant for Fortune 500 enterprises in the financial and insurance verticals, conducting security architecture reviews, threat modelling and penetration testing. Bojan has a passion for deploying applied cryptography implementations across security-critical software in both the public and private sectors. His extensive experience in decentralised authentication and cryptography has served as the underlying foundation for HYPR technology. Bojan also serves as HYPR’s delegate to the FIDO Alliance board of directors, empowering the alliance’s mission to rid the world of passwords.