The June 2017 NIST Special Publication 800-63B, covering Digital Identity, turned what had previously been the gold standard for passwords on its head. For the first time, NIST recommended removing complexity rules and forced password rotation, supporting longer passwords, dropping restrictions on or requirements for special characters, and preventing the use of common passwords and those already exposed in a known breach. Why these changes? Because with the best will in the world, the human element in our security measures is always going to be the weakest link. Forcing individuals, particularly those whose primary role has nothing to do with Information Technology, to remember hundreds of unique complex passwords is hard. They don't want to, and when we make them, they get it wrong or look for an answer with as little friction as possible. NIST's new guidelines are intended to remove some of that friction. When combined with the use of a password manager and multi-factor authentication, we might hope that our corporate assets are no longer protected by the same password someone used on their favourite shopping site.
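To make the contrast concrete, here is an added example (not from the talk or from ThoughtWorks) that places a legacy composition-rule check beside an 800-63B style check: minimum length, a generous maximum, no character-class requirements, and a blocklist of common or breached passwords. The blocklist and the context words are constructed samples; a real deployment would use a large breach corpus.

```python
import unicodedata
from typing import List, Sequence

# Constructed sample blocklist. In practice this is a large list of common
# and previously breached passwords, compared after normalisation.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "password1!"}

MIN_LENGTH = 8   # 800-63B: memorized secrets are at least 8 characters
MAX_LENGTH = 64  # 800-63B: verifiers must accept at least 64 characters


def normalize(secret: str) -> str:
    """NFKC-normalise so visually identical Unicode input compares equal."""
    return unicodedata.normalize("NFKC", secret)


def legacy_policy(secret: str) -> List[str]:
    """Pre-2017 composition rules: the kind 800-63B tells us to drop."""
    problems = []
    if len(secret) < 8:
        problems.append("too short")
    if not any(c.isupper() for c in secret):
        problems.append("needs an uppercase letter")
    if not any(c.islower() for c in secret):
        problems.append("needs a lowercase letter")
    if not any(c.isdigit() for c in secret):
        problems.append("needs a digit")
    if not any(not c.isalnum() for c in secret):
        problems.append("needs a special character")
    return problems


def nist_policy(secret: str, context_words: Sequence[str] = ()) -> List[str]:
    """800-63B style check: length bounds, blocklist, no composition rules."""
    s = normalize(secret)
    problems = []
    if len(s) < MIN_LENGTH:
        problems.append("too short (minimum %d characters)" % MIN_LENGTH)
    if len(s) > MAX_LENGTH:
        problems.append("too long (maximum %d characters)" % MAX_LENGTH)
    if s.lower() in BLOCKLIST:
        problems.append("common or breached password")
    # Reject secrets built from the username, service name or similar context
    for word in context_words:
        if word.lower() in s.lower():
            problems.append("contains context-specific word %r" % word)
    return problems
```

A passphrase such as "correct horse battery staple" fails every legacy rule but passes the NIST check, while "Password1!" satisfies every legacy rule and is rejected by the blocklist.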
Unfortunately, things are never that simple. For non-technical users, even working with a password manager can present challenges. Not all systems play nicely with password managers, and they also do not stop a user from using the same credential for more than one product.
Passwordless authentication is one exciting way forward. In itself this is not new technology, having been around in various forms for a while (think magic email links, for example), but that approach still relies upon shared secrets. However, the release of the WebAuthn standard by the W3C and FIDO, supported by many key vendors, allows us to take advantage of public key cryptography instead.
At ThoughtWorks we have embarked on a journey to introduce passwordless login to our employees, particularly those with high-value accounts who may be less technical than many. The goal of this session is to share what we have learned throughout this process: our goals, our challenges and how we resolved them. We hope attendees will be inspired to evaluate this technology, which delivers the rarest of things, better security and a fantastic user experience.
More details: [ Link ]
Conference Link: [ Link ]