How First Citrus Bank got rid of employee passwords

In February the Florida bank rolled out passwordless authentication that relies on the biometric sensors built into its employees' smartphones.

Security experts have been bemoaning the endless array of problems associated with using passwords -- they're either too easy for criminals to guess or too difficult to remember, they're reused, they're constantly being stolen. Until recently, there's been no practical way to get away from them.

Even the fingerprint or facial scanners on phones, which can make it possible to log into your Dropbox or PayPal account without typing in your password, don't do away with the passwords themselves. The password is still there: it is typed when the app is first set up, and it is what you fall back on when you log in from another device or browser.

Things are starting to change, however. In March, the World Wide Web Consortium (W3C) approved the WebAuthn (Web Authentication) standard, a joint project with the FIDO Alliance, which allows for passwordless authentication on the web using authenticators such as the fingerprint reader on a smartphone. All major browsers support it, including Chrome, Firefox, Microsoft Edge and Safari. So do Android phones and Windows 10 computers.

The idea is that the secret never leaves the device. The biometric, whether a fingerprint or a face template, is stored locally on the phone and is never transmitted to the website. The phone's authenticator checks the user locally, then proves the user's identity to the website or application by signing a one-time challenge with a private key that is unique to that site; the site verifies the signature with the public key it stored at enrollment. The system isn't perfectly secure. Fingerprint and face recognition can be spoofed, and if the authenticator is a hardware token like a USB key, it can be stolen. It is nonetheless a significant improvement over the traditional user account and password approach: the server holds no shared secret worth stealing, and a signature produced for one site cannot be replayed at another.

The transition won't be easy, but some organizations are already moving ahead. Florida's First Citrus Bank rolled out a passwordless authentication system to its employees in February after an evaluation period that started last fall. "We deployed it to everyone in our organization, using the biometrics inherent in their devices, whether Android or iPhone," says Joe Kynion, the community bank's cybersecurity lead.

Each employee controls their own private key, which stays on their device, while the bank manages the public keys through its authentication technology vendor, HYPR. If the bank suffers a breach, attackers won't find a list of employee passwords or any other reusable secret: a public key by itself cannot be used to log in.
