The 2025 changes to Cyber Essentials Requirement for IT Infrastructure v3.2 reflect the changes in login methods that are rapidly taking over in technology. Back in 2019, it was Microsoft that gave us the powerful statistic that multi-factor authentication can block over 99.9 percent of attacks by criminals attempting to access your account. So, perhaps it is no surprise that Microsoft has recently announced that multi-factor authentication is required for all of its services by 15 October 2024.
Accelerated by AI and by access to quantum computer systems, cyber threats are changing rapidly, and what was once considered a complex cyber attack can become a *commodity attack within hours. To address the dual challenge of advancing innovation and vital security, vendors are having to evolve their technology reactively. More frequent upgrades and updates to devices are a likely outcome, and urgent and sweeping changes to authentication methods are already upon us.
Could this be the beginning of the end for passwords?
The Rise of Passwordless Technology
Authentication methods that do not require a password at all are becoming increasingly commonplace, and Cyber Essentials has had to address this technology. For years, passwords have been the default method of authentication for a wide range of accounts and services, both at home and at work. And while passwords are accessible, cheap, and portable, they are also frequently reused, forgotten, guessed, brute-forced, and stolen. The inherent vulnerabilities of passwords were a key reason behind the 2022 update to Cyber Essentials, which mandated the additional use of multi-factor authentication (MFA) for all accounts and services accessible over the internet.
True passwordless authentication eliminates the need for passwords altogether, providing alternative forms of authentication to allow secure access. This technology will always use more than one factor of authentication; although there is no password, the two or more factors used instead can involve a digital certificate (which is like a digital ID card) working behind the scenes, encryption methods, or biometric checks combined with codes from authentication apps.
Defining Passwordless Authentication in Cyber Essentials
The option to include systems that use passwordless technology is now part of Cyber Essentials, and the term is defined in the same way as multi-factor authentication: “passwordless authentication is an authentication method that uses a factor other than user knowledge to establish identity”.
There are numerous methods of verifying identity without using traditional passwords. Here are some common examples; sometimes these are used in combination:
Biometric Authentication: Uses biological traits of the person logging in, such as fingerprints or facial features, to confirm their identity.
Security Keys or Tokens: Involves physical hardware devices like USB security keys or smart cards.
One-Time Codes: Temporary codes sent via email, SMS, or a mobile app.
Push Notifications: Prompts on a smartphone to approve or deny a login attempt.
An app on a trusted device: This could be an authenticator app provided by Microsoft or Google.
Use of a ‘trusted’ or ‘known’ device: As you log in, the server you are connecting to will use a range of different methods to uniquely identify your device. This will enable it to recognise it as a trusted device on future logins.
QR codes: These can be scanned by a camera on a connected device. The user will then simply follow the instructions on the screen to finish signing in.
Read the full NCSC guidance about trusted authentication methods
Adapting to the Future
As we look to the future, the shift towards passwordless authentication represents a significant step forward in cyber security. By eliminating the vulnerabilities associated with traditional passwords, organisations can enhance their security and reduce the risk of cyber incidents.
*What is a commodity attack?
When talking about cyber attacks, the term ‘commoditised’ refers to the process by which certain types of cyber attacks become standardised, widely available, and relatively easy to execute. This is often due to the availability of tools and services that can be purchased or accessed with minimal effort or expertise.
The commoditisation of cyber attacks can lead to an increase in the frequency and variety of attacks, as more people are able to participate in cyber crime. It also means that defences need to be continually updated to keep pace with the evolving threat landscape.