Evicting the Password from the Digital Estate

Passwords have been used to secure user sessions in computing since the time sharing era. Cryptography, collaborative standards development, and persistent network connectivity have led to new options for authenticators, while determined attackers and ever-expanding computing power have minimized a password’s security value. Recently, NIST engaged with the identity community to substantially revise guidance around digital identities, authenticators, and federation security. This session will explore authenticators from passwords to the latest FIDO 2 standards, focusing on how to improve security while not negatively impacting user experience. Additionally, we examine authentication protocols that can be used in combination with proposed authenticators to secure application sessions. Finally, an action plan is presented that will assist in determining weak authentication methods and provide a path toward adopting more secure authenticators.