ao link
Charity Digital
Search
Remember Login

New to Charity Digital?

User Menu
Remember Login

New to Charity Digital?

Remember Login

New to Charity Digital?

Search

Why charities should invest in passwordless technology

We explore how passwords have evolved and what this means for cyber security, including up-to-date best practice for protecting your charity

Four counters printed with padlocks on a yellow background
Why charities should invest in passwordless technology

October is ’Charity Cyber Essentials Awareness Month’, and we are teaming up with Cyber Essentials Delivery Partner, IASME to offer free cyber security support and guidance. If you are a registered charity and you sign up and pay for Cyber Essentials between 1-31 October, you will receive a discount to the price of certification. 

 

Cyber Essentials represents the UK Government’s minimum baseline standard for cyber security for organisations of all sizes in the UK. The annually renewable certification scheme is aligned to five technical controls designed to prevent the most common internet-based cyber security threats.  This year, the UK Government’s Cyber Essentials (CE) scheme celebrated its tenth anniversary, marking a decade of bolstering the nation’s cyber resilience through fundamental security measures.  

 

Find out more about Cyber Essentials 

 

 

Continuous improvement 

 

The pace of change in both technology advancements and cyber threats mean that Cyber Essentials must continue to evolve each year to reflect these changes.  

 

Each year, IASME conduct a review and update process with the experts from the National Cyber Security Centre (NCSC) where they consider feedback from customers and Assessors and take a look at the changes in the IT landscape.  

 

This annual process ensures that Cyber Essentials remains relevant and effective, and as a baseline scheme, it is still the most direct and successful route to improving your cyber security through basic controls. 

 

 

The future is password-free  

 

The 2025 changes to Cyber Essentials Requirement for IT Infrastructure V 3.2 reflect the changes to login methods that are rapidly taking over in technology.  

 

Back in 2019, it was Microsoft that gave us the powerful statistic that multi-factor authentication can block over 99.9 percent of attacks by criminals attempting to access your account. So, perhaps it is no surprise that Microsoft has recently announced that multi-factor authentication is required for all of its services by 15 October 2024.  

 

Expedited by AI and access to quantum computer systems, cyber threats are rapidly changing and what was once considered a complex cyber attack can now be a *commodity attack within hours. To address the dual challenge of advancing innovation and vital security, vendors are having to reactively evolve their technology. More frequent upgrades and updates to devices are a likely outcome and urgent and sweeping changes to authentication methods are already upon us.  

 

Could this be the beginning of the end for passwords? 

 

 

The rise of passwordless technology 

 

Authentication methods that do not require a password at all are becoming increasingly commonplace, and Cyber Essentials has had to address this technology. For years, passwords have been the default method of authentication for a wide range of accounts and services, both at home and at work. And while passwords are accessible, cheap, and portable, they are also frequently reused, forgotten, guessed, brute-forced, and stolen.  

 

The inherent vulnerabilities of passwords were a key reason behind the 2022 update to Cyber Essentials, which mandated the additional use of multi-factor authentication (MFA) for all accounts and services accessible over the internet. 

 

True passwordless authentication eliminates the need for passwords altogether, providing alternative forms of authentication to allow secure access. This technology will always use more than one factor of authentication, and although there is no password, the other two or more factors can involve a digital certificate (which is like a digital ID card) working behind the scenes, encryption methods, or additional biometric checks combined with codes from authentication apps.  

 

 

Defining passwordless authentication in Cyber Essentials 

 

The option to include systems that use passwordless technology is now included in Cyber Essentials and is defined in the same way as multi-factor authentication, passwordless authentication is an authentication method that uses a factor other than user knowledge to establish identity“. 

 

There are numerous methods of verifying identity without using traditional passwords. Here are some common examples; sometimes these are used in combination: 

  • Biometric authentication: Uses biological traits of the person logging in, such as fingerprints or facial features, to confirm their identity. 

  • Security keys or tokens: Involves physical hardware devices like USB security keys or smart cards. 

  • One-time codes: Temporary codes sent via email, SMS, or a mobile app. 

  • Push notifications: Prompts on a smartphone to approve or deny a login attempt. 

  • An app on a trusted device: This could be an authenticator app provided by Microsoft or Google. 

  • Use of a ‘trusted’ or ‘known’ device: As you login, the server you are connecting to will use a range of different methods to uniquely identify your device. This will enable it to recognise it as a trusted device on future logins.  

  • QR codes: These can be scanned by a camera on a connected device. The user will then simply follow the instructions on the screen to finish signing in.  

 

 

 

Adapting to the Future 

 

As we look to the future, the shift towards passwordless authentication represents a significant step forward in cyber security. By eliminating the vulnerabilities associated with traditional passwords, organisations can enhance their security and reduce the risk of cyber incidents.  

 

The Cyber Essentials scheme, with its continuous adaptation and improvement, remains a cornerstone of the UK’s cyber resilience strategy, proving that even the most basic controls can have a powerful impact when they evolve with the times.

 

 

*What is a commodity attack? 

 

When talking about cyber attacks, the term ‘commoditised’ refers to the process by which certain types of cyber attacks become standardised, widely available, and relatively easy to execute. This is often due to the availability of tools and services that can be purchased or accessed with minimal effort or expertise 

 

The commoditisation of cyber attacks can lead to an increase in the frequency and variety of attacks, as more people are able to participate in cyber crime. It also means that defences need to be continually updated to keep pace with the evolving threat landscape. 

 

Go to the Cyber Essentials Knowledge Hub to find free cyber security guidance for charities 

 

More on this topic

Podcast: How to make your social media accessible and inclusive

Podcast: How to make your social media accessible and inclusive

Cyber security: what to look out for in 2025

Cyber security: what to look out for in 2025Sponsored Article

Charity Digital Academy

Our courses aim, in just three hours, to enhance soft skills and hard skills, boost your knowledge of finance and artificial intelligence, and supercharge your digital capabilities. Check out some of the incredible options by clicking here.

 

Tell me more

Recite Me toolbar