Image Copyright © BluOcean Digital 2024
Are traditional passwords becoming a relic of the past, an obsolete tool in the cybersecurity toolkit? Passwords remain one of the most common and most accessible ways into an organization: an attacker only has to obtain or guess a string that the user already types into whatever page asks for it.
Recent studies have reported that 86% of breaches involve stolen credentials.
Stolen credentials are traded on web forums and dark web markets, or harvested directly from users through simple phishing emails and phone calls. As breaches continue to grow in number, many organizations are turning to passwordless authentication to thwart these common attacks. Passwordless authentication replaces the shared secret with other forms of proof of identity, including a user's biometrics, hardware tokens, and cryptographic passkeys. As attacks evolve and become more pervasive, passwordless methods aim to build defenses that do not fail the moment a secret is copied.
Current Challenges in Authentication
Passwords were once a critical part of digital security, but over time they have become one of its greatest weaknesses, for several reasons:
- Password Hygiene: Password best practices are everywhere, from registration pages to your company's security awareness training. Users are told to use long passwords with symbols and numbers, avoid dictionary words, never reuse a password across accounts, and rotate passwords several times a year. These demands exceed an average user's memory, and human nature prevails: users reuse passwords and choose simple ones for convenience. (NIST SP 800-63B has since dropped mandatory periodic rotation and composition rules in favour of length and screening against known-breached passwords, but the root problem, a human-memorized secret that gets typed into whatever page asks for it, remains.)
- Social Engineering: As noted above, human nature is a major factor in whether a defense succeeds. Users often fall victim to social engineering and disclose their passwords to a phishing email, a smishing text, or a vishing phone call. These attacks are only getting more convincing, to the point that even the most seasoned user may fall for one.
- Password Dumps and Credential Stuffing: Phishing and exploitation of web application vulnerabilities are among the many ways attackers obtain user passwords. Harvested passwords are sold or posted openly in password dumps on the deep and dark web. Because users reuse passwords across accounts, attackers perform credential stuffing: replaying the leaked username and password pairs against many other platforms to take over every account that shares them.
- Brute Force and Password Spraying: Often the attacker does not need to know a user's password at all. Users tend to pick passwords that are easy to remember, like "password" or "winter2024." Attackers build lists of such common passwords and script attacks against login pages, either hammering one account with many guesses (brute force) or trying a few likely passwords against many accounts (password spraying, which stays below per-account lockout thresholds) until a login succeeds.
- Malware and Network Interception: Passwords can also be captured in transit or at the keyboard. Adversary-in-the-middle attacks sniff network traffic and recover credentials sent in the clear or over a connection the attacker has managed to intercept. Keylogging malware installed on a user's endpoint records keystrokes, including usernames and passwords.
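The brute-force and spraying patterns in the list above leave distinct shapes in authentication logs, and telling them apart is a reasonable first detection while passwords are still in use. The following Go program is an added example written for this article, not code from BluOcean Digital or from any product: the key=value log format, the IP addresses and the user names are constructed for the example, and the two thresholds are assumptions to be tuned per environment.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// AuthEvent is one parsed login attempt.
type AuthEvent struct {
	SrcIP   string
	User    string
	Success bool
}

// SampleLog is constructed for this example; the layout is an assumption,
// not the format of any particular product.
const SampleLog = `
2024-05-01T10:00:01Z src=203.0.113.5 user=alice result=fail
2024-05-01T10:00:02Z src=203.0.113.5 user=alice result=fail
2024-05-01T10:00:03Z src=203.0.113.5 user=alice result=fail
2024-05-01T10:00:04Z src=203.0.113.5 user=alice result=fail
2024-05-01T10:00:05Z src=203.0.113.5 user=alice result=fail
2024-05-01T10:00:06Z src=203.0.113.5 user=alice result=success
2024-05-01T10:01:00Z src=198.51.100.7 user=bob result=fail
2024-05-01T10:01:01Z src=198.51.100.7 user=carol result=fail
2024-05-01T10:01:02Z src=198.51.100.7 user=dave result=fail
2024-05-01T10:01:03Z src=198.51.100.7 user=erin result=fail
2024-05-01T10:01:04Z src=198.51.100.7 user=frank result=fail
2024-05-01T10:02:00Z src=192.0.2.9 user=grace result=fail
2024-05-01T10:02:05Z src=192.0.2.9 user=grace result=success
`

// ParseAuthLog parses lines of the form "<timestamp> src=<ip> user=<name> result=<fail|success>".
func ParseAuthLog(log string) ([]AuthEvent, error) {
	var events []AuthEvent
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		parts := strings.Fields(line)
		if len(parts) < 4 {
			return nil, fmt.Errorf("malformed line %q", line)
		}
		kv := map[string]string{}
		for _, f := range parts[1:] {
			p := strings.SplitN(f, "=", 2)
			if len(p) != 2 {
				return nil, fmt.Errorf("malformed field %q", f)
			}
			kv[p[0]] = p[1]
		}
		events = append(events, AuthEvent{SrcIP: kv["src"], User: kv["user"], Success: kv["result"] == "success"})
	}
	return events, sc.Err()
}

// Finding is one alert produced by Detect.
type Finding struct {
	Kind      string // "brute-force" or "password-spray"
	SrcIP     string
	Count     int  // failures against one account (brute force) or distinct accounts hit (spray)
	Succeeded bool // the same source later logged in to an attacked account: likely compromise
}

// Detect separates the two failure shapes per source IP:
//   brute force: one account receives >= bruteMin failed attempts
//   spraying:    >= sprayMin distinct accounts each receive only a few failures
func Detect(events []AuthEvent, bruteMin, sprayMin int) []Finding {
	fails := map[string]map[string]int{} // ip -> user -> failed attempts
	succ := map[string]map[string]bool{} // ip -> user -> any success
	for _, e := range events {
		if e.Success {
			if succ[e.SrcIP] == nil {
				succ[e.SrcIP] = map[string]bool{}
			}
			succ[e.SrcIP][e.User] = true
			continue
		}
		if fails[e.SrcIP] == nil {
			fails[e.SrcIP] = map[string]int{}
		}
		fails[e.SrcIP][e.User]++
	}
	var out []Finding
	for ip, perUser := range fails {
		topUser, topN := "", 0
		for u, n := range perUser {
			if n > topN {
				topUser, topN = u, n
			}
		}
		switch {
		case topN >= bruteMin:
			out = append(out, Finding{"brute-force", ip, topN, succ[ip][topUser]})
		case len(perUser) >= sprayMin:
			anySuccess := false
			for u := range perUser {
				anySuccess = anySuccess || succ[ip][u]
			}
			out = append(out, Finding{"password-spray", ip, len(perUser), anySuccess})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].SrcIP < out[j].SrcIP })
	return out
}

func main() {
	events, err := ParseAuthLog(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range Detect(events, 5, 5) {
		fmt.Printf("%-15s %-14s count=%d success_after=%v\n", f.Kind, f.SrcIP, f.Count, f.Succeeded)
	}
}
```

The spray heuristic deliberately ignores per-account failure counts, because that is exactly what spraying keeps low; the brute-force finding carries a Succeeded flag so that a successful login after a burst of failures from the same source is escalated rather than treated as the user finally remembering their password.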
A Shift Towards Passwordless Authentication
Can users stay secure with passwords alone? Despite attempts like password managers and multi-factor authentication, attackers find loopholes. Is it time to explore passwordless methods? What if we could secure our accounts without relying on traditional passwords?
We have seen many attempts in the security world to defend against the weaknesses of user passwords. Users have been encouraged to adopt password managers, but in doing so they take on the risk of a third-party application holding their most sensitive data, and these applications have become targets precisely because compromising one yields a vault full of passwords.
The key defense against password weakness has been multi-factor authentication (MFA). MFA, which requires a second proof of identity beyond the username and password, was thought to be a fail-safe.
However, attackers have adapted and found ways around this layer: SIM swapping to receive SMS codes, social engineering users into reading out their one-time codes, real-time phishing proxies that relay a code to the legitimate site before it expires, and push-notification fatigue against authenticator apps. The failure of these tactics has pushed the industry towards passwordless methods.
Some Latest Developments in Passwordless Authentication
What if we didn't have to use passwords at all? Unbeknownst to many users, numerous passwordless methods already exist to protect their most critical accounts. These technologies take several forms, including the following:
- Biometric Information: Biometric methods use a physical trait such as a face scan, iris scan, voice print, or fingerprint in place of something the user must remember. On modern devices the biometric is matched locally and used to unlock a credential stored on the device, so the biometric template itself is never sent to the service. That design matters for two reasons: a biometric cannot be rotated if it leaks, and presentation attacks (a photo, a recording, a lifted print) do exist and have to be countered with liveness detection. These methods are most often used to unlock a device, or an app on it.
- Passkeys: The FIDO2 standard (WebAuthn in the browser plus CTAP to the authenticator) provides the basis for passkeys. A passkey is a public/private key pair: the private key stays on your device and the public key is registered with the service. Signing in means signing a fresh server-issued challenge, and the signature also covers the site origin, so a credential registered for one domain cannot be used on a look-alike phishing domain and there is no reusable secret to leak from a breached database. You must have a device holding the passkey to sign in; passkeys may also be synced between a user's devices through a platform credential manager, in which case that account and its recovery flow become part of the trust boundary.
- Hardware Tokens: Hardware tokens are physical devices that generate one-time passwords or sign cryptographic challenges to log a user in. They are not tied to a single computer, but the user must physically possess the token to authenticate, which adds a layer a remote attacker cannot bypass.
- One-Time Passwords and Magic Links: While not technically passwordless (they are closer to a single factor delivered out of band), these are increasingly common across the digital ecosystem. After entering an email address or username, the user is emailed or texted a one-time code or link to complete login. The method is only as secure as the user's mailbox or phone number, and a code can still be phished in real time, but it does defeat credential stuffing and brute forcing because there is no reusable secret to guess.
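To make concrete why a passkey or FIDO2 security key resists the phishing and replay attacks described earlier, here is a reduced model of a WebAuthn authentication ceremony in Go. It is an added example written for this article, not code from BluOcean Digital or from any FIDO library, and it keeps only the relying-party checks that carry the point: the authenticator signs authenticatorData together with a hash of clientDataJSON, and the browser, not the web page, writes the origin into clientDataJSON. The names Register, Get and Verify, the RP ID bank.example and the phishing origin bank-example.evil are assumptions; attestation, credential IDs, the signature counter and CBOR/COSE encoding are omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData holds the clientDataJSON fields the relying party (RP) checks.
// The browser writes them, so a web page cannot forge the origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator is a simplified passkey: a P-256 private key bound to one RP ID.
type Authenticator struct {
	priv *ecdsa.PrivateKey
	rpID string
}

// Assertion is what the browser returns to the RP after the user approves.
type Assertion struct{ AuthenticatorData, ClientDataJSON, Signature []byte }

// Register mints a passkey for rpID and returns the public key the RP stores.
func Register(rpID string) (*Authenticator, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv, rpID: rpID}, &priv.PublicKey, nil
}

// signedMessage is what FIDO2 signs: authenticatorData || SHA-256(clientDataJSON).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Get answers the RP's challenge; origin is whatever browser origin relayed the request.
func (a *Authenticator) Get(challenge []byte, origin string) (*Assertion, error) {
	cd := clientData{Type: "webauthn.get", Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin}
	cdJSON, err := json.Marshal(cd)
	if err != nil {
		return nil, err
	}
	rpIDHash := sha256.Sum256([]byte(a.rpID))
	authData := make([]byte, 37) // rpIdHash (32) || flags (1) || signature counter (4, left at 0 here)
	copy(authData, rpIDHash[:])
	authData[32] = 0x05 // flags: user present (bit 0) and user verified (bit 2)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(authData, cdJSON))
	if err != nil {
		return nil, err
	}
	return &Assertion{authData, cdJSON, sig}, nil
}

// Verify performs the RP-side checks. The signature covers everything checked,
// so an attacker cannot patch the origin or challenge after the fact.
func Verify(pub *ecdsa.PublicKey, rpID, allowedOrigin string, challenge []byte, as *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	switch {
	case cd.Type != "webauthn.get":
		return errors.New("unexpected ceremony type")
	case cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge):
		return errors.New("challenge mismatch: stale or replayed assertion")
	case cd.Origin != allowedOrigin:
		return fmt.Errorf("origin %q is not the relying party", cd.Origin)
	case len(as.AuthenticatorData) < 37 || string(as.AuthenticatorData[:32]) != string(rpIDHash[:]):
		return errors.New("authenticator data malformed or credential minted for another site")
	case as.AuthenticatorData[32]&0x01 == 0:
		return errors.New("user presence flag not set")
	case !ecdsa.VerifyASN1(pub, signedMessage(as.AuthenticatorData, as.ClientDataJSON), as.Signature):
		return errors.New("signature does not verify under the registered public key")
	}
	return nil
}

func main() {
	auth, pub, _ := Register("bank.example")
	ch := make([]byte, 32) // fresh per-ceremony challenge issued by the RP
	rand.Read(ch)
	as, _ := auth.Get(ch, "https://bank.example")
	fmt.Println("genuine login:", Verify(pub, "bank.example", "https://bank.example", ch, as))
	rand.Read(ch) // a phishing page relaying a fresh challenge still gets its own origin signed in
	phished, _ := auth.Get(ch, "https://bank-example.evil")
	fmt.Println("relayed via phishing site:", Verify(pub, "bank.example", "https://bank.example", ch, phished))
}
```

In a real browser the phishing case is stopped even earlier, because a page on bank-example.evil is not allowed to request a credential whose RP ID is bank.example; the server-side origin check shown here is the second line of defense, and it works because the origin sits under the signature, so the attacker can neither relay the assertion unchanged nor rewrite it.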
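For the one-time code and magic link approach in the last item, what keeps the emailed token from becoming just another reusable secret is high entropy, a short lifetime, single use, and storing only a hash of it server-side. The Go type below is an added example written for this article (not BluOcean Digital's code or any vendor's); the MagicLinkStore name, the ten-minute lifetime in main, the constructed address alice@example.com and the in-memory map standing in for a database are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
)

// ErrInvalid is returned for every failed redemption, so a caller cannot tell
// a guessed token from an expired or already-used one.
var ErrInvalid = errors.New("invalid, expired, or already used login link")

// pending is the server-side record of an issued link. Only the SHA-256 of the
// token is kept: a leaked table does not hand out usable links.
type pending struct {
	user    string
	expires time.Time
}

// MagicLinkStore issues and redeems single-use, time-limited login tokens.
// An in-memory map stands in for the database a real deployment would use.
type MagicLinkStore struct {
	mu     sync.Mutex
	byHash map[[32]byte]pending
	byUser map[string][32]byte // latest outstanding token per user
	ttl    time.Duration
	now    func() time.Time // injectable clock, so expiry can be tested
}

func NewMagicLinkStore(ttl time.Duration) *MagicLinkStore {
	return &MagicLinkStore{byHash: map[[32]byte]pending{}, byUser: map[string][32]byte{}, ttl: ttl, now: time.Now}
}

// Issue returns the opaque token to embed in the emailed URL. 256 bits of
// entropy cannot be guessed within the link's lifetime, so brute force against
// the redeem endpoint is hopeless even without lockouts.
func (s *MagicLinkStore) Issue(user string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(raw)
	h := sha256.Sum256([]byte(token))
	s.mu.Lock()
	defer s.mu.Unlock()
	if old, ok := s.byUser[user]; ok {
		delete(s.byHash, old) // requesting a new link revokes the earlier one
	}
	s.byHash[h] = pending{user: user, expires: s.now().Add(s.ttl)}
	s.byUser[user] = h
	return token, nil
}

// Redeem consumes the token exactly once and returns the user it logs in.
// The lookup is keyed by the hash, so the raw token is never compared
// byte-by-byte against stored secrets.
func (s *MagicLinkStore) Redeem(token string) (string, error) {
	h := sha256.Sum256([]byte(token))
	s.mu.Lock()
	defer s.mu.Unlock()
	p, ok := s.byHash[h]
	if !ok {
		return "", ErrInvalid
	}
	delete(s.byHash, h) // single use, even if it turns out to be expired
	delete(s.byUser, p.user)
	if s.now().After(p.expires) {
		return "", ErrInvalid
	}
	return p.user, nil
}

func main() {
	s := NewMagicLinkStore(10 * time.Minute)
	token, _ := s.Issue("alice@example.com") // constructed address
	fmt.Println("link:", "https://login.example/magic?t="+token)
	user, err := s.Redeem(token)
	fmt.Println("first click:", user, err)
	_, err = s.Redeem(token)
	fmt.Println("second click:", err)
}
```

None of this protects the mailbox itself: an attacker who can read the user's email gets the link, which is the dependency the item above warns about, and it is why a magic link should be treated as a possession factor for the mailbox rather than as a replacement for a passkey.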
Future of Passwordless Authentication
The future of authentication is passwordless.
Passwords are a burden to manage, cause poor user experiences, and are easily compromised. Passwordless authentication eliminates reliance on passwords and delivers a host of business benefits, including a better user experience, reduced IT time and costs, and a stronger security posture.
According to researchers, the market for passwordless authentication is expected to expand to $21.2 billion by 2027, as more organizations seek protection against social engineering, phishing, and other forms of credential theft.
Facial recognition and fingerprint scanning are already in place at some businesses, and employees are becoming more comfortable using them on their personal devices as well.
According to Gartner, 60% of large and global enterprises, and 90% of midsize enterprises, will implement passwordless methods in more than 50% of their use cases.
Passwordless authentication will reduce attack vectors, enhance the user experience, and reduce operational costs. By preparing for our passwordless future today, businesses can set their employees and themselves up for a safer and easier login experience. The market, however, is not yet in a place where passwordless authentication is easily achievable. Modern enterprises cannot cover all of their access use cases today with a single passwordless solution.
Recommendations for Business and Individuals
How can businesses and individuals adapt to a passwordless future?
Businesses and individuals need to begin embracing passwordless authentication as a secure way of verifying identity without the need for passwords.
Here are some recommendations for businesses and individuals on passwordless authentication:
- Use multi-factor authentication (MFA) with passwordless, not instead of it: pair the possession factor (device or token) with a PIN or biometric, as FIDO2 user verification does, and apply MFA to account recovery and fallback paths as well, since those are where attackers go once the primary login is hardened.
- Use biometric authentication, such as fingerprint or facial recognition, to verify a user's identity, preferring on-device matching over sending biometric data to a server.
- Use hardware tokens, such as smart cards or FIDO2 security keys, to authenticate users.
- Use certificate-based authentication, in which a client certificate (ideally held in a smart card or TPM so the private key cannot be exported) proves the user's identity.
- Use a passwordless authentication system that is compatible with your existing infrastructure.
Conclusion
How can we build trust in securing our digital identities in an evolving technology landscape? Our future in the digital world gives users boundless possibilities but also opens an unprecedented level of risk. Users must try to protect themselves from attackers by maintaining their own security hygiene, but this seems to be an unattainable goal for most. Even for those who do use complex passwords, the growing threat of MFA bypass and creative social engineering remains.
Should we trust passwordless authentication to keep our accounts safe?
The development of passwordless authentication shows promising steps towards allowing users of the digital ecosystem to protect themselves without many of the challenges from past methods.
While these methods may not be prevalent yet, we believe we will see major growth in their use in the coming year and beyond. We hope that as these technologies become more widespread, users will be able to protect themselves and help create a more secure future for us all.
Sources
- HelpNetSecurity (April 11, 2023). Why it's time to move towards a passwordless future.
- GoogleBlog (May 3, 2023). The beginning of the end of the password.
- ManageEngine Insights (May 5, 2023). The passwordless future: How authentication is evolving.
- W3Care (March 12, 2023). Future of Passwordless authentication in 2023.
- LastPass… (August 1, 2023). The Future of Authentication: A World Without Passwords.
- BeyondTrust (December 14, 2023). How Compromised Passwords Lead to Data Breaches & How to Prevent Them.
Written by: Katie Reilly, Smaranava Roy