Improved computer security is on the horizon for both businesses and individual users willing to adopt an alternative to passwords. Yet, despite the growing disdain for the cumbersome process of creating and entering passwords, the transition toward a future without them is gaining traction at a surprisingly slow pace.
Consensus in the identity and access management space solidly supports the notion that passwords are not the most secure way to protect data. Look no further than Verizon's 2019 Data Breach Investigations Report for proof. Of the nearly 42,000 security incidents it analyzed, 32% of the confirmed breaches involved phishing, and 29% involved the use of stolen credentials.
Moreover, there are numerous instances where users are warned to change their passwords due to exposure in a security incident. These findings underscore the need for authentication methods that do not rely on passwords.
Two buzzwords used for the concept of eliminating passwords are password-free and passwordless authentication. The terms are similar but not interchangeable. Both describe gaining access to digital content without typing a password; the key difference is the technology used to eliminate it.
More than just improving the user experience, several organizational requirements drive the shift toward eliminating passwords, according to Mesh Bolutiwi, director of Cyber GRC (Governance, Risk, and Compliance) at CyberCX.
“These include a strong emphasis on reducing data breaches, improving overall security posture, and reducing long-term support costs tied to password management,” he told TechNewsWorld.
Security More Essential Than Convenience
Passwordless solutions also improve user authentication and scalability for businesses by providing a more efficient way to meet applicable regulatory and compliance requirements.
He added that the rapid growth and sophistication of mobile computing devices have also played a significant role in purging passwords. Traditional authentication methods often fall short on these devices.
Ironically, that shortfall is prompting increased use of mobile devices to facilitate passwordless authentication. While businesses are becoming more vulnerable to password-based attacks, only a few have the means to defend against them.
Passwords are exposed to attacks that take many forms, from phishing to credential stuffing and brute force, and some of them are deceptively subtle. Passwordless authentication minimizes this risk.
Big Tech Pushing Passwordless Solutions
Google and Microsoft are paving the way for password alternatives.
Google launched an open beta for passkeys on Workspace accounts in June. It lets organizations allow their users to sign in to a Google Workspace or Google Cloud account with a passkey instead of their usual password.
Passkeys are digital credentials, based on the FIDO standards, that are tied to a user account and to a website or application. Users can authenticate without entering a username or password or providing any additional authentication factor.
Microsoft's Authenticator app lets users sign in to any Azure Active Directory account without a password. It uses key-based authentication: the credential is a cryptographic key tied to the device, which the user unlocks with a PIN or biometric. Windows Hello for Business uses similar technology.
Better Though Not Flawless
Passwordless authentication is not immune to malware, man-in-the-browser, and other attacks. Where a one-time passcode (OTP) delivered by SMS or email stands in for the password, for instance, attackers can install malware specifically designed to intercept it.
“While passwordless authentication offers a robust authentication solution, it is not entirely impervious to attacks. The risks often hinge on the method employed, be it biometrics or hardware tokens,” said Bolutiwi.
It effectively sidesteps the pitfalls of stolen credentials. Still, it is not without its own risks, such as the potential theft of hardware devices, tokens, or the spoofing of biometric data, he added.
Even so, passwordless authentication creates a significant setback for bad actors. It makes cracking into systems more difficult than traditional passwords and is less prone to most cyberattacks, according to cybersecurity experts.
Windowless Entry Reassuring
True passwordless authentication methods have no field in which to enter a password. Instead, they require another form of authentication, such as biometrics or a secondary device, to validate the user's identity.
Rather than a shared secret, the user's device presents a cryptographic credential (a key pair, with only the public key held by the service) for verification. Because no password is ever typed or stored, this removes the very thing that phishing attacks and credential theft target.
Other alternative authentication methods could eventually become more popular. These include email links, one-time passwords delivered by email or SMS, facial recognition, and fingerprint scanning. Codes sent by email or SMS can still be phished or intercepted, however, so they do not offer the same protection as a key bound to the device.
“Passwordless solutions, however, introduce a transformative approach by eliminating the concept of passwords altogether, transitioning the onus from users managing complicated credentials to more intuitive and seamless authentication methods, thus offering a more secure paradigm,” offered Bolutiwi.
Q&A Exploring the Pros and Cons of No Passwords
TechNewsWorld asked Mesh Bolutiwi to discuss his most pressing views on moving into a passwordless future.
TechNewsWorld: What is your view of the overall safety improvement offered by password replacement strategies?
Mesh Bolutiwi: Passwordless still represents an improvement in security over conventional passwords.
It is essential to recognize that no authentication system is completely immune from attacks.
As passwordless methods become more prevalent, it is only a matter of time before new attack techniques emerge, targeting potential weak points or attempting to steal biometric data.
Moreover, the rising trend of using personal devices for passwordless authentication amplifies risk, as compromising an individual’s mobile device falls outside the purview of organizational control, making mitigation challenging.
Would campaigning for users to set up more rigorous passwords help solve the problem and lessen the need for passwordless logins?
Bolutiwi: Quite simply, no. While promoting the adoption of complex passwords can offer improved security, it is not a foolproof solution. Even with efforts to bolster intricate password usage, challenges like human error, password fatigue, the risks of phishing, and mishandling persist.
Would this be a different process for non-business computer users? If so, why?
Bolutiwi: The core technology would remain the same, but the implementation might differ. Non-business users may have simpler needs without requiring integration with large-scale enterprise applications.
The adoption rate might also be influenced by different factors like ease of use rather than strict security compliance. The latter would be much more of a concern for enterprises as opposed to consumers.
How much impact will changing log-in methods have in overcoming software vulnerabilities?
Bolutiwi: Solely improving user education and strict password policies does not diminish the vulnerabilities associated with password-based authentication.
Despite their challenging nature, complex passwords can be reused across platforms, forgotten, or written down insecurely and remain susceptible to various attacks. These can include credential stuffing, phishing, and brute-force attack methods.
How would a passwordless computing world actually work?
Bolutiwi: In a passwordless world, users would authenticate using methods like biometrics — fingerprints, facial recognition, retina scans, or voice pattern recognition.
They could also use hardware tokens such as physical security keys or soft keys, smartphone-based authenticators, or even behavioral patterns. They would be identified and verified without entering any memorized secrets, using something they have or something they are.
These physical devices generate and store cryptographic keys, ensuring that only the authorized individual with the correct token can gain access. These leverage the same concept as digital certificates.
Tell us how this passwordless process works behind the scenes.
Bolutiwi: Users attempting to log in to an online resource might be prompted to scan their fingerprints via their mobile or biometric devices. Behind the scenes, a user’s public key is shared while registering for the online resource.
However, access to the private key, which is stored on the user’s device, would require the user to carry out a biometric-related action to unlock the private key. The private key is subsequently matched with the public key, and access is granted if the keys are matched.
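The behind-the-scenes flow described in the answer above, and in the "Windowless Entry" section earlier, written out as an added example that is not code from the original article or from any vendor named in it. The device generates a key pair and registers only the public key with the service; at login the service issues a random challenge, the device signs it (together with the origin of the page that asked) once the user has passed the PIN or biometric gate, and the service verifies the signature with the stored public key. The example also shows two checks the interview does not spell out: the challenge is single-use, so a captured response cannot be replayed, and the signed origin is compared with the service's own, which is what stops a look-alike phishing site from relaying a login. To run without extra packages it uses a toy RSA signature with small keys and no padding; the origin names, user name and PIN are made up.

```python
# Passkey-style challenge-response login in the Python standard library only.
# Toy RSA (small keys, no padding) keeps it dependency-free; real passkeys use
# ECDSA P-256 or Ed25519 under WebAuthn, and the browser, not the page, sets origin.
import hashlib
import json
import secrets

def _is_probable_prime(n):
    """Miller-Rabin with 32 random bases; fine for toy RSA primes."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(32):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x == 1:
            continue
        for _ in range(r):
            if x == n - 1:
                break
            x = pow(x, 2, n)
        else:
            return False
    return True

def toy_rsa_keypair(bits=512):
    """Return ((e, n), (d, n)). Toy sizes and no padding: illustration only."""
    e, primes = 65537, set()
    while len(primes) < 2:  # two distinct random primes of bits // 2 bits each
        cand = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if _is_probable_prime(cand):
            primes.add(cand)
    p, q = primes
    phi = (p - 1) * (q - 1)
    if phi % e == 0:  # e is prime, so this is the rare gcd(e, phi) != 1 case
        return toy_rsa_keypair(bits)
    return (e, p * q), (pow(e, -1, phi), p * q)

def sign(private_key, data):  # private_key is (d, n); hash, then exponentiate
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), *private_key)

def verify(public_key, data, signature):  # public_key is (e, n)
    return pow(signature, *public_key) == int.from_bytes(hashlib.sha256(data).digest(), "big")

class Authenticator:  # device side: private keys never leave it
    def __init__(self, pin):
        self._pin, self._keys = pin, {}  # username -> private key

    def register(self, username):
        public, self._keys[username] = toy_rsa_keypair()
        return public  # only the public half is sent to the server

    def sign_challenge(self, page_origin, username, challenge, pin):
        if pin != self._pin:  # PIN or biometric gate before the key is usable
            raise PermissionError("user verification failed")
        # The browser fills in the origin of the page actually loaded, so a
        # look-alike domain only ever gets a signature over its own name.
        client_data = json.dumps({"challenge": challenge, "origin": page_origin}).encode()
        return client_data, sign(self._keys[username], client_data)

class RelyingParty:  # server side: public keys only, single-use challenges
    def __init__(self, origin):
        self.origin, self.users, self.pending = origin, {}, {}

    def register(self, username, public_key):
        self.users[username] = public_key  # a stolen copy of this table is useless

    def begin_login(self, username):
        self.pending[username] = secrets.token_hex(32)
        return self.pending[username]

    def finish_login(self, username, client_data, signature):
        expected = self.pending.pop(username, None)  # consumed even if the check fails
        public_key = self.users.get(username)
        try:
            fields = dict(json.loads(client_data))
        except (ValueError, TypeError):
            return False
        if expected is None or public_key is None or fields.get("challenge") != expected:
            return False  # unknown user, no login in progress, or replayed response
        if fields.get("origin") != self.origin:
            return False  # response was minted on a look-alike site
        return verify(public_key, client_data, signature)

def demo():
    """Constructed scenario: an honest login, a replayed response, a phishing relay."""
    rp = RelyingParty("https://accounts.example.test")
    device = Authenticator(pin="1234")
    rp.register("alice", device.register("alice"))
    challenge = rp.begin_login("alice")
    client_data, sig = device.sign_challenge(rp.origin, "alice", challenge, "1234")
    honest = rp.finish_login("alice", client_data, sig)
    replay = rp.finish_login("alice", client_data, sig)  # challenge already consumed
    # A look-alike site relays a fresh challenge; the device signs it over the
    # phishing origin, so the real site refuses the forwarded response.
    relayed = rp.begin_login("alice")
    bad = device.sign_challenge("https://accounts-examp1e.test", "alice", relayed, "1234")
    return {"honest": honest, "replay": replay, "phished": rp.finish_login("alice", *bad)}
```

Calling demo() returns {'honest': True, 'replay': False, 'phished': False}. Two points of design are worth noting: the service never holds anything that lets an attacker log in, since its user table contains only public keys, and the challenge is removed from the pending list before any check runs, so a failed or replayed attempt cannot be retried against the same nonce. Real passkeys go further than this sketch: the browser records the origin itself, and the authenticator scopes each credential to the site that registered it, so on a phishing page the key would not even be found.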
What needs to happen to implement passwordless entry for business networks?
Bolutiwi: Organizations contemplating the transition to passwordless authentication must address a myriad of considerations. Infrastructure enhancements are paramount. Current systems would necessitate either upgrades or replacements to accommodate passwordless systems.
Integration is crucial during this phase, ensuring seamless compatibility between passwordless solutions and existing systems and applications, coupled with rigorous testing. Moreover, organizations must evaluate challenges tied to supporting and integrating with legacy systems, which might be incompatible with passwordless authentication standards.
Organizations must also assess their existing technology landscape for compatibility with prospective passwordless systems, factor in the costs associated with new installations, modifications, or system upgrades, and gauge their cloud adoption level.
What role might the human element play once the hardware is in place?
Bolutiwi: The human element cannot be overlooked. User training is vital, addressing both the significance and operation of new authentication tools.
Additionally, organizations should be mindful of potential user resistance, especially when passwordless methods hinge on personal devices, owing to a lack of understanding or reluctance towards this novel approach.
How would multiple authentication factors play into transitioning to a passwordless computing environment?
Bolutiwi: Combining multi-factor authentication (MFA) with passwordless systems creates a fortified authentication process, significantly elevating the security level.
Even without inputting a password, amalgamating something a user possesses, like a phone or token, with an inherent attribute such as a biometric feature presents formidable challenges for hackers attempting to replicate both.
Integrating MFA with passwordless techniques curtails the risks associated with a singular point of vulnerability. Ultimately, this enhances safeguarding systems and data and facilitates a smoother transition towards a passwordless future.
What is the advantage of MFA over relying solely on biometrics or encryption?
Bolutiwi: Biometrics alone can potentially be mimicked, and cryptographic keys deciphered. So, introducing multiple authentication layers greatly diminishes the chances of successful security breaches.
This multifaceted strategy resonates with the zero-trust security model, emphasizing continuous access assessment based on a multitude of factors rather than a solitary reliance on passwords.
What are the primary obstacles to adopting a passwordless system?
Bolutiwi: Compatibility with legacy systems, user resistance to change, and financial constraints are primary obstacles in transitioning to passwordless authentication.
Moreover, the monetary aspect of this transition related to hardware might strain an organization’s budget. Also, addressing users’ potential unawareness or hesitancy when leveraging their personal devices for authentication could be a barrier to adoption.