The world’s worst kept secret and the truth behind passwordless technology
One of the biggest security risks of modern-day business is the mass use of passwords as the prime authentication method for different applications. When the technology was first developed, passwords were perceived by individuals and businesses alike as a sure way of securing access to systems and sensitive data. Today, however, the flaws behind this form of authentication are crystal clear: not only do they make life more difficult for the user, but they also create a false sense of security and leave major holes in a business’s defenses.
Because of that, many companies are starting to transition towards passwordless technology. However, there is still some confusion about what exactly classifies as “passwordless” authentication. Some solutions that may purport to fall within the category simply save and enter the password on behalf of the user or replace it with something that is also insecure like a magic link or one-time password.
Understanding what truly constitutes a passwordless solution is the first step in making the shift towards a more secure future for organizations, as well as removing the frustrations and time-consuming processes that beleaguered users are required to step through simply to verify their identity.
The risks behind passwords
Passwords are one of the most popular ways for criminals to hack into business networks and consumer accounts. In fact, the Verizon 2021 Data Breach Investigations Report found that 61 percent of breaches over the last year involved login credentials, and haveibeenpwned currently lists more than 11 billion compromised accounts.
The fundamental flaw is that passwords are a “shared secret.” This means that both sides of the exchange are in on the secret (the password) and have it stored. These passwords are stored in a database by the application, making that database an obvious target for cybercriminals. Passwords become the proxy identifier for the users, and users often choose passwords that relate to something in their lives, including names and important dates, to make them easier to remember. But this makes it easier for adversaries to guess their passwords and gain entry to sensitive data.
Over recent years, criminals have become more successful than ever in duping their targets into handing over their login details for various accounts. They have deployed fake websites that mimic the real one, steal the password and then log the hacker into the legitimate website. They have also designed malware that runs on the user’s device and steals credentials when the user types them in. If the passwords are used for multiple accounts, the theft of one password can provide entry into multiple systems. And since users often use easy-to-guess passwords like their favorite football team or movie character, adversaries can simply employ brute force techniques where they systematically stuff popular passwords into login pages to gain access.
While some users have followed expert advice and opted for more complicated passwords with the help of a password generator, they remain at risk because the techniques previously mentioned (phishing sites and credential theft malware) simply don’t care whether the password is four or four hundred characters long.
Even password managers, which securely store passwords, aren’t a reliable solution. When a phishing email makes it to the inbox and a password is automatically submitted into a fake site by the password manager, the criminals still come out on top. These methods leave users and organizations thinking they are safer than they are. At the end of the day, authentication that relies on a “shared secret” can and will be hacked.
Understanding the alternatives
Given all the associated drawbacks of passwords, the headaches they create for users and the security risks and management overheads that organizations are burdened with – from password resets to account recovery – the search for more streamlined, secure ways to verify users and their identities should be a strategic security priority.
However, caution should still be exercised when considering alternatives that may appear to be “passwordless.” Any method that uses a shared secret can be hacked. Adding another safeguard to passwords in the form of multi-factor authentication (MFA) comes with its challenges. Besides the additional, often inconvenient steps it creates for users, legacy MFA approaches still rely on passwords as the initial security check, so the weak point in the security chain has not been removed.
Cybercriminals can hijack the password and the MFA codes via man-in-the-middle or man-in-the-endpoint attacks and then start a rogue session. Two shared secrets are not much more secure than one. Any MFA solution that relies on a second factor that can be stolen is simply not secure enough to outsmart modern attackers.
A truly passwordless approach removes both the security risks inherent in passwords and legacy MFA approaches that rely on passwords or other forms of shared secrets. A sound approach is to eliminate the password from the login flow, the application database and the account recovery flow and replace it with something inherently secure. The most reliable way to replace passwords is to use proven public/private cryptography so that no shared secrets are exchanged. This is the same approach used to protect financial transactions across the internet in the form of TLS. Transport Layer Security (TLS), indicated by the lock icon in the browser, proves the user is communicating with the legitimate server and that they are communicating over a secure/private channel. TLS uses public/private key cryptography to validate the server and to set up the secure communications channel.
Passwordless authentication based on public/private key cryptography securely stores the private key on the user’s device itself. The most secure solutions store the key in specialized hardware, which is available on modern devices (PCs, phones, and tablets), so that the private key never leaves the device and remains unknown to all parties. The public key is made available to the applications a user wishes to access, but the public key cannot be used to access the system. During login, a certificate signed with the private key is sent to the server, where the public key is used to validate that the certificate was signed by the associated private key, thus confidently authenticating the user without any shared secret exchange. Not even the user is made privy to the private key, so there is nothing that can be recorded and accidentally lost or passed on.
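The login flow described above, as an added Node.js illustration (not code from the article or from any product): the server stores only public keys, so a leaked user database, a captured login message and a lookalike site all yield nothing reusable. The Ed25519 algorithm, the single-use random challenge, the binding of the signature to the site origin and every name and URL below are assumptions of this sketch; the article itself only states that a value signed with the private key is validated with the public key.

```javascript
const crypto = require('node:crypto');

// Device side (assumed Ed25519): the private key never leaves this closure.
function enrollDevice() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const sign = (challenge, origin) =>
    crypto.sign(null, Buffer.concat([challenge, Buffer.from(origin)]), privateKey);
  return { publicKey, sign }; // only the public key is handed to the server
}

// Server side: holds public keys only. Challenge and origin binding are
// assumptions of this sketch, not details taken from the article.
class Server {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map(); // user -> public KeyObject
    this.pending = new Map();    // user -> outstanding challenge
  }
  register(user, publicKey) { this.publicKeys.set(user, publicKey); }
  startLogin(user) {
    const challenge = crypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  finishLogin(user, signature) {
    const challenge = this.pending.get(user);
    const publicKey = this.publicKeys.get(user);
    this.pending.delete(user); // each challenge is accepted at most once
    if (!challenge || !publicKey) return false;
    const signed = Buffer.concat([challenge, Buffer.from(this.origin)]);
    return crypto.verify(null, signed, publicKey, signature);
  }
}

// Constructed scenario: user name and origins are made up for the example.
function demo() {
  const device = enrollDevice();
  const server = new Server('https://app.example');
  server.register('alice', device.publicKey);
  const sig = device.sign(server.startLogin('alice'), 'https://app.example');
  const genuine = server.finishLogin('alice', sig);
  server.startLogin('alice');                        // fresh challenge issued
  const replayed = server.finishLogin('alice', sig); // old signature resent
  const c3 = server.startLogin('alice');
  const lookalike = device.sign(c3, 'https://app-example.test');
  const phished = server.finishLogin('alice', lookalike);
  return { genuine, replayed, phished };
}
```

Calling `demo()` returns the outcome of the genuine login, the replayed signature and the signature produced for the lookalike origin, in that order.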
Conclusion
The risk posed by compromised credentials is one of the biggest threats facing organizations today. As more IT and security leaders come to realize and fix the security holes created by passwords, we stand a better chance of protecting against cybercriminals intent on hacking organizations and stealing data.
Replacing old solutions with passwordless technology is a fundamental way of strengthening an organization’s defenses, as well as eradicating the frustrations felt by users in the verification processes. The benefits of passwordless are already being recognized, and as traction increases, more businesses will join the move towards a safer future. We need to move rapidly towards a world where we never have to ask another user to create a password.