Why it’s time to move towards a passwordless future
Adversaries don’t need to use sophisticated methods to gain access to enterprise systems or to deploy ransomware – they can just buy or steal credentials and log in.
By burdening users with the near-impossible task of maintaining “secure passwords,” businesses ultimately give people a huge and unfair level of responsibility for security. As a result, many organizations are relying on what amounts to a roll of the dice to protect themselves and their customers from attackers.
Band-aids don’t fix bullet holes
The Verizon Data Breach Investigations Report (DBIR) and study after study remind us that passwords – a “shared secret” that both the user and the server have to hold – are a fundamentally insecure way of validating users, and that stolen credentials are, year after year, among the most common ways attackers get into an organization.
Unfortunately, most organizations put the burden on their users to mitigate the risks associated with password use: they require their employees or customers to create longer/stronger passwords and force frequent password changes.
This does not fix the issue and creates a very frustrating user experience. Current NIST guidance (SP 800-63B) in fact recommends against both forced periodic rotation and composition rules, favouring length and screening new passwords against lists of known-breached ones. One widely cited study found that the average person juggles around 100 passwords – a daunting task for anyone. It’s hardly surprising that mistakes are made and that an element of fatigue sets in.
What’s more, this approach to security means the user is also responsible for keeping all their relevant personal information secure, even when security breaches mean billions of personal data records, passwords included, are readily available on the dark web.
“Strong” passwords are a myth
To be clear, there is no such thing as a “secure password.” Adversaries use social engineering to trick users into handing over their password, or deploy malware to steal it. Even if an employee or customer follows all the advice provided and chooses a “long, strong password,” it doesn’t matter. That advice is predicated on making the password harder to “crack”: a server stores passwords as hashes, and cracking means guessing candidate passwords and hashing each one until a match is found, so length and complexity only raise the cost of an offline guessing attack against a stolen hash. Adversaries rarely bother. Instead they take the password in the clear, before it is ever hashed: infostealer malware on the endpoint reads it from the browser or the keyboard, and adversary-in-the-middle (AitM) phishing proxies relay the real login page and capture whatever the user types, together with the session cookie issued afterwards. Malware is equally able to steal a three-character password or a three-thousand-character one, with or without special characters.
Thus, mixing letters and symbols and constructing the perfect twelve-character password does nothing to solve the issue: social engineering and readily available tooling make it easy to steal “strong” passwords. Assuming your organization or your customers will be safe because they use longer, stronger passwords is a myth. As long as passwords remain in use, they will be stolen and used to commit cybercrime in all its forms.
Limitations of password managers
About the only thing an end user can do to partially protect themselves is to choose a unique password for each account. This limits the attacker’s ability to use credential stuffing, i.e., taking a username and password stolen from one site and trying the same pair on many other sites. The technique is often successful because employees and customers so often reuse the same password across multiple sites.
Enter password managers. This approach has grown in popularity because it enables users to create and store unique passwords for all their many applications, systems and services. Thus, if their Facebook password is stolen, the adversary cannot use it to log into their bank. However, it doesn’t fix the inescapable shortcomings of the password approach. It limits password reuse attacks but does not stop the other attacks noted above.
Password managers do nothing to prevent attacker-in-the-middle or attacker-on-the-endpoint tactics. The login flow is the same; the only difference is that the password comes from the manager rather than from the user’s memory, and once it is in the page an AitM proxy or endpoint malware captures it just the same. A manager’s domain-matching autofill will at least refuse to fill a lookalike domain, which is a useful warning sign, but it does nothing against social engineering – the user can still open the password manager, read the password and give it to the bad guy.
But password managers have another drawback: they massively concentrate the risk. Since all the user’s passwords are stored in a single database, in the cloud and on the user’s device, the potential impact of a breach is far greater. And password managers protect that database with – you guessed it – a password! If an attacker is able to steal this main password, they have access to all your passwords. In December 2022, for example, password manager LastPass disclosed that attackers had made off with, among other things, backups of customer vault data. Those vaults were encrypted with keys derived from each customer’s master password, which left anyone with a short or reused master password exposed to offline cracking.
Ultimately, password managers don’t provide the level of security required for today’s connected economy. So, what’s the alternative?
The problem with MFA
MFA is often hailed as the fix for password weakness. Instead of a single password, users present additional evidence of their identity to access their accounts. However, first-generation MFA is weak because the factor it adds is itself easily phished.
For example, one-time passwords sent by email or SMS, codes from an authenticator app and magic links are all phishable: an adversary-in-the-middle proxy sitting in front of the real login page relays the prompt to the user, relays the code back to the real site, and walks away with the authenticated session cookie. Push notifications are subject to social engineering tactics such as “prompt bombing” (also called MFA fatigue), where the adversary, already holding the password, triggers request after request until a worn-down user taps approve; number matching blunts the fatigue attack but does nothing against a proxy. Open-source tools make bypassing first-generation MFA routine, making it clear that two weak factors don’t add up to a strong security solution.
The future is passwordless, phishing-resistant MFA
A fundamental change in approach is required to protect employee and customer accounts and to remove the burden on end users. Organizations globally are making a concerted effort to implement next generation, secure authentication technologies. Many are moving to passwordless and phishing-resistant authentication approaches that combine public key cryptography with the biometric or PIN-based user verification built into modern devices. This provides two strong factors: possession of a private key that never leaves the device, and a biometric or PIN that is checked locally on the device and never sent to the server, so there is nothing for a phishing page to collect.
Solutions employing the FIDO2 (Fast Identity Online) standard will provide the foundation for the next generation of passwordless, phishing-resistant MFA. FIDO-based solutions use passkeys, which rest on the same public/private key cryptography already deployed globally in Transport Layer Security (TLS, a.k.a. the lock in the browser) to secure communication between users and websites. A passkey is a key pair created for one specific site: the server stores the public key, the private key stays on the device, and each login is a signature over a fresh server challenge plus the origin of the page the browser is actually on. The browser will not use the credential for any other domain, and a signature made on a lookalike domain is rejected by the genuine site, so an adversary-in-the-middle proxy has nothing it can relay or replay.
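To make the origin-binding argument concrete, here is a stripped-down Go model of a WebAuthn login ceremony with both sides in one file. It is example code written for this article, not code from any FIDO vendor, browser or library. The authenticator signs a relying-party challenge together with the origin the browser reports; the server checks that the challenge is one it issued and has not seen used, that the origin is its own, and that the signature verifies against the registered public key. The relying party bank.example, the lookalike bank.example-login.net and the in-memory key pair are all constructed for the demo, and the authenticator-data layout is simplified to rpIdHash, flags and a counter.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

var (
	ErrChallenge = errors.New("unknown or already-used challenge")
	ErrOrigin    = errors.New("origin mismatch: assertion was made on another site")
	ErrSignature = errors.New("assertion is not validly signed for this relying party")
)

// clientData holds the fields of WebAuthn's clientDataJSON used here. The browser,
// not the page's JavaScript, fills in Origin, so a phishing page or proxy cannot forge it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the browser hands the relying party after a login ceremony.
type Assertion struct {
	ClientDataJSON []byte
	AuthData       []byte // simplified: SHA-256(rpID) || flags || 4-byte counter
	Signature      []byte // ES256 over authData || SHA-256(clientDataJSON), DER-encoded
}

// signedMessage pre-hashes the signed bytes, as ES256 (ECDSA P-256 with SHA-256) does.
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Assert plays the authenticator. origin is the page the browser is actually on;
// a real passkey keeps priv in a secure element or TPM rather than in memory.
func Assert(priv *ecdsa.PrivateKey, rpID, origin, challenge string) (Assertion, error) {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 0) // flags: user present; counter 0
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cd))
	return Assertion{ClientDataJSON: cd, AuthData: authData, Signature: sig}, err
}

// RelyingParty is the server side: its identity, the user's registered public key
// and the challenges it has issued but not yet seen used.
type RelyingParty struct {
	RPID, Origin string
	Pub          *ecdsa.PublicKey
	issued       map[string]bool
}

// NewChallenge issues a fresh random challenge that may be used exactly once.
func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy source; nothing sensible to do
	}
	c := base64.RawURLEncoding.EncodeToString(b)
	rp.issued[c] = true
	return c
}

// Verify performs the checks that make the ceremony phishing- and replay-resistant.
func (rp *RelyingParty) Verify(a Assertion) error {
	var cd clientData
	if json.Unmarshal(a.ClientDataJSON, &cd) != nil || cd.Type != "webauthn.get" || !rp.issued[cd.Challenge] {
		return ErrChallenge
	}
	delete(rp.issued, cd.Challenge) // single use, so a replayed assertion fails the check above
	if cd.Origin != rp.Origin {
		return fmt.Errorf("%w: got %q, want %q", ErrOrigin, cd.Origin, rp.Origin)
	}
	rpHash := sha256.Sum256([]byte(rp.RPID))
	if len(a.AuthData) < 37 || string(a.AuthData[:32]) != string(rpHash[:]) ||
		!ecdsa.VerifyASN1(rp.Pub, signedMessage(a.AuthData, a.ClientDataJSON), a.Signature) {
		return ErrSignature
	}
	return nil
}

// RunScenarios plays a genuine login, an AitM-proxied login and a replay against one
// relying party and returns each outcome (nil means the login was accepted).
func RunScenarios() (genuine, proxied, replayed error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	rp := &RelyingParty{RPID: "bank.example", Origin: "https://bank.example",
		Pub: &priv.PublicKey, issued: map[string]bool{}}
	// 1. The user really is on https://bank.example.
	a1, _ := Assert(priv, rp.RPID, "https://bank.example", rp.NewChallenge())
	genuine = rp.Verify(a1)
	// 2. An AitM proxy relays the real challenge, but the victim's browser is on the
	//    lookalike domain and records that origin, so a correctly signed assertion is refused.
	a2, _ := Assert(priv, rp.RPID, "https://bank.example-login.net", rp.NewChallenge())
	proxied = rp.Verify(a2)
	// 3. The attacker re-submits the captured genuine assertion.
	replayed = rp.Verify(a1)
	return genuine, proxied, replayed
}

func main() {
	g, p, r := RunScenarios()
	fmt.Println("genuine:", g, "| proxied:", p, "| replayed:", r)
}
```

Running it accepts the genuine login and rejects the other two, the proxied one with an origin mismatch even though its signature is mathematically valid, the replay because its challenge has already been consumed. A real browser adds a layer this model skips: it refuses to offer a credential at all when the requested RP ID is not a registrable suffix of the page’s domain, so the lookalike case is normally stopped on the client before the server ever sees an assertion. Contrast this with a password or an OTP, where the thing the user submits is just as valid on the attacker’s page as on the real one.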
Solutions that also keep the private key in a Trusted Platform Module (TPM) – a secure cryptoprocessor standardised as ISO/IEC 11889 and built into modern endpoint devices – or in a comparable secure element significantly mitigate man-on-the-endpoint attacks, because malware can no longer copy the key off the machine. The caveat is that malware running on an unlocked device can still ask that key to sign, or simply steal the session token issued after login, so device-bound keys are best paired with device health checks and short-lived sessions.
By relieving users of the responsibility for securing sites, services and apps, organizations can deliver a transformational boost to the weakest links in cybersecurity. In a world where the growth of password-dependent digital services continues to be matched by the success of bad actors, this represents a win-win for security teams under pressure to deliver better protection without impacting the user experience.