One of the biggest security risks for modern businesses is the extensive use of passwords as the main authentication method for their applications. When the technology was first developed, individuals and businesses alike saw passwords as a reliable way to secure access to sensitive systems and data. Today, however, the drawbacks of this type of authentication are obvious: it makes life harder for users, creates a false sense of security, and leaves large holes in a company’s defenses.
For this reason, many companies have started to shift towards passwordless technology. However, there is still some confusion about what exactly qualifies as “passwordless” authentication. Some solutions that claim the label simply store the password and enter it on the user’s behalf, or swap it for another shared secret, such as an emailed magic link or a one-time password, that can be phished just as easily.
Understanding what really constitutes a passwordless solution is the first step towards a more secure future for enterprises, and towards eliminating the frustrating, time-consuming steps users are made to go through simply to verify their identity.
The dangers behind passwords
Stolen or guessed passwords are one of the most common ways criminals break into business networks and consumer accounts. Verizon’s 2021 Data Breach Investigations Report found that 61 percent of breaches over the past year involved login credentials, and Have I Been Pwned currently lists more than 11 billion compromised accounts.
The root problem is that a password is a “shared secret”: both parties to the exchange know it and both store it. The application keeps every user’s password in a database (hashed, if it is done properly), which makes that database an obvious target, and even hashed passwords can be cracked offline once the table is stolen. The password becomes the user’s proxy identity, and users tend to choose passwords that relate to their lives, such as important names and dates, so that they are easy to remember. That also makes them easy for an adversary to guess.
In recent years criminals have become more successful than ever at tricking targets into handing over their login details. They set up fake websites that mimic the real one, capture the password, and then log themselves into the legitimate site with it. They write malware that runs on the user’s device and captures credentials as they are typed. If the same password is used for several accounts, stealing it once opens all of them, and attackers routinely replay credentials leaked in one breach against other sites (credential stuffing). And because users often pick easy-to-guess passwords, such as a favourite football team or film character, attackers can also simply try the most common passwords against many accounts (password spraying) or brute-force a single account.
Some users have followed expert advice and adopted long, random passwords from a password generator, but they remain at risk: phishing sites and credential-stealing malware do not care whether the password is four or four hundred characters.
Even password managers, which store passwords encrypted and autofill them only on the site they were saved for, are not a complete answer. That origin matching does blunt ordinary phishing, but a user who pastes the password into a look-alike page by hand, malware on the endpoint, or a breach of the application’s own password database still exposes the secret. Tools like these make users and organizations feel more secure than they are. At the end of the day, authentication based on a shared secret can be compromised, and eventually will be.
Understand the alternatives
Given the flaws of passwords, the headaches they create for users, and the security risks and administrative costs organizations incur (from password resets to account recovery), finding more streamlined and secure ways to verify users’ identities should be a strategic security priority.
Care is still needed, however, when evaluating alternatives that merely look password-free. Any method that relies on a shared secret can be stolen. Bolting a second factor onto the password in the form of Multi-Factor Authentication (MFA) brings its own problems: besides the extra steps, which users find inconvenient, legacy MFA still relies on the password as the first check, so the weak link in the chain has not been removed.
Attackers can capture the password and the one-time code together, either with a real-time phishing proxy sitting between the user and the site (adversary-in-the-middle) or with malware on the endpoint, and then open their own session with the relayed values. Two shared secrets are no safer than one: any second factor that can be read off a screen and typed into another page can be stolen and replayed, and MFA built on such factors is not strong enough to stop modern attackers.
A truly passwordless approach removes both the risks inherent in passwords and the legacy MFA methods that still depend on them or on other shared secrets. The proper approach is to take the password out of the login flow, the application database, and the account recovery flow, and replace it with something inherently resistant to theft. The most reliable replacement is proven public-key cryptography, under which no shared secret is ever exchanged. This is the same approach that protects online financial transactions through Transport Layer Security (TLS), indicated by the lock icon in the browser: the server proves its identity to the browser by demonstrating possession of the private key that matches its certificate, and the two then set up an encrypted channel. Passwordless authentication applies the same idea in the other direction, so that the user proves their identity to the server.
Passwordless authentication based on public-key cryptography keeps the private key on the user’s own device. The most secure solutions store it in dedicated hardware (a secure element or TPM, now standard in modern computers, phones and tablets) so that the private key never leaves the device and is unknown to every party, including the user. The public key is given to each application the user wants to access; it can verify signatures but cannot be used to log in, so stealing the application’s database yields nothing reusable. At login the server issues a fresh random challenge, the device signs it with the private key, and the server checks the signature with the stored public key. A valid signature proves possession of the private key, and thus authenticates the user, without any shared secret changing hands. In the FIDO2/WebAuthn standard the signed data also includes the origin the browser is actually talking to, so a signature produced on a look-alike phishing site will not verify at the real one. The user is never even told the private key, so there is nothing to be logged, lost or handed over by mistake.
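The challenge-and-signature exchange described above, as an added example that is not code from the original article or from any product it describes. It is a deliberately simplified model of the WebAuthn idea, not the WebAuthn wire format: Ed25519 from the Go standard library stands in for the device’s signing algorithm, and the origin `https://bank.example`, the look-alike `https://bank-example.com` and the user `alice` are constructed for illustration. It runs a legitimate login, a relayed phishing attempt and a replay, and shows why only the first succeeds:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Server is the relying party (constructed example): it stores only public keys and issues one single-use challenge per login.
type Server struct {
	origin  string                       // origin this server is really served from
	users   map[string]ed25519.PublicKey // username -> registered public key
	pending map[string][]byte            // username -> outstanding challenge
}

func NewServer(origin string) *Server {
	return &Server{origin: origin, users: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Register stores the user's public key. A stolen copy of this table is useless for login.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.users[user] = pub }

// NewChallenge returns 32 random bytes the device must sign, valid for one attempt.
func (s *Server) NewChallenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[user] = c
	return c, nil
}

// Verify checks the signature over (this server's origin || challenge) and consumes the challenge, so a captured signature cannot be presented twice.
func (s *Server) Verify(user string, sig []byte) (bool, error) {
	pub, known := s.users[user]
	c, outstanding := s.pending[user]
	if !known || !outstanding {
		return false, errors.New("unknown user or no outstanding challenge")
	}
	delete(s.pending, user)
	return ed25519.Verify(pub, signedPayload(s.origin, c), sig), nil
}

// signedPayload binds the challenge to an origin; the length prefix keeps
// "a"+"bc" and "ab"+"c" from producing identical bytes.
func signedPayload(origin string, challenge []byte) []byte {
	p := make([]byte, 0, 2+len(origin)+len(challenge))
	p = append(p, byte(len(origin)>>8), byte(len(origin)))
	p = append(p, origin...)
	return append(p, challenge...)
}

// Authenticator models the user's device. The private key is generated here and
// never exported; the user never sees it and cannot type it into a form.
type Authenticator struct{ priv ed25519.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

func (a *Authenticator) PublicKey() ed25519.PublicKey { return a.priv.Public().(ed25519.PublicKey) }

// Sign covers the challenge and the origin the browser is really on, so a signature
// made on a look-alike site covers different bytes and fails at the real server.
func (a *Authenticator) Sign(origin string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, signedPayload(origin, challenge))
}

// Scenarios runs a legitimate login, a relayed phishing attempt and a replay.
func Scenarios() (legit, phished, replayRejected bool, err error) {
	srv := NewServer("https://bank.example")
	auth, err := NewAuthenticator()
	if err != nil {
		return false, false, false, err
	}
	srv.Register("alice", auth.PublicKey())
	// 1. Alice is really on https://bank.example.
	c1, _ := srv.NewChallenge("alice")
	sig1 := auth.Sign("https://bank.example", c1)
	legit, _ = srv.Verify("alice", sig1)
	// 2. A phishing proxy fetches a real challenge and relays it to Alice on the
	//    look-alike origin; her device signs for that origin, not the real one.
	c2, _ := srv.NewChallenge("alice")
	phished, _ = srv.Verify("alice", auth.Sign("https://bank-example.com", c2))
	// 3. Someone who captured sig1 resubmits it; no challenge is outstanding.
	_, rerr := srv.Verify("alice", sig1)
	return legit, phished, rerr != nil, nil
}

func main() {
	fmt.Println(Scenarios()) // true false true <nil>
}
```

Run it with go run. The server holds nothing but public keys and a single-use challenge, the device signs challenge plus origin, and a signature obtained on the wrong origin or presented a second time is rejected; that is the whole reason this design resists the phishing and replay attacks that defeat passwords and one-time codes. A real deployment would additionally tie the challenge to a login session and expire it after a short timeout.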
Compromised credentials are among the biggest threats organizations face today. As more IT and security leaders recognize and close the holes created by passwords, we stand a better chance of stopping criminals intent on breaking into organizations and stealing data.
Replacing outdated solutions with passwordless technology is an essential way to strengthen an organization’s defenses and to eliminate user frustration with verification. The benefits have already been recognized, and as adoption grows more companies will join the move toward a more secure future. We need to move quickly toward a world in which we never have to ask another user to create a password.