We asked industry experts: Will a passwordless future help to ensure effective cybersecurity? Here’s what they said:
James Dawson, Cybersecurity Solutions Engineer, Varonis
There are some inherent problems with passwords:
- Many people use passwords that are weak. One study found 81% of hacking-related breaches used stolen or weak passwords.
- Passwords are relatively easy to steal. Either through social engineering or because people store them insecurely or write them down because they have difficulty remembering a complex password.
- People often re-use passwords. If a poorly designed website stores member passwords in clear-text and is then the victim of a data breach, the attackers have a good chance of being able to access many other services using the same username/password combination.
- The weaknesses of passwords are a driving factor behind the rise of multi-factor authentication and password managers. These both increase security; however, they are merely a patch for an already weak system.
- We should move away from ‘something you know’ to ‘something you have’ or ‘something you are.’ Alternatives that will ensure adequate security in the future:
- Biometrics – fingerprint, voice, face, iris, heartbeat– fingerprint readers and face-ID are already widely used on smartphones and tablets and are becoming more common on laptops. Biometrics cannot be stolen and are much more difficult to copy.
- One-time passwords. Systems that send a one-time password to your phone are more secure than weak passwords, but if your phone is stolen, someone would then have access to your accounts.
- A hardware token, such as a key fob or smartphone.
- Software tokens as used in asymmetric cryptography.
- Several individuals and organisations have ‘predicted’ the end of passwords, most notably Bill Gates and IBM; however, so much of our IT infrastructure is built around passwords as an authentication method.
- They are still very simple to implement, cross-compatible with many different systems, users know how to use them and they don’t require expensive or difficult-to-access hardware to work, unlike biometrics and hardware tokens. But they are a weak form of authentication security and we are moving away from them slowly.
- A passwordless future will eventually become reality – though it will likely take longer than we think, it will ensure more effective cybersecurity.
Jeremy Daly, Cybersecurity Product Manager at DDLS
Passwords have been around for millennia – there are references in the Bible, and every child knows how Ali Baba opened the magical cave by uttering ‘open sesame’. The modern computer password was introduced in 1960 by Fernando Corbató, a computer scientist at MIT.
Today, passwords have become somewhat of a nuisance, especially for IT professionals. Organizations would be lost without access to the many online resources they use day in and day out for work, but they also need a long list of passwords to protect each of them.
The password is the most problematic item which affects most people when using computers. For many years we have had to contend with short complex passwords which are easy for a computer to hack but difficult for us humans to remember.
IT professionals spend many hours managing these lists of employee passwords. According to a survey undertaken by LastPass, a provider of identity and access management technology, IT managers today spend an average of five hours per week managing passwords.
Passwords are far from perfect. Password compromises are estimated to be the root cause of 80% of all data breaches. Ninety two percent of respondents to the LastPass survey believe passwordless authentication to be the way forward.
Some key alternatives to passwords include:
- Biometric authentication – enabling employees to securely authenticate and bypass typing in a password by using their face or fingerprint.
- Single sign-on, which eliminates the need for employees to use multiple passwords by using only one set of credentials to give them access to all resources. This way, we only have to remember a single SSO system password.
- Moving on to a token system: often smart cards, RSA SecurID or SafeWord tokens. Smart cards and physical tokens are becoming very scarce these days, with ‘soft tokens’ becoming more common. Most of us already use soft tokens when using Internet banking, where we log on using a (usually numeric) ID and short password (as banks are still frequently using mainframe computers for authentication), but the more secure part is when we get a numerical token on our mobile phone which we need to enter in order to complete the authentication.
- Federated identity, which integrates with an existing IT ecosystem and user directory login details, so users need only one password to unlock their work.
While passwordless might be the way forward, it won’t be easily, or completely, achieved. Seventy four percent of organizations in the Lastpass survey thought their end-users would prefer to continue using passwords, because they were familiar with them.
Respondents also identified challenges in the deployment of a passwordless authentication model: the initial investment required to implement such a system; regulations around the storage of the data required; and the time taken to migrate users to a new system.
When you consider all these alternatives, it would certainly be possible to have a passwordless authentication system in the future. For example, instead of using a traditional password, a combination of a digitally-recorded signature, and biometric scan can provide more security than a password ever could, with just as much ease.
We already live in a world where passwords are no longer required; all we do is need to convince companies to replace passwords with other factors and we are effectively password free.
After all, it is more secure to use a PIN or facial recognition when logging on to a Windows 10 computer than it is to use a password. Why? We must be in front of the computer to use a PIN or facial recognition, whereas a password can be captured and used remotely.
Venu Vissamsetty, Vice President Security Research at Attivo Networks
Passwordless authentication is an authentication mechanism where users can authenticate without typing in passwords, 2FA, or one-time passcodes. Passwordless authentication is common in newer versions of smartphones that support Touch ID and Face ID and allows login without typing passwords.
Eliminating passwords minimizes the risk of breaches and lowers the cost of ownership. It reduces the burden of managing password policies, password expiration, password reset, etc. Due to complex password policies, people tend to reuse passwords across different accounts.
Passwordless authentication helps organizations defend against:
- Brute force attacks: attackers try many combinations of passwords to gain account access.
- Credential stuffing attacks: a type of attack where compromised credentials are used to gain unauthorized access using automation.
- Password spray attacks: an attack that attempts to log in to a large number of accounts with a few commonly used passwords.
- Spear phishing attacks: email spoofing attacks where users are convinced to provide their login credentials.
Passwordless authentication works well for end-user authentication. Most of the vulnerabilities associated with passwords will decrease as there are no credentials to steal or hack, improving overall cybersecurity.
Organizations also deploy a large number of non-human accounts known as service accounts. Windows systems use managed service accounts to deploy services, cloud providers need service accounts to run workloads, provide permissions to service accounts to access cloud resources, etc.
An attacker who gains access to these service accounts will have full access to the resources that the service account has access to. Organizations should complement passwordless authentication by deploying a central secret vault store and rotating secrets for service accounts. Rotating secrets for service accounts minimizes risk and improves organization security.
While passwordless authentication and central vaults significantly reduce the risk, organizations should be on the constant lookout for ransomware and other forms of attacks that propagate inside the network after stealing user identity. Attackers, once they get a foothold on the endpoint, quickly map and enumerate the environment, locate mapped network shares, domain controllers, access to cloud infrastructure, etc.
Attackers can compromise service accounts, perform exploitation to gain remote access and deploy ransomware across the network. Impersonating service accounts using a Kerberos Silver Ticket attack is one of the popular attacks performed by attackers.
Similarly, the recent CVE-2020-1472 ZeroLogon vulnerability allows attackers unauthenticated access to domain controllers. A pair of zero-day vulnerabilities in Google Chrome (CVE-2020-15999) and Microsoft Windows (CVE-2020-17087) are being chained together and exploited to gain administrator access to a system. Organizations investing in passwordless authentication should continue to focus on detecting and minimizing damage from attackers targeting post-authentication exploitation. Notwithstanding these attacks, passwordless authentication is a good beginning to eliminate and reduce the attack surface and improve cybersecurity.
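The four password attacks listed above leave different shapes in authentication logs, which is what a detection engineer keys on. The following is an added example, not Attivo Networks code: a heuristic classifier run over constructed log lines. The log format (`<epoch> <source_ip> <username> <ok|fail>`), the sample data and every threshold are assumptions to be tuned against a real baseline.

```python
"""Heuristic detection of brute force, password spray and credential stuffing
over authentication logs (added illustration; log format, sample lines and
thresholds are constructed for the example)."""
from collections import defaultdict

WINDOW = 300              # seconds per analysis bucket
MIN_FAILURES = 10         # failures from one source before it is interesting
SPRAY_MAX_PER_USER = 2    # spray: many users, each hit only once or twice
STUFFING_MIN_PAIRS = 10   # stuffing: many distinct (source, user) pairs tried once...
STUFFING_MIN_IPS = 10     # ...from many distinct sources (distributed)
STUFFING_FAIL_RATIO = 0.6 # ...with a failure rate well above normal logins


def parse_line(line: str):
    """Constructed format: '<epoch> <source_ip> <username> <ok|fail>'."""
    ts, ip, user, outcome = line.split()
    return int(ts), ip, user, outcome


def classify_source(events):
    """events: (ts, user, outcome) tuples for one source inside one bucket."""
    failures = [user for _, user, outcome in events if outcome == "fail"]
    if len(failures) < MIN_FAILURES:
        return None
    per_user = defaultdict(int)
    for user in failures:
        per_user[user] += 1
    if len(per_user) == 1:
        return "brute_force"            # one account hammered repeatedly
    if max(per_user.values()) <= SPRAY_MAX_PER_USER:
        return "password_spray"         # many accounts, shaped to dodge lockout
    return "brute_force"                # a handful of accounts, each hit hard


def detect(lines):
    events = [parse_line(l) for l in lines]
    alerts = []

    per_source = defaultdict(list)
    for ts, ip, user, outcome in events:
        per_source[(ts // WINDOW, ip)].append((ts, user, outcome))
    for (_, ip), evs in sorted(per_source.items()):
        label = classify_source(evs)
        if label:
            alerts.append((label, ip))
    noisy = {ip for _, ip in alerts}

    # Credential stuffing looks different: each leaked pair is tried once, usually
    # from many sources, so no single source trips the per-source rules. Look for
    # a wave of one-shot attempts whose failure rate is far above the baseline.
    per_bucket = defaultdict(list)
    for ts, ip, user, outcome in events:
        if ip not in noisy:
            per_bucket[ts // WINDOW].append((ip, user, outcome))
    for bucket, evs in sorted(per_bucket.items()):
        attempts = defaultdict(list)
        for ip, user, outcome in evs:
            attempts[(ip, user)].append(outcome)
        one_shot = {pair: o[0] for pair, o in attempts.items() if len(o) == 1}
        if len(one_shot) < STUFFING_MIN_PAIRS:
            continue
        ips = {ip for ip, _ in one_shot}
        fails = sum(1 for o in one_shot.values() if o == "fail")
        if len(ips) >= STUFFING_MIN_IPS and fails / len(one_shot) >= STUFFING_FAIL_RATIO:
            alerts.append(("credential_stuffing", f"{len(ips)} sources in bucket {bucket}"))
    return alerts


# Constructed sample log: all inside one 300 s bucket.
BASE = 1_700_000_000
SAMPLE_LOG = (
    [f"{BASE + i} 10.0.0.5 alice fail" for i in range(12)]                 # brute force
    + [f"{BASE + 20 + i} 10.0.0.9 user{i:02d} fail" for i in range(12)]    # spray
    + [f"{BASE + 40 + i} 198.51.100.{i} leaked{i:02d} {'ok' if i < 2 else 'fail'}"
       for i in range(12)]                                                 # stuffing
    + [f"{BASE + 60 + i} 192.0.2.{i} staff{i} ok" for i in range(3)]       # normal
)

if __name__ == "__main__":
    for label, where in detect(SAMPLE_LOG):
        print(f"{label:20s} {where}")
```

The per-source rules separate brute force (one user, many failures) from spray (many users, few failures each); stuffing is only visible in aggregate, which is why the second pass excludes sources already flagged and then looks at one-shot attempts across the whole bucket.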
Mark Sinclair, Regional Director Australia, New Zealand and Pacific Islands, WatchGuard Technologies.
Start a conversation about IT security and it won’t be long before the subject of passwords is raised.
A cornerstone of security infrastructures for years, passwords, when used as the sole authentication method, have become a real security challenge for businesses. This is mainly due to the inherently insecure nature of passwords. Lax practices such as writing them down and never changing them can make them a relatively easy gateway into centralized IT resources.
As a result, some envision a passwordless future where other security measures will take their place. If replaced by just biometrics or a hardware token then it is still only offering a single factor of authentication. While probably better than a password, these still fall well short of strong authentication.
To secure business assets, strong authentication should feature multiple factors of authentication:
- Something you know (a password or a PIN)
- Something you have (a security token or smartphone)
- Something you are (a biometric)
- Somewhere you are (geolocation)
A layered approach
Passwords are destined to remain key when creating secure infrastructures, but will represent just one component of a more sophisticated authentication process.
For this reason, ensuring passwords remain secure is important. Some of the steps that can be taken to ensure this include:
- Use long passwords of more than 16 characters to improve their security against brute-force attacks
- Consider using non-English words to help guard against so-called ‘dictionary attacks’
- Adopt a password manager to avoid having to remember large numbers of individual passwords for different applications
The importance of multi-factor authentication
An effective layered approach to security uses multi-factor authentication (MFA). Passwords are one element of MFA, which also requires other factors such as a generated PIN or fingerprints and facial scans.
It’s important to note, however, that not all MFA platforms are created equally, and some are more secure than others. For example, the most common approach – where a user receives a text message containing a generated code that must be entered to gain access to a system – has a weakness because it is possible for a hacker to intercept the message and gain access.
A much better approach is to adopt a push notification-based solution. This approach makes use of an encrypted channel to send authentication request verifications to a user’s smartphone. Because of the way in which this notification is sent, it is significantly more secure than a text message-based equivalent. It is also just as convenient.
To make things even more secure, organizations can require users to use a third type of authentication when requesting access. For example, users may need to enter a password, a secure push notification and offer a biometric factor such as fingerprint. All three must be provided before any access is granted.
While there may initially be pushback from users when required to take these extra steps, the additional security they provide is well worth the effort. Take the time to explain to your IT users why the new requirements are being put in place and the benefits that they deliver.
Maintaining passwords as part of an MFA-based authentication system makes sense and is likely to remain the best approach for organizations for some time to come. If you are still relying on passwords alone, now is the time for change.
Thomas Fikentscher, Regional Director ANZ, at CyberArk
My short answer is ‘it will help, but it’s certainly not a panacea’. My longer answer is somewhat more nuanced.
We believe the real benefit of a passwordless future will be to provide a better user experience and in turn organizations will be more inclined to reinforce cybersecurity protocols.
Working backwards, we all know that although business users are told to use strong, complex and individual passwords, many reuse existing passwords or create weak and easy to remember passwords – all of which are a gift for cybercriminals. Multi-factor authentication was introduced to overcome these limitations, asking users for both a password and a code from an app on their phone or some form of biometric authentication like a thumbprint.
The problem with this approach is some organizations worry that the additional steps can impact productivity, particularly for developers and cloud architects who rely on speed and agility. But these same developers and architects are often the most privileged users within an organization and therefore the most attractive shortcut for attackers.
In this respect, passwordless solutions which grant access according to permission or something that can’t be obtained by anyone other than the correct user (such as biometric identification) can encourage stronger cybersecurity practices as they don’t get in the way of agility. It also reduces the risk of passwords being stolen via sophisticated cyberattacks involving credential harvesting, which commonly start with phishing attacks or using a weak or re-used password. After all, if a user is never exposed to the password in the first place, passwords can’t be stolen.
Despite this, passwordless solutions aren’t a panacea for several reasons.
First up, when it comes to securing access to extremely sensitive assets (like access to the root account of a newly provisioned machine or a service account running mission critical services) stronger security controls than ordinary passwordless tools provide are needed.
Access to Tier 0 and Tier 1 systems, which contain the most critical assets in an organization (for example, a Tier 0 would be a core banking system of a major bank and a Tier 1 an asset like a core database which supports a Tier 0 system), should be protected with a comprehensive Privileged Access Management (PAM) solution. These solutions can vault and isolate credentials so users never know them – making them passwordless – but also provide additional layers of security like session monitoring, recordings and analytics-based threat detection.
Secondly, the world of cybersecurity is a constantly evolving and transforming space. While we may be moving to a world where passwords are no longer the weakest link, the reality is that as one issue is addressed, another might take its place. In a passwordless world, organizations then must consider how they manage the security of biometric data in a way that is privacy compliant. This then has its own complexities and challenges.
Any true passwordless solution has to rely on strong cryptographic standards such as certificates and combine user identities with contextual information such as device fingerprints and security posture.
A topic for another day perhaps.
Craig Searle, Director, CyberSecurity Consulting (Pacific), Trustwave
The history of cybersecurity is the history of silver bullets promised, but never delivered. Passwordless authentication is the next such silver bullet: a bright, shiny antidote for the complicated and enduring problem of secure access.
The issue of secure access has grown more urgent with the rise of work-from-home and research showing that the majority of breaches continue to be caused by social engineering and credential theft.
The stealing and cracking of passwords is central to this issue since, despite an increased focus on cyber hygiene, people understandably skew the balance of secure access in favor of access, which means duplicated passwords and sloppy practices.
Passwordless authentication promises to nail that balance by ensuring both ease of use and security, but even one of the leading organizations encouraging a passwordless evolution has recognized that an entirely passwordless future isn’t just around the corner.
Their research, a survey of 750 IT professionals, showed both the problem of passwords (a 25% increase from 2019 of manager time dealing with password issues) and the likelihood that ‘passwords are not going away completely’ (85% reported this).
Frankly, the impediments to passwordless adoption (mainly time, money and other resources) were cited as substantial by nearly half the respondents.
This is understandable since the big challenge with passwordless authentication is that a given user’s entire password ‘ecosystem’ also needs to be passwordless (or otherwise very secure) in order for the solution to be truly effective.
Consider the following problems:
- Passwordless app emails a one-time link to a designated email account, but the user has a poor password to protect their email
Because of the legacy approaches to passwords and authentication, it is very difficult for users to eliminate all of the weak links in the authentication chain. And it is exactly those weak links that are what we see as being the most frequently targeted by attackers.
So what should users do if they want to start moving to passwordless authentication? While it might seem a little counterintuitive, the first step is to cease the use of ‘simple’ authentication regimes or at the very least ensure only multi-factor authentication regimes are used.
Once that is done, then the user can have great assurance that the passwordless regimes that may leverage that authentication ecosystem are not undermined by poor security controls.
Dongle/YubiKey password devices can be great from a security perspective, but difficult from a mass adoption perspective. They can also be just another thing for someone to remember and may not be universally workable because of different port configurations. Corporate culture matters too. We did some research that indicated that having company-branded password devices seemed to work because it denoted status, but this wasn’t universal, and in some sense the rise of extra factors (SMS, OTP, TOTP and now push auth requests) are filling the gap adequately for the vast majority of people.
So while passwordless is definitely in our future, before it comes, and for long after, embracing the boring stuff like good cyber hygiene practices will be the way to go.
Joon Hyuk Lee, APAC Market Development Director, FIDO Alliance
Passwords are vulnerable and a shift away from them is a must for robust cybersecurity. According to the World Economic Forum, the average consumer keeps track of more than 191 pairs of usernames and passwords. The challenge is that passwords are hard to remember and keeping track of hundreds of passwords makes it almost impossible. This is why most people tend to reuse the same passwords, or they make minor variations of a few passwords. Currently, about 80% of data breaches occur due to poorly managed, easily guessed or stolen passwords.
In the IoT space, there is a greater need for passwordless authentication. IDC estimates that there will be 41.6 billion connected IoT devices globally by 2025, opening up opportunities for increased efficiencies. Yet, lack of IoT security standards and typical processes such as shipping with default password credentials and manual onboarding leave devices, and the networks they operate on, open to large-scale attack.
In recent years, MFA was introduced. In MFA, another element – such as an OTP – other than the password itself, is needed to authenticate the user. This was thought to be bullet-proof as there is an additional layer of security. However, password-based MFA can still be compromised. Even time-synchronized OTPs are vulnerable, as they leverage the same shared-secret approach that passwords use, which are susceptible to hacking and phishing attacks.
One possible solution is passwordless MFA standards. FIDO Alliance, for instance, developed an MFA standard that can help thwart attacks while delivering a secure and user-friendly experience. The alliance – an industry consortium with 250-plus member and partner organizations around the world – was founded in July 2012 with the goal to develop open industry standards for simpler, stronger authentication, while addressing the problems users face with managing multiple usernames and passwords.
FIDO’s standards are designed around public key cryptography and the way it works is pretty simple. A pair of keys is generated when a user registers with an online service. The public key is then used to verify the private key in a two-step authentication method – a process that guards information from unauthorized revelation and access as only the user has access to the private key, which cannot be tracked by hackers and the information never leaves the local device.
Users can then have more control during their logins and don’t have to worry about account takeovers. More importantly, these standards are phishing-proof.
The FIDO standard has already been adopted by companies around the world, including major technology vendors like Apple, Dropbox, Google, Twitter and LINE. Most of us may already be using these seamless and secure login methods when we login to our email accounts or access our bank accounts online.
Bill Gates said way back in 2004 that passwords cannot meet the challenge of keeping critical information secure. He predicted the demise of traditional passwords and the decreasing reliance on passwords then. Yet, passwords continue to be used even to this day, despite many industry experts agreeing that they should be replaced.
We have made some progress in reducing the reliance on passwords but more still needs to be done. It is crucial for companies to continue educating their users and stakeholders on the risks of traditional passwords and the importance of moving to a passwordless future. Only then can a better and more secure user experience be realized. This future is already within reach – backed by leaders in their field and supported by devices all over the world – now all we have to do is take the next step.
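Two points in the contribution above are worth seeing in code: that a time-synchronized OTP is a shared secret and therefore relayable by a phishing page, and that a FIDO-style public-key login is bound to the origin the browser actually saw, so the same relay fails. The block below is an added illustration, not FIDO Alliance or WebAuthn reference code. To stay standard-library only it uses textbook RSA over two small, well-known Mersenne primes as the signature scheme, which is not secure and is not what real authenticators do (they generate a full-size ECDSA or RSA key pair per registration, with proper padding). The sites `bank.example` and `evil.example`, the simplified authenticator data layout, and the TOTP secret (the RFC 6238 test key) are all assumptions for the example.

```python
"""FIDO-style origin-bound public-key login next to a TOTP shared secret.
Added illustration, not FIDO Alliance or WebAuthn code. Toy RSA over small
Mersenne primes stands in for a real signature scheme; bank.example,
evil.example and the TOTP secret are made up for the example."""
import hashlib
import hmac
import json
import secrets
import struct

# Toy signature parameters (illustration only; not secure).
_P, _Q = 2**61 - 1, 2**89 - 1
_N, _E = _P * _Q, 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))

def _rep(data: bytes, n: int) -> int:
    """Hash the message and reduce it below the modulus (no padding: toy only)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def _verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _rep(data, n)

class Authenticator:
    """Holds the private key and never releases it; one credential per RP ID."""
    def __init__(self):
        self._creds = {}                                  # rp_id -> credential id

    def register(self, rp_id: str):
        self._creds[rp_id] = secrets.token_hex(8)
        return self._creds[rp_id], (_N, _E)               # only the public key leaves

    def get_assertion(self, rp_id: str, client_data: bytes):
        if rp_id not in self._creds:
            return None                                   # nothing registered here
        auth_data = rp_id.encode() + b"\x01"              # simplified: rpId + UP flag
        signed = auth_data + hashlib.sha256(client_data).digest()
        return self._creds[rp_id], auth_data, pow(_rep(signed, _N), _D, _N)

def browser_get(authenticator, page_origin: str, challenge: str):
    """Models the browser: RP ID comes from the page's real origin, and the
    origin is written into clientData by the browser, not by page script."""
    rp_id = page_origin.split("://", 1)[1]
    client_data = json.dumps({"challenge": challenge, "origin": page_origin}).encode()
    res = authenticator.get_assertion(rp_id, client_data)
    if res is None:
        return None
    cred_id, auth_data, sig = res
    return {"id": cred_id, "auth_data": auth_data, "client_data": client_data, "sig": sig}

class RelyingParty:
    def __init__(self, origin: str):
        self.origin, self.rp_id = origin, origin.split("://", 1)[1]
        self._pub, self._pending = {}, set()              # cred id -> key; live challenges

    def register(self, cred_id, pub):
        self._pub[cred_id] = pub

    def new_challenge(self) -> str:
        c = secrets.token_hex(16)
        self._pending.add(c)
        return c

    def verify(self, assertion) -> bool:
        if assertion is None:
            return False
        cd = json.loads(assertion["client_data"])
        pub = self._pub.get(assertion["id"])
        signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
        ok = (cd["origin"] == self.origin                 # else signed for another site
              and cd["challenge"] in self._pending        # else unknown or replayed
              and assertion["auth_data"][:-1] == self.rp_id.encode()
              and pub is not None and _verify(pub, signed, assertion["sig"]))
        if ok:
            self._pending.discard(cd["challenge"])        # each challenge is single use
        return ok

def _setup():
    auth, rp = Authenticator(), RelyingParty("https://bank.example")
    rp.register(*auth.register(rp.rp_id))
    return auth, rp

def fido_legitimate_login() -> bool:
    auth, rp = _setup()
    return rp.verify(browser_get(auth, rp.origin, rp.new_challenge()))     # True

def fido_phished_login() -> bool:
    """evil.example relays the bank's real challenge to the victim's browser."""
    auth, rp = _setup()
    return rp.verify(browser_get(auth, "https://evil.example", rp.new_challenge()))  # False

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): both sides derive the code from one shared secret."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10**digits
    return f"{code:0{digits}d}"

def totp_phished_login() -> bool:
    """A code typed into a phishing page and relayed to the real site inside the
    same 30 s step is accepted: nothing in it is bound to an origin."""
    secret = b"12345678901234567890"      # constructed shared secret (RFC 6238 test key)
    typed_at, relayed_at = 40, 50         # fixed times keep the example deterministic
    return hmac.compare_digest(totp(secret, relayed_at), totp(secret, typed_at))  # True
```

The phishing case fails twice over: the browser scopes the request to `evil.example`, so the authenticator has no credential to sign with, and even a signature obtained some other way would carry the wrong `origin` in its client data. The TOTP case succeeds because the code is a pure function of the shared secret and the clock, with nothing tying it to the site that asked for it.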