Passwordless – distant future or real opportunity?
Passwords have been used to secure access to information for decades in IT, and for far longer outside it. Access to systems must be limited to authorized users, and relying on something only the user knows is an effective way to keep intruders out. However, for a number of reasons, passwords are no longer very effective and create many problems for users and organizations. They are often easy to guess. They can be stolen. They are difficult for users to remember, especially when users have multiple passwords for multiple systems.
In many ways, this is not a technological problem; it is a human problem. Many of the challenges associated with passwords can be attributed to human nature. Some of these challenges can be solved with policy changes:
- No reuse of passwords. This prevents an attacker from being able to access multiple systems with a single stolen password.
- Complexity requirements. Requiring users to use passwords that cannot be easily guessed increases the difficulty for attackers to break into systems.
Unfortunately, users commonly choose the simplest passwords and/or a single password for multiple systems. The main reason is the difficulty of remembering dozens of passwords for multiple sites, so people look for the easiest option that does not require them to remember anything. Moreover, simple authentication methods that only require a username and password combination are inherently vulnerable to attacks.
Attackers can guess or steal credentials and gain access to sensitive information and computer systems using a variety of techniques, including:
- Brute force – using programs that try large numbers of username/password combinations, or exploiting common weak passwords such as 123456.
- Credential stuffing – using stolen or leaked credentials from one account to gain access to other accounts (people often use the same username/password combination for multiple accounts).
- Phishing – using fake emails or text messages to get the victim to respond by providing their credentials.
- Keylogging – installing malware on a computer to capture keystrokes associated with a username/password.
- Man-in-the-middle attacks – intercepting communication streams (for example, over public Wi-Fi) and replaying credentials.
To remedy this, two-factor authentication (2FA) was introduced, followed by the more advanced multi-factor authentication (MFA); both require the user to present more than one pre-registered proof of identity before access is granted. You can rely on two (2FA) or three (MFA) of the following:
- Something you know: password or PIN.
- Something you have: a mobile phone or security token.
- Something you are: fingerprint or FaceID.
- Something you do: typing speed, location information, etc.
Unfortunately, despite the high level of security that MFA provides, these methods significantly hamper the work of their users. Undeniably, their constant maintenance results in a loss of operational efficiency in companies (where efficiency is crucial). Moreover, 2FA and MFA still require users to remember passwords, so they do not solve the problem of users who no longer want to remember and handle them.
This is where passwordless authentication comes in handy.
Passwordless authentication increases security by eliminating risky password management practices and reducing the attack surface. It also improves user experience by eliminating the need to remember dozens of passwords or where to store them. With passwordless authentication, there are no passwords to remember or answers to security questions to memorize.
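To make the mechanism concrete, here is an added illustration (not code from the original article) of a passwordless "something you have" factor: the server issues a single-use random challenge, the user's device answers with an HMAC over it using a secret registered out of band, and no password ever crosses the wire, so a phished or intercepted exchange cannot be replayed. The `Server` class, `device_answer` and `run_demo` names are assumptions for this example; production deployments use FIDO2/WebAuthn public-key credentials rather than a shared secret.

```python
import hashlib
import hmac
import secrets
import time

# Added example (not from the article): a passwordless "something you have"
# factor done as challenge-response. Only a fresh random challenge and its
# HMAC cross the wire, so there is no password to phish or replay.

class Server:
    def __init__(self):
        self.devices = {}   # user -> device secret registered out of band
        self.pending = {}   # challenge nonce -> (user, expiry timestamp)

    def register_device(self, user, secret):
        self.devices[user] = secret

    def issue_challenge(self, user, ttl=60):
        nonce = secrets.token_hex(16)          # 128-bit random, never reused
        self.pending[nonce] = (user, time.time() + ttl)
        return nonce

    def verify(self, user, nonce, response):
        entry = self.pending.pop(nonce, None)  # single use: gone after first try
        secret = self.devices.get(user)
        if entry is None or secret is None:
            return False
        owner, expiry = entry
        if owner != user or time.time() > expiry:
            return False
        expected = hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)  # constant-time compare

def device_answer(secret, nonce):
    """What the user's device computes; the secret itself never leaves it."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()

def run_demo():
    """Constructed flow: returns (legit_ok, replay_ok, wrong_device_ok)."""
    server = Server()
    alice_key, stranger_key = secrets.token_bytes(32), secrets.token_bytes(32)
    server.register_device("alice", alice_key)
    nonce = server.issue_challenge("alice")
    response = device_answer(alice_key, nonce)
    legit = server.verify("alice", nonce, response)
    replay = server.verify("alice", nonce, response)    # captured and resent
    nonce2 = server.issue_challenge("alice")
    wrong = server.verify("alice", nonce2, device_answer(stranger_key, nonce2))
    return legit, replay, wrong
```

Running `run_demo()` returns `(True, False, False)`: the genuine device logs in, the replayed capture is rejected because the challenge was consumed, and a device without the registered secret cannot produce a valid answer.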
Benefits of passwordless authentication
Users can conveniently and securely access applications and services using other authentication methods. Passwordless authentication:
- Improves the user experience – eliminating password and secret fatigue and providing unified access to all applications and services.
- Strengthens security – eliminating risky password management techniques and reducing credential theft and impersonation.
- Simplifies IT operations – eliminating the need to issue, secure, rotate, reset and manage passwords.
However, there is no rose without thorns – passwordless credentialing has its drawbacks, which make it still a relatively rare solution. The main downsides are:
- Passwordless solutions rely on passwords as a fallback – even though the password is no longer the primary ("front") method, you cannot do without it entirely.
- Credentials are usually still required to authenticate to the system at some stage in the security chain – for example, as an alternative login method.
- Due to the complexity of implementation, they are incomparably more expensive than "good old" password solutions.
Considering the above – we cannot yet talk about fully password-free authentication and information protection. MFA solutions provide a wide range of authentication possibilities, but the password is always present at some stage. This situation causes many organizations to stay with password methods – focusing on proper password policies and user education (which is always a good idea).
In our opinion, passwordless authentication is still a mirage, just like fully intelligent AI. Nevertheless, we already recommend implementing a 2FA or MFA solution – in the era of digital crown jewels, every layer of access validation is worth its weight in gold!