Passwords, or In-The-Past Words?
Are passwords a thing of the past? Well, to be honest, no, not yet they aren't, but there seems to be a widespread initiative to cram them into a time capsule, move into the future, and forget about them altogether. From post-it notes to password managers to any of the other tools or tricks that people use to remember them, passwords are renowned for being a weak point in the grand scheme of security.
What’s wrong with passwords?
Are they long enough? Are they complex enough? Are they being changed often enough? Are you being careful not to reuse them anywhere? With phishing attacks and data breaches rising to insane levels, it seems more and more that the wrong people are getting hold of our passwords. As the number of online accounts we have grows, password fatigue becomes a reality for more and more of us and may lead us to take shortcuts that compromise our security. Password managers are a nice alternative, but with reports of even password managers suffering data breaches, I think the security community at large has decided that we need a change. We should move away from the classic username and password as the only thing used to secure data.
MFA (Multi-Factor Authentication)
What about multi-factor authentication? Usernames, passwords, and MFA are absolutely a step in the right direction, but you still have to manage all those passwords for all those accounts. Additionally, text messages (SMS) used as an MFA factor aren't as secure as we once thought they were (for more, see this link: https://www.lookingpoint.com/blog/login-security-multi-factor-authentication).
The Alternatives
What if you didn't need to rely on a password to prove who you are? How would you do it?
- Biometrics: Biometric authentication methods, such as fingerprint, facial recognition, or iris scanning, use unique physical characteristics to verify a user's identity. These methods offer a high level of security and convenience, as they cannot be easily replicated or stolen.
- Security Keys: Security keys (hardware tokens or USB keys) provide an additional layer of security by requiring users to possess a physical device in order to authenticate. These devices generate one-time codes or cryptographic signatures, making them resistant to phishing attacks and other forms of cyber threats.
- One-Time Passcodes (OTP): OTPs are temporary codes sent to a user's registered device via SMS, email, or an authenticator app. Unlike static passwords, an OTP expires after a single use, reducing the risk of unauthorized access even if one is intercepted by an attacker.
- Smartphone-based Authentication: Leveraging the ubiquity of smartphones, this approach involves using push notifications or mobile apps to authenticate users securely. Users receive a notification prompting them to approve or deny access, adding an extra layer of verification.
Typically, a combination of these techniques is thought to surpass the security of a password alone, and that combination makes up what we would call passwordless authentication.
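To show why the cryptographic signatures mentioned under Security Keys resist phishing, here is an added toy version of the FIDO2/WebAuthn challenge/response written for this post (it is not code from the original article or from any FIDO project). The origins, key pair and challenges are constructed for the demo, and the "origin|challenge" hash stands in for WebAuthn's real clientData structure.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator stands in for a security key: Pub is shared, priv never leaves it.
type Authenticator struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewAuthenticator mints a fresh key pair, as a security key does at registration.
func NewAuthenticator() *Authenticator {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{Pub: pub, priv: priv}
}

// signedData binds the challenge to an origin, like WebAuthn signing a hash of
// clientData (which carries the browser's origin) together with the challenge.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return h[:]
}

// Assert signs for the origin the browser is really on; the key cannot be asked
// to sign on behalf of a site it is not being used from.
func (a *Authenticator) Assert(browserOrigin string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, signedData(browserOrigin, challenge))
}

// VerifyAtSite is the website's check. It stores only a public key (nothing like a
// password to leak) and hashes its OWN origin in, so a look-alike domain's signature fails.
func VerifyAtSite(siteOrigin string, pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, signedData(siteOrigin, challenge), sig)
}

// LoginFromOrigin runs one fresh challenge/response with the browser on browserOrigin.
func LoginFromOrigin(siteOrigin, browserOrigin string, auth *Authenticator) bool {
	challenge := make([]byte, 32) // fresh per login, so a captured response cannot be replayed
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	return VerifyAtSite(siteOrigin, auth.Pub, challenge, auth.Assert(browserOrigin, challenge))
}
```

A login from the genuine origin verifies, while the same key used on a look-alike domain produces a signature the real site rejects, and a captured signature is useless against a new challenge.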
Benefits
How would going passwordless help? Let us count the ways.
- Enhanced Security: By eliminating the reliance on static passwords, passwordless authentication mitigates the risk of credential theft, phishing attacks, and brute-force attacks, basically taking the wind right out of those hackers’ sails!
- Improved User Experience: Passwordless methods streamline the authentication process, providing a more seamless user experience. Users no longer have to remember complex passwords or undergo tedious password resets, resulting in increased productivity, satisfaction, and let’s face it…WAY less frustration.
- Cost Savings: Passwordless authentication can lead to cost savings for organizations by reducing helpdesk requests related to password management, minimizing the risk of data breaches, and avoiding potential financial losses associated with security incidents.
- Compliance and Regulation: Passwordless authentication aligns with various regulatory requirements and industry standards, such as GDPR, HIPAA, and PCI DSS, by offering stronger security measures to protect sensitive data and personal information.
Challenges
It was all the way back in 2022 that Apple, Google, and Microsoft announced plans to expand support for a common passwordless standard, so why aren't we there yet? A LOT of progress has been made, but there are still a few hurdles for us to clear.
- Compatibility and Integration: Organizations may face compatibility issues when integrating passwordless solutions with existing systems and applications, which requires careful planning and investment in technologies that work across all of their systems and users.
- User Acceptance: Some users may be hesitant to adopt passwordless authentication due to concerns about privacy, reliance on personal devices, or unfamiliarity with new authentication methods. Educating users and addressing their concerns is crucial for successful implementation.
- Security Risks: While passwordless methods offer enhanced security compared to traditional passwords, they are not immune to vulnerabilities. Organizations must continuously evaluate and update their security protocols to mitigate emerging threats and vulnerabilities. If there’s one thing we can be sure of, it’s that “the baddies” will continue to poke and prod at any security method out there and find ways to exploit weaknesses for their own gains. We can all cheer on our buddies wearing the white hats and hope they find any weaknesses first and let the right people know so they can be addressed before it becomes an issue in the wild, but we need to accept that no security method is invulnerable.
- Single Point of Failure: Depending on the chosen method, passwordless authentication may introduce a single point of failure, such as a compromised biometric template or lost hardware token. While implementing multi-factor authentication (MFA) can help mitigate this risk, it’s something that needs to be thought out before adoption.
Moving From the Past(words) to the Future
As we all go forward into the future, I personally love the idea of a world without phishing (and passwords, to be honest). My suggestion would be to give it a try and ease into it. If you have a Google account, you can try setting up a passkey and see how you like it, Apple uses a passcode, and Microsoft offers instructions on how to go passwordless. You can get more information on the Fast Identity Online (FIDO) Alliance at fidoalliance.org as well.
LookingPoint offers multiple IT services if you're interested. Want more information? Give us a call! Please reach out to us at sales@lookingpoint.com and we'll be happy to help!
Ryan Alibrando, Managed Services Team Lead