Bill Gates predicted the demise of the password in 2004. Over a decade and a half later, are we really any closer to its foreseen death?
Password use is an established part of our daily processes. We rely on them to access applications and services in both our work and personal lives. They are the lock and key to our digital identities and personal data, and are therefore one of the primary causes of costly breaches. While for users the password is a simple, convenient, seemingly cost-effective crucial layer of security, the password has also been the bane of IT security professionals.
CIOs and CISOs are faced with the task of both managing and supporting password use across enterprises. A large part of IT help desk responsibilities is allocated to dealing with credential resetting, replacement and revocation. One of the greatest frustrations for IT security professionals is user negligence towards modern password requirements and policies. With exponential growth in online data processing and increasingly frequent breaches, password policies have become progressively more strict as a measure of mitigation, with a focus on password complexity and uniqueness. Workers typically snub ‘good password’ practices because they are prone to choose convenience over security and only meet the minimal requirements of enforced security policies by choosing short and memorable passwords.
Enforcing password security policies in the workplace is especially difficult when users are often guilty of credential reuse across a number of platforms, websites and applications. Password reuse is typically a symptom of password fatigue - where a user feels overloaded with the number of passwords to remember, especially when they are required to create complex passwords in frequent rotation. Credential reuse is a major contributing factor to a growing attack surface as the breach of a single account or application subjects the entire enterprise to a catastrophic domino effect, letting application after application fall. This malpractice also increases the user and their entire organisation’s vulnerability to credential stuffing, as cyber criminals curate the login credentials from past breaches and inject these username/password combinations into their targeted accounts.
Users adopt these lax password practices because they are not easily persuaded to trade their comfort for greater security. Most people are not motivated to change their password habits because they are unaware of the realities of data breaches and have not felt that their personal data was at risk. But how can you compel your users to protect personal and enterprise data? You cannot wait for the portents of a security incident or a breach itself to scare users into adopting good behaviours.
This is why emerging identity verification methods redistribute the trust placed solely on users and IT security professionals into user-friendly systems and devices. Passwordless authentication eliminates the frustrations for users and professionals alike by using alternatives to textual passwords as methods of verification.
But which passwordless authentication method has the potential to finally render the password obsolete? Let’s consider the options here:
Multi-Factor Authentication (MFA):
While two-factor authentication (2FA) and MFA methods are convenient and prevalent methods of identity verification, they work in conjunction with passwords, as an extra security barrier to unwanted access. During the sign-in process, users are asked to present two or more pieces of verification evidence. Like other methods of passwordless authentication, they rely on the user to provide a combination of identity factors such as: things you have, things you know, things you do, things you are or where you are.
Once a user enters their password, they are then sent a single-use numerical code via SMS, or asked to answer a secret question, e.g. ‘What was your mother’s maiden name?’ Once these extra pieces of evidence have been presented, the sign-in process is completed. MFA decreases the probability that an account is being compromised but only replaces passwords in the sense that they are not the primary measure of security. They are typically easy to use and implement, and are reasonably cost-effective.
Risk-Based Authentication (RBA):
RBA solutions are used as an Identity and Access Management (IAM) technology that takes into account the context of the user’s log-in and provides a risk-score based on the situation. If the system flags the situation as high-risk, the user is subject to stricter verification methods, such as 2FA or MFA. For example, if a user takes more time than usual to type their password out or attempts a log-in from two different locations within a short amount of time, these situations are flagged as higher risk and the user is subjected to MFA or SMS-based authentication. If the log-in is seen as low-risk, the user can authenticate their identity using a single password. RBA is effective because it monitors behavioural patterns and consults of a broader pool of contextual information to encourage better user practices.
Physical Token Authentication:
Hardware tokens are security keys - typically in the form of a USB. The user inserts this token into their device and is granted access to the system. While this removes the need to memorise textual passwords and information relevant to MFA security questions, physical tokens are still fairly inconvenient. You cannot verify your identity without having the token on your person, and security keys are too easily misplaced or stolen. Once the physical token is lost, credentials must be revoked and replaced.
Biometrics are a compelling route for passwordless authentication and make for an interesting user experience. Biometric verification relies on unique identifiers, like physical and behavioural features. These include voice recognition, facial scanning, fingerprinting, heart monitoring and other biological distinguishers like hand geometry.
It is an easy to use solution, but like all verification methods, biometric verification comes with its flaws. While each individual has their own unique biometrics, this does not mean the solution is unhackable. In the event that facial recognition or fingerprint data is stolen these credentials must be completely revoked within the given system.
Biometrics are also notoriously inaccurate at times. Fingerprint scanning only involves reading partial prints and can therefore be fooled. Facial recognition systems are also known to have gender and racial bias, hindering their ability to accurately detect female faces and those with darker skin tones. In addition to inaccuracy, face scanning is also threatened by extreme improvements in deepfake technology that can trick the system.
However, as this field becomes more sophisticated with the help of Artificial Intelligence (AI) powered systems, biometric verification can become a very promising avenue as an alternative verification method.
Passwordless Email and SMS Authentication:
Both email and SMS based authentication methods use an existing logged-in session on one device to allow streamlined user access on a different device via a time-sensitive, single-use link or code. The user may receive a notification alerting them to authenticate the new session e.g. ‘You are logging into your account from an iPhone in Coogee, NSW. Allow?’ These tokens grant the receiving device with long-time verification and develop a trusted network of devices that can be added or removed by the user.
Again, these methods rely on verifying one’s identity in the existing session - meaning the user still requires their password. While these methods are becoming increasingly popular, they are still at risk of being compromised in the same ways passwords can be alone. If a user is a victim of social engineering and divulges their password, then these single-use tokens can easily be stolen. The email link tokens or SMS codes can also be intercepted by a hacked mail server or rerouted to a cyber actor’s fake cellular tower.
So which solution will be the definitive end of the password?
None of these solutions can work in isolation. Like textual passwords, all of these methods have their own flaws, and can be dangerous when used as a single solution.
Evidently, all passwordless authentication methods are still dependent on passwords to act as gatekeeper to some degree. While the password is seemingly undying, improvements in AI and machine learning powering biometrics and behavioural pattern recognition forward, we might see massive changes in user reliance on passwords in the very near future. When considering the implementation of passwordless authentication within your enterprise, recognise that each workplace demands a dynamic and layered solution.
For now, IT security professionals recommend layering passwordless solutions or IAM in conjunction with increased awareness about good security practices. User motivation can be a serious detriment to any organisation’s security processes and a cybersecurity culture should be encouraged. In order to develop and enforce security awareness, consider implementing IAM tools, such as risk-based authentication, as these technologies continuously verify good user behaviour. Intuitive, streamlined methods, like biometrics, make passwordless adoption convenient and are consequently more enticing to use effectively.Password managers are also championed by IT security professionals as an added trusted system that enables user convenience. While they are password-centric in use, they are still a highly convenient way to secure credentials in combination with another solution.
Overall, end users should collaborate with administrators to protect and manage their digital identities. The onus of managing hordes of digital identities needs to be shifted into IAM to optimise the management of user identities. IAM allows for this shift of trust onto systems rather than individuals, and the added measure of freedom present in passwordless authentication methods can be very advantageous in helping end users secure a system and increase productivity.
For assistance implementing any of the above solutions, please contact our cybersecurity specialists by clicking below.