Is Passwordless Authentication the Future?
Each year on the first Thursday in May, World Password Day promotes better password habits. Passwords are critical gatekeepers to our digital identities, allowing us to access online shopping, dating, banking, social media, private work, and life communications.
According to the World Economic Forum (WEF), cybercrime is set to cost the global economy $2.9 million every minute in 2020 and some 80% of these attacks are password-related. Knowledge-based authentication – whether with PINs, passwords, passphrases, or whatever we need to remember – is not only a major headache for users, it is costly to maintain, says the WEF. And for larger businesses, it is estimated that nearly 50 percent of IT help desk costs are allocated to password resets, with average annual spend for companies now at over $1 million for staffing alone.
The path forward, says the WEF report, is with passwordless authentication. "Forward thinking security professionals are currently asking 'if compromised passwords defeat the very purpose of authentication, protecting sensitive data, then why not eliminate them?'" Some industry leaders are pushing for stronger authentication standards, such as FIDO alliance (who promises simpler, stronger authentication), and are advocating for the elimination of passwords altogether," says Arun Kothanath, Chief Security Strategist at Clango.
Fausto Oliveira, Principal Security Architect at Acceptto, says that passwordless is not the future. "It’s what we need now. Every year, security incidents continue to occur due to account takeover and the causes are well known. The most relevant of them is credential hijacking which accounts for approximately 80 percent of attacks," he says.
In the past, he notes, the focus on password complexity encouraged credential re-usage and increased the total cost of ownership (TCO) associated with password resets and Helpdesk calls without improving overall security. In general, he says, "any binary authentication, such as passwords, two-factor authentication (2FA) and some multi-factor authentication (MFA), including biometrics, are susceptible to fraud due to their binary nature. The industry needs to move away from passwords and start adopting passwordless solutions that do not threat authentication as a single event with a simple yes or no at point of entry, but as a continuum where user good behavior is constantly verified. It’s time to finally make World Password Day a thing of the past."
Tim Wade, Technical Director, CTO Team at Vectra, however, says that while passwordless authentication is admirable and authentication systems solely based on passwords have been, and will continue to be, abused, "it’s important to consider that an effective authentication system must also account for effective credential revocation and replacement as much as credential strength – there are few things more trivially revoked and replaced than the knowledge inside someone’s head. At the risk of unpopularly defending the merits of passwords, they may continue to have a role to play in strong, robust, multi-factor authentication systems even as they’re replaced as the sole (or even most important) anchor of authentication.”
Before we can eradicate passwords, claims Kothanath, we must ask ourselves “is the world ready for a passwordless universe?” Kothanath believes we are.
"Modern Multifactor Authentication (MFA), Risk Based Authentication, etc. are focusing on increasing the trust in the authentication system. When you don’t trust the static hash called a "password," what could replace it? The answer is trusted devices. Reliance on devices that can be trusted, such as a smart phone or a wearable, introduce another level of complexity that reduces the probability of that identity being compromised by an attacker. Smart phones, wearable devices and more are gaining the popularity to replace clumsy, password-based systems," Kothanath adds.
Implementing passwordless authentication platforms tend to be more complex in comparison to their credential-based counterparts, but the end user experience on a large-scale deployment is much simpler and more likely to be immediately adopted, Kothanath claims. "These devices and the data they collect and store, are becoming part of your digital identity. Your smartphone holds a number of attributes (phone number, IMEI number, carrier information, digital certificates, GPS location, manufacturer information, CPU unique ID, etc.) which can be used to uniquely authenticate you, negating the need for a password."
It is extremely difficult to compromise these devices, he says, and technology is available today to enhance the security and reliability of device-based authentication. "As the value of the target asset increases, there can be other trusted devices, such as a Yubi Key and other hardware-based tokens, which can be governed under much tighter controls. All of this is trending towards a cutting-edge, identity-based authentication system and privilege management approach to eliminating passwords from the security equation," Kothanath notes.
Finally - regardless of what's next for passwords - World Password Day is a day to review your password hygiene to ensure you are up to date with the latest best practices, claims Joseph Carson, chief security scientist and Advisory CISO at Thycotic.
But, if you have not combined it with another security control such as two-factor authentication, you’re leaving the door wide open, putting yourself at risk of identity theft, ransomware, an online account hack, computer viruses and more, Carson warns. "It is also important when you do change your password to only perform this task from a safe network and not a public location," he adds.
This year, review your password best practices, Carson advises. "Ensure that you have started to use passphrases to help make your password long and include some complexity as well, although the debate about how frequent you should change your password continues," he says. "My recommendation is that it should not be older than one year. It’s best not to wait until you are notified about a data breach as it usually means cybercriminals had access for longer than two hundred days.”