Everyone who has ever used an IT system in this age is familiar with the traditional authentication method used. We all know the story of usernames and passwords. From a user perspective, we know the frustrations such as memorizing passwords for countless sites and systems that we interact with. We know the exhausting cycle of setting, forgetting, and resetting passwords. From a security practitioner’s perspective, we all know the folly of passwords when it comes to protecting systems and data. They’re constantly re-used, weak, and exposed in countless breaches which adversaries then take and target other systems. Passwords are vulnerable to various attacks, ranging from social to more direct such as brute force and dictionary attacks.
Even in 2021, the IBM Ponemon Cost of a Data Breach Report cites that 20% of breaches are initially caused by compromised credentials and have an average total cost of $4.3 million for organizations that are impacted. Yet passwords still remain the primary method of authentication for countless systems and users. Of course, additional methods of security rigor are added, such as multi-factor authentication (MFA), which we have previously discussed.
Given the long history of vulnerability and associated data breaches, the world is increasingly moving towards a new future, a passwordless one. Enter Passwordless Authentication, a method where the user’s identity is authenticated without using a password. But how can this be!? Passwordless authentication utilizes familiar form factors which have been part of the security and technology lexicon for quite some time, such as biometrics, something you have, and adhoc links that help facilitate authentication.
Biometrics are essentially physical characteristics about a system’s user, such as their fingerprint or retina that uniquely identifies them. Something you have is based on the physical or logical possession of the user, such as a phone with an authenticator application like Google Authenticator or perhaps a security key from Yubico. It could also be a cell phone that receives an SMS code, although remember we’ve previously discussed the inherent flaws in the SMS approach. Lastly, many users are likely familiar with the One Time Password (OTP) email-oriented approach, where they receive a unique one-time key via email to help them authenticate to a system, which is also commonly used to support MFA.
While the above methods theoretically could support the shift away from the traditional use of passwords, one of the more prevalent passwordless specifications gaining hold is FIDO2 from the FIDO Alliance. FIDO2 combines what is known as Web Authentication (WebAuthn) and Client-to-Authenticator (CTAP). FIDO2 revolves around the use of cryptographically unique login credentials and FIDO security keys. The keys are unique to each site and FIDO2 is also being embraced by hardware providers such as the aforementioned Yubico.
Some of the world’s largest technology companies such as Microsoft are also working to “make passwords a thing of the past”. Microsoft is facilitating this shift through methods such as the Microsoft Authenticator app, Windows Hello, and others. Through the use of Microsoft Authenticator, users can shift away from the use of passwords and embrace passwordless authentication.
As previously mentioned, attacking the traditional authentication method of passwords is a go-to for malicious actors and hackers. Password compromise has long been involved in the compromise of countless accounts and data breaches. The embrace of passwordless doesn’t guarantee a future free of data breaches and account compromises but it does introduce a more secure method of authentication for users. Users won’t be reusing the same authentication code (their password) across countless sites and won’t be utilizing a code that is easily guessed through dictionary and brute force attacks. While there is no silver bullet in cybersecurity, there is an iterative approach to implementing robust cybersecurity practices, and the push for passwordless is another brick in that wall.