The password isn’t going anywhere, but passwordless authentication is gaining momentum, and it appears to be winning the battle over how companies choose to let users log in. Like it or not, the security industry must contend with both for the foreseeable future.
But for some businesses and agencies, going passwordless is the clear strategy. Microsoft, for instance, has recently stopped forcing users to use a password to access their account, which allows access to a wide range of Microsoft business and personal apps and services.
Microsoft is not alone. At the 2022 Worldwide Developers Conference, Apple announced that iOS 16 and macOS Ventura will ship with passwordless logins. Users will have the option to sign in to websites and apps with ‘Passkeys’ instead of passwords. According to the company, a passkey is a cryptographic key pair created on the device and unlocked with Touch ID or Face ID in place of a typed password.
Why the Move Toward Passwordless Authentication?
In essence, the key driver for the shift is that we have too many passwords to remember. A 2020 Tech.co report put the average user at about 100 passwords. With that many to keep track of, anything that reduces the burden is welcome, but the shortcuts people take to cope with it, such as reusing passwords, come at the expense of security.
Here’s a scary stat: a Specops Software survey found that almost 30% of respondents use a single password for all of their accounts. Yes, you read that correctly: one password, everywhere. Most respondents also admitted to using variations of the same password across their accounts.
So, are you any more secure just because your enterprise has gone passwordless?
Short answer: not necessarily. There are major concerns about passwordless authentication as it is commonly deployed.
Just ask expert Roger Grimes, author of Hacking Multifactor Authentication, who spoke with me about what you need to know about the passwordless world.
Question: What are the risks of passwordless authentication?
Grimes: A lot of the passwordless options are really single-factor authentication or 1FA. Just because people see passwordless, they think they’re using multi-factor authentication (MFA). In general, single-factor is never as good as multi-factor. The whole idea behind MFA is to provide two different forms of authentication.
The far more concerning risk is that a lot of passwordless solutions are easily phishable. I can trick you into going to a man-in-the-middle website, where I send you an email or a website link. It tricks you into wanting to use this passwordless authentication, and you think you’re going to this intended location. But really, you’ve been tricked into clicking on the soundalike or lookalike link that takes you to some other location.
So you use your passwordless option. But it’s really allowing the attacker from the man-in-the-middle website to take over your session. They can capture everything. Once you’ve successfully logged in using a passwordless authentication token, the website will send you back an access control token, which is the text-based cookie.
If they capture that, they can put that cookie in their browser and take over your session after you’ve successfully authenticated.
Remember, many passwordless options like FIDO prevent that sort of man-in-the-middle attack. But every MFA can be hacked. Probably 90-95% of them are susceptible to this man-in-the-middle attack, and many passwordless options are susceptible to it.
So you’ve gone through all this heartache to move from password to passwordless, but I’m still capturing it and getting around it like it was a password. It’s a lot of work, effort, cost, money and frustration to not get the main perceived benefit of using MFA or passwordless.
Question: Does going passwordless make you safer?
Grimes: Not if you’re using a solution that’s susceptible to easy phishing. You shouldn’t use it.
The whole reason we’re moving people from passwords to something else is essentially to cut off the phishing avenue. And if I can phish you with your passwordless solution, what have we gained?
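The distinction Grimes draws, between MFA that a relay site can pass through and FIDO, which resists it, comes down to origin binding: the browser, not the web page, writes the origin into the data the authenticator signs, and the server refuses assertions whose origin is not its own. The following is an added illustration of that mechanism, not code from the page or from any vendor SDK. It models the protocol with the standard library only, so an HMAC stands in for the authenticator's per-credential asymmetric signature (which is why the toy relying party holds the same key), and the hostnames bank.example and bank-example.com are invented.

```python
"""Toy model of WebAuthn origin binding: why a passkey exercised on a lookalike
site cannot be relayed to the real one.  Added example, stdlib only; the HMAC
stands in for the authenticator's asymmetric signature (assumption)."""
import hashlib
import hmac
import json
import secrets


def browser_allows(page_origin: str, rp_id: str) -> bool:
    """Browser rule: a page may only use credentials whose RP ID is its own
    host or a registrable parent of it.  A lookalike host fails this test."""
    host = page_origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    return host == rp_id or host.endswith("." + rp_id)


class Authenticator:
    """Platform/roaming authenticator: one credential per RP ID, keys stay inside."""

    def __init__(self):
        self._creds = {}  # rp_id -> (credential_id, key)

    def register(self, rp_id):
        cred_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._creds[rp_id] = (cred_id, key)
        return cred_id, key  # key handed out only so the toy RP can verify

    def get_assertion(self, page_origin, rp_id, challenge):
        # `page_origin` is what the browser observed; the page cannot forge it.
        if rp_id not in self._creds or not browser_allows(page_origin, rp_id):
            return None
        cred_id, key = self._creds[rp_id]
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": page_origin}, sort_keys=True).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash + UP flag
        sig = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(),
                       hashlib.sha256).digest()
        return cred_id, client_data, auth_data, sig


class RelyingParty:
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.keys = {}        # credential_id -> verification key
        self.pending = set()  # single-use challenges not yet consumed

    def new_challenge(self):
        c = secrets.token_urlsafe(32)
        self.pending.add(c)
        return c

    def verify(self, assertion):
        cred_id, client_data, auth_data, sig = assertion
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get":
            return "wrong ceremony type"
        if cd.get("origin") != self.origin:
            return "origin mismatch"            # a phishing page's assertion dies here
        if cd.get("challenge") not in self.pending:
            return "stale or unknown challenge"  # a replayed capture dies here
        key = self.keys.get(cred_id)
        if key is None:
            return "unknown credential"
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return "rpIdHash mismatch"
        expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return "bad signature"
        self.pending.discard(cd["challenge"])   # challenge is consumed on success
        return "ok"


def demo():
    """Constructed scenarios: genuine login, replay, and two relay-phish attempts."""
    bank = RelyingParty("bank.example", "https://bank.example")  # invented names
    auth = Authenticator()
    cred_id, key = auth.register(bank.rp_id)
    bank.keys[cred_id] = key
    out = {}
    # 1. Legitimate login from the real origin.
    genuine = auth.get_assertion(bank.origin, bank.rp_id, bank.new_challenge())
    out["genuine"] = bank.verify(genuine)
    # 2. Attacker captured that assertion in transit and replays it.
    out["replay"] = bank.verify(genuine)
    # 3. Reverse-proxy phish: the lookalike page relays a real bank challenge and
    #    asks the browser for the bank credential; the browser refuses.
    phish_origin = "https://bank-example.com"
    out["phish_asks_for_bank_cred"] = auth.get_assertion(
        phish_origin, bank.rp_id, bank.new_challenge())
    # 4. The victim was earlier tricked into creating a passkey on the lookalike
    #    site, so the phish page can obtain *an* assertion; relaying it to the
    #    bank still fails because the signed origin is the attacker's.
    auth.register("bank-example.com")
    relayed = auth.get_assertion(phish_origin, "bank-example.com", bank.new_challenge())
    out["relayed_to_bank"] = bank.verify(relayed)
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:28s} -> {result}")
```

Contrast this with a one-time code or push prompt: nothing in those ties the second factor to the site the user is looking at, so the relay site simply forwards the code and collects the session cookie that comes back, exactly as described above.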
How to Select a Passwordless Authentication Option
Question: How should organizations choose a passwordless option?
Grimes: When you go to choose an MFA option, try to choose one that is phishing resistant. If you’re stuck with an easily phishable option, see if you can convince the vendor to implement features that make it less phishable. Sometimes it’s literally just implementing the right feature.
I think the main part is having general awareness for every stakeholder:
- People that are selecting MFA
- People that are evaluating MFA
- The implementers
- The operational staff
- The buying staff
- C-level staff
They need to be aware of their solution’s strengths and weaknesses and then be educated about the common attacks against their solution type and how to avoid them. That’s at the bare minimum. It’s about education.
Another thing is understanding that implementing FIDO isn’t easy. But you know, if you’re going to go to MFA or passwordless, why not do it? Why move from passwords to passwordless and get only a marginal improvement in safety? Why do it when you can make the same effort and go to something that’s phishing resistant and get significant protection?
Writer’s note: Grimes mentioned YubiKey as a solid solution, especially with the FIDO option.
Other Options for Password Management
Question: What about password manager apps?
Grimes: I think everybody should use one. The biggest risk with passwords is that the average person has four to seven passwords that they share across every website. Every year, a couple of those websites get compromised, and those compromised passwords are used against them.
I always recommend using phishing-resistant MFA where you can. Where you can’t, use a password manager to create your login name and password.
I have friends without a lot of computing power who are routinely cracking and guessing 18-character passwords today, routinely, every day.
So a password manager is going to create a complex and perfectly random password to match whatever the maximum length is for the site or service you’re using. It’s unguessable and uncrackable against all known current adversaries.
The significant threat of the password manager is that it’s a single point of failure, which is a big risk. But for them to compromise your password manager, usually they have to compromise your desktop, and that’s game over anyway because, at that point, they can just key-log you. So it’s a concern. If malware starts to attack password managers, that would be another worry, but it isn’t a concern yet.
The benefits of using a password manager for the average person far offset the risk.
Apple Sets a Unique Precedent
Question: With the Apple announcement, is the password finally dead?
Grimes: Like all new authentication solutions, the proof is in the pudding. Moving beyond passwords to something better is always a good move, and I highly support it.
But biometrics in practice aren’t nearly as secure as they claim. Your fingerprint may be unique on the Earth, and your face may be one in a million, but how those biometric traits are recorded and used is far, far less unique.
I have people who email me all the time saying their young child walked by their phone or laptop and got logged in as them, and certainly, to a human, those two people don’t look the same.
I’m continually surprised by how many [chief information security officers] and people who aren’t familiar with the strengths and weaknesses of biometric solutions as we implement them think they are the Holy Grail of authentication. The people who know a whole lot about biometrics value them less, and vice versa.
Another big problem with all non-password solutions is none of the proposed solutions work with even 2% of the world’s sites and services. It’s one big chicken and egg problem. The promise of MFA or passwordless solutions is that we can supposedly have a passwordless solution to replace the insane number of passwords we have to create and use today. But the reality is that we all now have a growing number of MFA and passwordless solutions on top of a ton of passwords. It’s even worse than before.
Every time I hear passwords are going away, I want to buy stock in a password manager company.