“Treat your password like your toothbrush. Don’t let anybody else use it, and get a new one every six months.” — Clifford Stoll
We use keys to unlock doors and use locks to protect our private properties. In the digital world, we do the same. While keys have many “forms,” the most common one is still the password.
Passwords have been used as the foundation of authentication for years. While passwords are still a large portion of our cyber landscape, they have been on the decline for more than a decade. But eventually, we will face a time when the password is no longer proof of our digital self.
Principally, using a password to get access to a system is a method of authentication. According to (ISC)² CBK | Common Body of Knowledge — ISC2, authentication is when the user provides a credential to the system to prove the identity. Authentication factor can be of the following types:
- Something you ARE
- Something you HAVE
- Something you KNOW
Using a password is an example of Something you KNOW. It is a mechanism of having one factor of authentication. A system relies on a secret that the login users must memorize and exhibit to prove their identity. This case may seem straightforward enough, but it has profound implications.
The Problem with Passwords
Simple authentication methods that solely require username and password are intrinsically vulnerable. Attackers could guess or steal credentials and gain unauthorized access to sensitive information and systems using various techniques, including:
- Brute force attacks — using programs to generate random username/password combinations or exploit weak passwords like “123456.”
- Phishing — using fake emails or text messages to trick a victim into replying with their credentials
- Man-in-the-middle attacks — intercepting communications traffic (over public WiFi, for example) and replaying credentials
- Credential stuffing — injecting stolen or leaked credentials from an account to log in to other accounts that belong to the same user (people often use the same username/password combination for multiple accounts)
- Keylogging — installing malware/ hardware on a computer to capture username/password keystrokes
Password Fatigue
Today, we all rely on various apps to perform our jobs. By that, we are forced to memorize and track all the login credentials for each one of them. Moreover, changing passwords frequently is tiring for us in front of a computer.
Flooded by password sprawl, users take risky alternatives like applying the same password weak passwords, repeating passwords, or posting passwords on sticky notes.
Bad actors can take advantage of the loose cyber hygiene practices in password management to install cyber-attacks and data theft. Compromised credentials to get unauthorized access is a major cause (80%) of data breaches.
Why Passwords Die Hard
For years, the security industry has been producing multiple authentication alternatives to substitute passwords as the norm. These solutions span the technological spectrum:
Something you HAVE:
- Proximity badges, physical tokens, or USB devices (FIDO2-compliant)
- Software tokens or certificates
- A mobile phone application (SMS, One-Time-Code (OTC))
Something you ARE:
- Biometrics — Fingerprint, palm, voice or facial recognition, or retina scanning
But the question is, with so diverse, considerably more secure choices available, why are passwords still around? Three drivers are retaining passwords from exiting the stage.
1# Cost — Password is Cheap
Most applications and online tools now come preset with password-based authentication by default. Companies let their networks and IT departments set up to support this system of identity management.
Renovating authentication protocols often need time and a substantial initial investment. For example, using security tokens as an alternative requires purchasing and distributing physical/ software devices to all users.
2# UX — User Likes Routines
Users get used to the way password authentication works and made passwords part of their routines. Putting a new form of securing digital identities is often met with resistance. Training or education program is required to deploy the alternatives for password successfully.
3# Not Everything Can Start Over or Reboot
If your password is stolen, you can reset it immediately to prevent further damage. But for the others, it may not be the case. Say your fingerprint data was stolen online. You can only use another finger for authentication in the future if you revoke the first one.
The physical token also needs to return it and map a new one to resume your authentication. That is why, ultimately, the password is the fallback plan for most of the applications.
The Future-ready Authentication
A password-free authentication that would become the replacement should be ready to tackle the three drivers. To simply put, it should be cost-effective and easy to use.
Passwordless Authentication
First, with passwordless authentication, there are no passwords to memorize or security question answers to remember. As a result, users would not have password fatigue. Unlocking your phone with your fingerprint is faster and easier than type-in the password. Besides, the complexity of your fingerprint data is natively higher than the 8-digits password.
Moreover, to enhance security further, multi-factor authentication (MFA) is often deployed in conjunction with passwordless authentication. For example, when you log in to a web application online and prove your identity using a biometric method on your phone, you are using MFA at once:
- Something you ARE — fingerprint or facial recognition
- Something you HAVE — your mobile phone
Push-based Authentication
This password-free, mobile-based system, ordinarily in downloadable apps, does the authentication automatically, only requiring the user to respond to a secured push notification.
Also, push harnesses the user’s mobile phone as an authenticator, meaning that no secondary devices are required. You’ve probably seen that Google provides push-based authentication for Gmail.
Adaptive Authentication
The latest MFA solutions support adaptive authentication methods. That is the one using contextual information, including location, time-of-day, IP address, device type, and business logic, to decide which authentication factors to apply to a particular user in a specific situation.
Adaptive authentication balances practicality with security. Let say an employee is allowed to work from home for a period. And he accesses the company network from one external location consistently from his home address. The first-time login could be a combination of multifactor authentication and activity monitoring for IAAA purposes.
But later on, the authentication process could “step down” to simplify his/ her daily workflow. That user would be under supervision, but he can focus on his work instead of remembering various login secrets.
In another scenario, an employee accessing an enterprise application from a trusted machine might be required to provide only one authentication method. However, to access a foreign country's application over an untrusted WiFi connection, the user might also enter a token code as supplementary (step-up).
Final Words
Passwordless Authentication provides a variety of practical and business benefits.
- Improve user experiences — by eliminating password and password fatigue.
- Strengthen security — by eliminating bad cyber hygiene of password management and reducing the risk of credential theft and impersonation.
Today, with the risk of a data breach and identity theft firmly in public awareness, organizations and individuals alike will have to start thinking more seriously about supporting their authentication.
Companies and users need to understand that while passwords are becoming more obsolete by the day, there are robust, user-friendly options for replacing this outdated method.
Before that day comes, you can learn more about how to create a strong but memorable password from my previous HackerNoon post.
Thank you for reading. May InfoSec be with you🖖.
Also published here.