“Treat your password like your toothbrush. Don’t let anybody else use it, and get a new one every six months.” — Clifford Stoll We use keys to unlock doors and use locks to protect our private properties. In the digital world, we do the same. While keys have many “forms,” the most common one is still the password. Passwords have been used as the foundation of authentication for years. While passwords are still a large portion of our cyber landscape, they have been on the decline for more than a decade. But eventually, we will face a time when the password is no longer proof of our digital self. Principally, using a password to get access to a system is a method of authentication. According to authentication is when the user provides a credential to the system to prove the identity. Authentication factor can be of the following types: (ISC)² CBK | Common Body of Knowledge — ISC2, Something you ARE Something you HAVE Something you KNOW Using a password is an example of . It is a mechanism of having one factor of authentication. A system relies on a secret that the login users must memorize and exhibit to prove their identity. This case may seem straightforward enough, but it has profound implications. Something you KNOW The Problem with Passwords Simple authentication methods that solely require username and password are intrinsically vulnerable. Attackers could guess or steal credentials and gain unauthorized access to sensitive information and systems using various techniques, including: — using programs to generate random username/password combinations or exploit weak passwords like “123456.” Brute force attacks — using fake emails or text messages to trick a victim into replying with their credentials Phishing — intercepting communications traffic (over public WiFi, for example) and replaying credentials Man-in-the-middle attacks — injecting stolen or leaked credentials from an account to log in to other accounts that belong to the same user (people often use the same username/password combination for multiple accounts) Credential stuffing — installing malware/ hardware on a computer to capture username/password keystrokes Keylogging Password Fatigue Today, we all rely on various apps to perform our jobs. By that, we are forced to memorize and track all the login credentials for each one of them. Moreover, changing passwords frequently is tiring for us in front of a computer. Flooded by password sprawl, users take risky alternatives like applying the same password weak passwords, repeating passwords, or posting passwords on sticky notes. Bad actors can take advantage of the l in password management to install cyber-attacks and data theft. Compromised of data breaches. oose cyber hygiene practices credentials to get unauthorized access is a major cause (80%) Why Passwords Die Hard For years, the security industry has been producing multiple authentication alternatives to substitute passwords as the norm. These solutions span the technological spectrum: Something you HAVE: Proximity badges, physical tokens, or USB devices (FIDO2-compliant) Software tokens or certificates A mobile phone application (SMS, One-Time-Code (OTC)) Something you ARE: Biometrics — Fingerprint, palm, voice or facial recognition, or retina scanning But the question is, with so diverse, considerably more secure choices available, why are passwords still around? Three drivers are retaining passwords from exiting the stage. 1# Cost — Password is Cheap Most applications and online tools now come preset with password-based authentication by default. Companies let their networks and IT departments set up to support this system of identity management. Renovating authentication protocols often need time and a substantial initial investment. For example, using security tokens as an alternative requires purchasing and distributing physical/ software devices to all users. 2# UX — User Likes Routines Users get used to the way password authentication works and made passwords part of their routines. Putting a new form of securing digital identities is often met with resistance. Training or education program is required to deploy the alternatives for password successfully. 3# Not Everything Can Start Over or Reboot If your password is stolen, you can reset it immediately to prevent further damage. But for the others, it may not be the case. Say your fingerprint data was stolen online. You can only use another finger for authentication in the future if you revoke the first one. The physical token also needs to return it and map a new one to resume your authentication. That is why, ultimately, the password is the fallback plan for most of the applications. The Future-ready Authentication A password-free authentication that would become the replacement should be ready to tackle the three drivers. To simply put, it should be cost-effective and easy to use. Passwordless Authentication First, with passwordless authentication, there are no passwords to memorize or security question answers to remember. As a result, users would not have password fatigue. Unlocking your phone with your fingerprint is faster and easier than type-in the password. Besides, the complexity of your fingerprint data is natively higher than the 8-digits password. Moreover, to enhance security further, (MFA) is often deployed in conjunction with passwordless authentication. For example, when you log in to a web application online and prove your identity using a biometric method on your phone, you are using MFA at once: multi-factor authentication Something you ARE — fingerprint or facial recognition Something you HAVE — your mobile phone Push-based Authentication This password-free, mobile-based system, ordinarily in downloadable apps, does the authentication automatically, only requiring the user to respond to a secured push notification. Also, push harnesses the user’s mobile phone as an authenticator, meaning that no secondary devices are required. You’ve probably seen that for Gmail. Google provides push-based authentication Adaptive Authentication The latest MFA solutions support That is the one using including location, time-of-day, IP address, device type, and business logic, to decide which authentication factors to apply to a particular user in a specific situation. adaptive authentication methods. contextual information, Adaptive authentication balances practicality with security. Let say an employee is allowed to work from home for a period. And he accesses the company network from one external location consistently from his home address. The first-time login could be a combination of multifactor authentication and activity monitoring for IAAA purposes. But later on, the to simplify his/ her daily workflow. That user would be under supervision, but he can focus on his work instead of remembering various login secrets. authentication process could “step down” In another scenario, an employee accessing an enterprise application from a trusted machine might be required to provide only one authentication method. However, to access a foreign country's application over an untrusted WiFi connection, . the user might also enter a token code as supplementary (step-up) Final Words Passwordless Authentication provides a variety of practical and business benefits. — by eliminating password and password fatigue. Improve user experiences — by eliminating bad cyber hygiene of password management and reducing the risk of credential theft and impersonation. Strengthen security Today, with the risk of a data breach and identity theft firmly in public awareness, organizations and individuals alike will have to start thinking more seriously about supporting their authentication. Companies and users need to understand that while passwords are becoming more obsolete by the day, there are robust, user-friendly options for replacing this outdated method. Before that day comes, you can . learn more about how to create a strong but memorable password from my previous HackerNoon post Thank you for reading. May InfoSec be with you🖖. Also published here.

No Password is Better than A Strong Password

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Time Bombs Inside Software: 0-Day Log4Shell is Just the Tip of The Iceberg

161 Stories To Learn About Authentication

3 Reasons for B2C Enterprises to Implement Single Sign-on Authentication

4 Dangers of Sticking with Outdated MFA Methods

The Noonification: Tailwindcss? Ill Pass (8/27/2023)

80% Devices in 2023 Are Already Passkey-Ready: Apple, Microsoft, and Google Pushing It Even Higher

Time Bombs Inside Software: 0-Day Log4Shell is Just the Tip of The Iceberg

161 Stories To Learn About Authentication

3 Reasons for B2C Enterprises to Implement Single Sign-on Authentication

4 Dangers of Sticking with Outdated MFA Methods

The Noonification: Tailwindcss? Ill Pass (8/27/2023)

80% Devices in 2023 Are Already Passkey-Ready: Apple, Microsoft, and Google Pushing It Even Higher

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps