PASSWORDS have few admirers as an identity and access management technology, but viable alternatives are few and far between—or at least they have been until relatively recently. Biometrics and other technologies such as FIDO (Fast Identity Online), which uses public key cryptography for authentication, are on the verge of putting passwords and their many flaws to rest once and for all.
In May of this year, Apple, Google, and Microsoft announced a joint effort to expand support for FIDO, which was created by the FIDO Alliance and enables “websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms.”
Jason Oeltjen, vice president of product management at authentication solutions vendor Ping Identity, called the announcement “a massive step toward a passwordless future” as it allows you to create a new account without ever needing a password and frees you from having to re-register every single FIDO account when someone loses a device.
Finding Shortcuts
A passwordless future will make life easier and more secure. Passwords cause a lot of frustration, so people base credentials on easy-to-guess words such as the names of pets and relatives, or keep the same password for far too long.
“People are what make passwords weak,” says Kevin Higgins, senior consultant at cybersecurity company Optiv. “We are conditioned to choose passwords that are easy to type or remember, or to use certain patterns to create passwords.”
Having conducted hundreds of password audits, Optiv has identified various problematic practices that weaken passwords, Higgins says. Reusing them for multiple applications is a common one. “There are many cases of leaked credentials where you can tie a user’s organizational account to a personal account due to password reuse,” he says.
Another problematic practice involves password construction. People often repeat patterns such as “capitalizing the first character of your password and either ending with an exclamation mark or the numbers 1 or 9,” Higgins says.
Taking shortcuts when creating passwords weakens them, potentially giving hackers access to accounts containing sensitive data. “A weak password is very easy to steal, especially if it is stored in an email, an Excel file, or even in software code,” says Craig Lurey, co-founder and CTO of Keeper Security, a cybersecurity software provider.
Password theft happens all the time. Verizon, which publishes the yearly Data Breach Investigations Report, estimates that 61% of breaches result from stolen credentials. One relatively simple way to reduce that statistic is to require a second form of authentication—usually a one-time code sent to users by email, text, or a security device.
A Better Way
Two-factor authentication complicates the hacker’s job of breaking into an account, but users still must remember passwords. Oeltjen says biometrics—fingerprints, facial scans, and eye scans—and passwordless methods such as FIDO are better alternatives.
Face ID and fingerprint-based authentication are increasingly common in mobile devices. “They offer the best of both worlds, security and convenience,” Oeltjen says. “Cybercriminals often choose the path of least resistance. Passwords are low-effort targets that are relatively easy to capture. Passwordless options require much more expertise and time to hack.”
FIDO aims to increase security by using public key cryptography for authentication instead of passwords. When a user registers with a website or application, a key pair is created for the user’s device, and the public half is stored by the site’s server. In subsequent logons, authentication occurs through an exchange between the server and the user’s device, with no password ever transmitted.
This takes the onus off the user for authentication and improves the experience. “I believe passwordless technology will reach wider adoption each progressing year because organizations realize their customer experience and security will improve dramatically by doing so,” Oeltjen says.
Whither the Password?
Eliminating the human factor from authentication, Higgins notes, is critical. He likes Yubico’s approach, which uses a USB stick-like device called YubiKey to provide multifactor authentication directly to computers and smartphones rather than delivering a passcode via text or email. The user inserts the registered YubiKey into a USB port and touches the device to confirm that a person is physically present, or taps the YubiKey on an NFC-enabled phone to complete authentication.
“The challenge is trying to come up with a solution to remove passwords altogether,” Higgins says, which is not so easy. Otherwise, it would have happened already. “One challenge with biometrics and hardware key adoption has been a lack of standards,” says Lurey.
Legacy technologies and practices also get in the way. “Many organizations in critical industries, like healthcare, finance, and government, depend heavily on legacy equipment that doesn’t support newer authentication technologies. This equipment is critical to their back-end business processes, and it’s not feasible to replace it all at once,” Lurey says.
Oeltjen believes the elimination of passwords is simply too unfamiliar for some businesses. “Despite passwordless technology evolving and becoming ready for widespread adoption, the fear of change and organizational resistance is real.”
Replacing password-based authentication processes requires a massive overhaul for most companies, Higgins points out. “Even now, most organizations are still falling behind just implementing multifactor authentication properly for their applications. With large amounts of clients still playing catchup, things including YubiKeys, badges, and biometrics probably won’t be mainstream for a long time.”
While change is pretty much inevitable, there are steps organizations can take in short order to improve their authentication methods. “I would say that, in 2022, it is outright unacceptable for any application that stores or processes sensitive data to not support at least basic two-factor authentication,” says Lurey.
He continues, “Today, many devices come with a fingerprint reader. Hardware keys like YubiKeys can be used via USB on a laptop or via NFC on a mobile device. We support all of these at Keeper Security, and there is nothing preventing a savvy user from using them right now.”
Higgins says another relatively easy step organizations can take today is to implement a password manager, which stores all the credentials for a user’s accounts and generates strong passwords.
Password managers require users to remember only one password, but the technology has received criticism for creating a single point of failure. If a hacker gets access to the master password, they also gain access to all others.
Organizations can strengthen their security practices by using a combination of single sign-on (SSO), multifactor authentication, and risk scoring. Like password managers, SSO requires only a single password, but the addition of risk scoring techniques helps identify anomalies in user behavior to trigger an extra layer of authentication.
While the ultimate goal for organizations is to go passwordless, many of the transitional practices still require passwords. So, the journey will take time, and change will be incremental. “We should be mindful that passwords are not going away anytime soon. They are too ingrained in legacy applications and websites, and into how people think,” says Lurey.
PEDRO PEREIRA is a New Hampshire-based freelance writer who has covered the IT channel for two decades.