Passwords have been the cornerstone of digital security since time immemorial. They are such a critical aspect of our security infrastructure and practices that an entire day, the first Thursday of May, is dedicated to raising awareness about the importance of setting strong passwords and maintaining good online security habits. Unfortunately, passwords are also considered one of the biggest security weak links. A recent report by Verizon found that compromised passwords are involved in 81% of all data breaches. As cyberattacks and criminals become increasingly sophisticated with each passing day, adopting the latest technological developments to hone their skills, the need for stronger and more secure authentication methods has become imperative.
Enter passwordless authentication, a new way to authenticate users without the need to enter passwords every time.
Why do we need passwordless authentication?
In a password-based authentication process, regardless of whether multi-factor authentication (MFA) has been adopted, the first step involves the user entering their username and password, which serves as proof of their identity.
However, this process has two major disadvantages. The first problem arises when users choose weak and predictable passwords. Weak passwords can be easily guessed, stolen, or hacked, leaving sensitive data vulnerable to cybercriminals. More than 24 billion login credentials are already available in the public domain, according to research by Digital Shadows. Password reuse is also a common problem, as users often use the same password for multiple accounts. This makes it very easy for cybercriminals to gain access to multiple accounts with just one stolen password.
The second problem arises when even after choosing strong passwords, users fail to remember them. Having to constantly reset passwords can quickly lead to frustration which can then make people careless about where they store their passwords. You’d be surprised at how fast an annoyed user can abandon security for the sake of convenience and store their passwords in an Excel sheet! This frustration and carelessness can then bring us back to square one, where users set easy and predictable passwords just so that they don’t forget them easily.
Coming back to multi-factor authentication, although it certainly helps to have an additional layer of security, MFA adoption rates have been abysmally low. Microsoft engineers reportedly said that 99.9% of the compromised accounts they track every month don’t use MFA. More importantly, MFA is also not immune to cyberattacks: attackers have found multiple ways, including MFA bombing and man-in-the-middle attacks, to capture MFA details such as the one-time passwords (OTPs) sent during the validation process. According to a recent study by SecureAuth, security experts are also worried about the risks associated with traditional MFA, with 55% reporting that relying on OTPs delivered by text message or phone call leaves them open to cyberattacks.
Removing the password barrier
These challenges can be eliminated with the adoption of passwordless authentication methods. In addition to providing a more convenient and user-friendly authentication experience, passwordless login methods also significantly reduce the risk of cybercrimes and data breaches.
These new authentication methods use alternative forms of identification, such as biometrics, hardware tokens, and passkeys. Biometric authentication uses unique physical characteristics, such as fingerprints or facial recognition, to authenticate users. Hardware tokens are physical devices that generate one-time passwords (OTPs) or cryptographically signed messages. Passkeys, also known as FIDO2 keys, are small USB or NFC devices that allow users to authenticate without the need for a password.
The Fast Identity Online (FIDO) Alliance is an open industry association that was established to develop and promote awareness of authentication standards that help reduce the world’s over-reliance on passwords. The alliance has developed a global authentication standard known as FIDO authentication, which forms the foundation for passkeys. The unique selling proposition of passkeys is that they are strong, phishing-resistant, and designed so that there are no shared secrets. Passkeys are essentially a pair of cryptographic keys—a public key and a private key—generated by the user’s authorized device.
Any application or website that the user wants to log into stores a copy of the user’s public key when they log in, but the private key is stored only on the authorized device. After this device validates the user’s identity, usually with the help of biometric authentication tools, the two keys come together to grant access to the desired destination.
The security advantages of adopting passkeys are manifold. Passkeys cannot be guessed or shared between users, as each is a unique combination of cryptographic keys. Further, they are resistant to phishing attempts because they’re unique to each site or app that the user wants to access; as a result, they won’t work on fake or look-alike sites and applications. To top it off, because the site or app stores only the public key, passkeys cannot be stolen by hacking into a company’s server or database.
It is not surprising, then, that many tech companies are now deliberating on making passkeys available to their users. Apple has made passkeys available to its iOS 16 users for a while now, and Google just took its step into the passwordless future by announcing that its users can now use passkeys to log in to their Google accounts across all platforms.
Making the transition to a passwordless world
The choice to adopt passwordless authentication depends upon the needs of the organization. It’s not a one-size-fits-all solution that can be quickly implemented without much forethought. It depends upon the IT security strategy, needs, and budget of an organization and requires a detailed plan before implementation.
While it may seem like a daunting task, it can be executed smoothly with the right approach. Here are a few suggestions to make the transition easier:
1. Start small: Begin with a pilot program to test the new authentication method before rolling it out to the entire organization.
2. Educate your users: Provide training and resources to help employees understand the benefits and proper usage of the new authentication method.
3. Use a phased approach: Roll out the new authentication method in phases, starting with low-risk applications and select departments and gradually moving to higher-risk ones.
4. Offer continuous support: Provide support and resources to those who might need assistance with the new authentication method.
5. Monitor and evaluate: Continuously monitor and evaluate the new authentication method to ensure it is effective and meets the needs of the organization.
Any change or modernization is met with apprehension and resistance in the beginning, but don’t let that deter your efforts. While passwords may have been the default go-to until now, the rate of data breaches we’re witnessing and the rapid pace of advancements in cybersecurity threats mean that organizations need to adopt more secure authentication practices quickly. Whether or not passkeys truly take over from passwords remains to be seen, but organizations need to prepare themselves for a future in which passwords become obsolete and passwordless authentication is the order of the day.