Are We Ready for a Future Without Passwords?
By: Steven Anderson, Senior Security Consultant at CISO Global
Cybercriminals Rely on Weak Passwords and Bad Password Management
The challenge of creating the type of complicated passwords needed to keep sensitive data secure has been a defining feature of cybersecurity in recent decades. However, as daily — if not hourly — engagements with digital technology increase, it seems that the average person now has dozens of passwords to remember and keep up with.
The myriad of digital layers in our lives has only amplified the need for security around sensitive information. Unfortunately, as a result, we have created a complex dependency on passwords for just about everything.
How Effective Are Passwords?
As a security layer, passwords have provided protection for every imaginable interface for work and play. But some members of the information security community are turning their back on passwords for a good reason. They’re inherently weak, inconvenient, and prime targets for attacks. Last year alone, there were a record number of data breaches in the U.S. attributed to compromised credentials.
Recently, password manager LastPass was hacked for the second time in six months, with reports stating that an “unauthorized party” gained access to customer information stored in a third-party cloud service shared by LastPass and its parent company, GoTo. This breach represents a troubling trend in password management, but might actually signal an increased call for a future without passwords.
What Could a Future Without Passwords Look Like?
Removing passwords from the authentication equation might reduce more than 80% of data breaches that were a result of a weak password or stolen credentials. Because unfortunately, as fallible beings, the human element continues to cause breaches via stolen credentials, phishing, and simple (but costly) mistakes.
Authentication measures more robust than passwords could provide significant barriers to malicious actors, but it’s important to remember that as technology advances, so will hackers. The immediate goal of moving away from passwords would serve to:
- improve user experience
- prevent fraud
- reduce administrative and deployment costs
Fortunately, the beginning of the transition away from passwords, one-time passcodes (OTPs), and knowledge-based answers (KBAs) toward more secure, consumer-friendly, and cost-efficient authentication solutions is here.
Microsoft, Google, Apple: Building a Future Without Passwords
In an effort to secure sensitive user data, Microsoft announced that its users could go without passwords to access services like Windows, Xbox, and Microsoft 365.
Options such as the Windows Hello or Microsoft Authenticator apps use biometric data such as fingerprints or facial recognition to help users securely log in. Google asserts that it is building “a simpler and safer future — without passwords.” Google’s physical security keys and its Smart Lock app allows an individual to use a Bluetooth security key or set up the security key already built into a phone. As investments in cybersecurity culture continue to mushroom, it is projected that the “smart lock market will reach $5.53 billion by 2029.”
Google’s future without passwords asserts that “when you sign into a website or app on your phone, you will simply unlock your phone — your account won’t need a password anymore.” What makes this possible is that your phone will store a FIDO credential called a passkey which is used to unlock your online account.
Apple’s iOS 16 update aims to make passwords a thing of the past by using a biometric sign-in system that removes passwords completely. The “passkeys” mechanism is labeled as a safer and more secure alternative to passwords. This is because no matter how long or short your password is, it can easily be compromised. However, such things are not possible with a passkey, based on a two-factor authentication platform.
Apple’s devices have used Touch ID and Face ID features for several years. The company is also developing its passkeys feature to allow those same fingerprint or facial recognition tools to create logins without passwords for apps and accounts on iOS devices.
It is important to remember that hackers are clever. There are even signs that cybercriminals are keeping pace with this new technology, as they have shown the ability to exploit authentication mechanisms on the whole. So, while attackers may not be able to exploit your biometric data yet, they can still find ways around the hurdle. Bypassing of biometric access controls should not present additional concerns to the end user because authentication bypass attacks occur against authentication mechanisms that utilize passwords. This is not new and certainly not unique to biometric authentication. It is also outside of the end user’s control as it is generally determined by software implementation on the server side.
Further, much like the problem of protecting encryption keys in your environment, you have to think about how you, an app, or any other organization will protect biometric data during collection, storage, and use. A bad actor’s use of acquired biometric data should be of utmost concern to end users in this scenario. If a company that has your biometric data stored in a database is breached by an attacker, what are your options? Can you change your face and fingerprints? Do you use different fingerprintsfor different websites/services? If best practices were to switch completely from the “what you know, what you have, who you are” model to just a “who you are” model, my greatest concern would be that once a bad actor has what it takes to “be” you, they are forever “you.” So, if you are looking to incorporate use of biometric authentication into an application, well-planned security architecture and proper controls will be essential.
In short, while switching from password-driven authentication to biometric authentication may significantly reduce the risks associated with trivial attacks such as password guessing, password spraying, and password reset mechanisms, it does nothing to mitigate risks associated with insecure or vulnerable storage of authentication data. If biometric data falls into the hands of a malicious actor, you do not have the option of changing your fingerprints or changing your face.
While this is exciting news for people who are tired of trying to manage a laundry list of passwords to get through the day, it’s likely that widespread adoption may still take some time, even though implementation of this technology has already begun. Time is our friend, in this instance, because whilebiometric authentication looks to be the way of the future, there are still a number of longstanding security /technology / implementation risks that need to be addressed before such a switch is a feasible option.
Want to better understand how to safeguard your organization’s data and reputation against these and other cybersecurity threats? Reach out to CISO Global, Inc. today!