We asked industry experts if a passwordless future will help to ensure effective cybersecurity. Here are their responses:
Bill Mrochek, Head of Product, IAM, JumpCloud
Yes, a passwordless future helps to ensure effective cybersecurity.
MIT and Bell Labs introduced password security in the 1960s, but the concept dates back centuries. As children, many of us read Ali Baba and the Forty Thieves and remember the passphrase ‘Open Sesame’. Passwords, or ‘something you know’, have been the cornerstone for identity but aren’t robust enough for the security challenges of today.
The inherent vulnerabilities with passwords alone – shared passwords, the same password used for different accounts, stolen or hacked credentials, etc. – have driven a shift to passwords functioning often as just one part of Multi-Factor Authentication (MFA).
MFA also includes elements of ‘something you have’ like a card, token, or mobile push authenticator or ‘something you are’, like biometrics that analyze fingerprints, face scans, typing behavior, voiceprints, gestures or even your gait.
There are two schools of thought with passwordless. One argues that a passwordless flow alone with a card, token or push authentication is strong enough by itself to thwart any attack, while others believe that passwordless should involve MFA for a layered security approach. Let’s explore both.
Passwordless flows that use cards, tokens or authenticators alone still trump the password from a strict security sense. Passwords can be phished, but not tokens or push authentication with public/private key pairs, which use asymmetric key cryptography.
A service creates a ‘one time challenge’ at logon, which is signed by the user’s private key and verified by the service with the user’s public key and a logon token is returned. This is the essence of FIDO U2F tokens, FIDO2 pinless, and some mobile push authenticators. The problem is that if used alone, it can be stolen by a malicious actor and can be an easier attack than even a password, but an attack that requires physical theft.
Passwordless MFA is much stronger because it adds one more authentication layer. Even MFA used today alongside a regular old password has been shown to prevent many types of attacks. There is a middle step in the path to passwordless; many consider a Smart Card+PIN or Windows Hello+PIN, or FIDO2 token+PIN as passwordless.
But the PIN is in fact a short, numeric password, so it becomes an MFA with another ‘something you know’ secret. This middle step is light years ahead of previous password-based MFA, since this form of passwordless MFA uses the strong cryptography mentioned above; the PIN is stored in a HW secure element and it has a lockout count.
Truly passwordless MFA requires biometric authentication along with an asymmetric key pair. This is possible with FIDO2, Windows Hello, Smart Cards or push authentication paired with a biometric second factor.
As you journey toward passwordless authentication, whether with MFA or not, you will be increasing your security stance, improving your user experience and finally saying goodbye to the 1960s as you create a truly 21st century cybersecurity world.
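The challenge-response flow described above (a one-time challenge issued by the service, signed by the user's private key, verified with the stored public key, and exchanged for a logon token) as an added, self-contained Go example. It is not code from the article, from JumpCloud or from any FIDO implementation; it assumes Ed25519 as the key type, a hypothetical relying-party origin "https://example.test", and a WebAuthn-style binding of the signed message to that origin, which is what makes the signature useless to a look-alike site. It also shows the two checks a service must make beyond the signature itself: the challenge is consumed on first use (no replay) and it expires.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Authenticator models the user's token (FIDO U2F / FIDO2 style): the private
// key never leaves the device, and the device only ever signs challenges.
type Authenticator struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewAuthenticator() (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{pub: pub, priv: priv}, nil
}

func (a *Authenticator) PublicKey() ed25519.PublicKey { return a.pub }

// signedMessage binds the challenge to the relying-party origin the client
// believes it is talking to (assumption: WebAuthn-style origin binding). A
// signature obtained by a look-alike origin therefore fails at the real one.
func signedMessage(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator so origin and challenge cannot run together
	h.Write(challenge)
	return h.Sum(nil)
}

func (a *Authenticator) Sign(origin string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, signedMessage(origin, challenge))
}

type pending struct {
	user    string
	expires time.Time
}

// RelyingParty is the service: it stores one public key per user and the
// outstanding one-time challenges it has issued.
type RelyingParty struct {
	origin     string
	users      map[string]ed25519.PublicKey
	challenges map[string]pending // keyed by hex(challenge)
	TTL        time.Duration
	Now        func() time.Time // injectable clock, for testing expiry
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{
		origin:     origin,
		users:      map[string]ed25519.PublicKey{},
		challenges: map[string]pending{},
		TTL:        2 * time.Minute,
		Now:        time.Now,
	}
}

// Register stores the public key produced at enrollment; no secret is kept.
func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) { rp.users[user] = pub }

// NewChallenge issues a fresh random challenge tied to one user and one expiry.
func (rp *RelyingParty) NewChallenge(user string) ([]byte, error) {
	if _, ok := rp.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[hex.EncodeToString(c)] = pending{user: user, expires: rp.Now().Add(rp.TTL)}
	return c, nil
}

// Authenticate verifies the signed challenge and returns a session token.
// The challenge is deleted before any check, so a second attempt with the
// same challenge (a replay) fails even if the first attempt succeeded.
func (rp *RelyingParty) Authenticate(user string, challenge, sig []byte) (string, error) {
	key := hex.EncodeToString(challenge)
	p, ok := rp.challenges[key]
	delete(rp.challenges, key)
	if !ok || p.user != user {
		return "", errors.New("unknown, reused or mismatched challenge")
	}
	if rp.Now().After(p.expires) {
		return "", errors.New("challenge expired")
	}
	if !ed25519.Verify(rp.users[user], signedMessage(rp.origin, challenge), sig) {
		return "", errors.New("signature invalid")
	}
	tok := make([]byte, 16)
	if _, err := rand.Read(tok); err != nil {
		return "", err
	}
	return hex.EncodeToString(tok), nil
}

func main() {
	auth, _ := NewAuthenticator()
	rp := NewRelyingParty("https://example.test")
	rp.Register("alice", auth.PublicKey())
	c, _ := rp.NewChallenge("alice")
	tok, err := rp.Authenticate("alice", c, auth.Sign("https://example.test", c))
	fmt.Println("login:", tok != "", err)
	_, err = rp.Authenticate("alice", c, auth.Sign("https://example.test", c))
	fmt.Println("replay rejected:", err)
}
```

The `delete` before verification is deliberate: consuming the challenge on any attempt means an attacker who captures a signed response cannot use it after the legitimate login, and a failed attempt cannot be retried against the same challenge. Note that nothing here stops someone who physically holds the authenticator, which is the limitation the response above describes and the reason a PIN or biometric is added in front of the signing operation.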
Brigadier General (Ret) Gregory Touhill, President of Appgate Federal
According to many cybersecurity veterans, the death of the password has been imminent for the better part of the last decade. However, as we dip our toes into a new decade, it seems like the hype might finally be matching up with the reality of modern technologies.
Passwords were state of the art in 1979 when I enlisted in the Air Force and they remain state of the art for many organizations — over 40 years later! Passwords are ancient technology that crumbles when confronted by bad actors such as criminals and nation-state actors. So why have passwords remained the primary authentication method for so many for all these years?
Well of course the most obvious reason is the simple fact that they’re… simple. Or at least they were until consumers were forced to manage dozens of complex passwords for dozens of sites and applications.
The stakes can be even higher for authenticating business users who typically log into a dozen or more cloud-based applications every day. Enterprise security policies often mandate employees regularly update their passwords every 60 or 90 days to securely access critical system resources.
Consequently, IT help desks spend a good portion of their day helping users recover their passwords, with many organizations investing in technologies to automate a ‘Forgot Your Password?’ response, many of which are fairly easy to defeat by cyber actors with modest skills. This sad environment contributes to the increasing adoption of Single Sign-On (SSO) applications and other commercial password management services.
Compounding this issue is the fact that humans will always be the weakest link in the security chain. According to a 2019 survey conducted by the Harris Poll, 59% of people have reported using the same password across multiple sites. I feel the actual number is closer to 100%.
Chronic re-use of credentials makes all of their other accounts significantly more vulnerable, because a breach anywhere can quickly cascade to numerous compromised accounts.
There are signs that we are gaining real momentum towards a passwordless future. Well-established technologies like Multifactor Authentication (MFA) rely on something you possess (e.g. your smartphone), something you know (e.g. a password/passphrase) and an inherence factor such as biometrics which taken together can ascertain your identity with a far higher degree of confidence than even the most complex password alone can provide.
Innovations like MFA become even more powerful when paired with modern security concepts such as a Zero Trust framework which turns the old ‘trust but verify’ model on its head and instead requires that any device, individual or resource that attempts to connect to the network must be authenticated before gaining access.
A software-defined perimeter is the centralized mechanism by which this framework can be established and enforced and serve as another lever that security teams can have at their disposal to mitigate these types of risk factors.
The marriage of modern authentication tools such as MFA with frameworks like Zero Trust provides organizations with the ability to deliver dynamic, risk-based controls to better secure your information. If you are still relying on passwords alone, you are generations behind best practices and might as well be wearing a ‘cyber kick me’ sign on your back.