Heads up: What are true passwordless technologies?

13 November 2021, by Horst Buchwald

New York, 11/13/2021

One of the biggest security risks in the modern business world is the mass use of passwords as the primary authentication method for all kinds of applications. When passwords were first introduced, they were considered a secure way for both individuals and businesses to control access to systems and sensitive data. Today the weaknesses of this form of authentication are plain: passwords not only make life difficult for users, they also create a false sense of security and leave large gaps in an organization’s defenses.

The „Verizon 2021 Data Breach Investigations Report“ found that 61 percent of the breaches analyzed involved credentials. „haveibeenpwned“ currently lists more than 11 billion compromised (pwned) accounts.

Because of this, many companies are moving to passwordless technologies. However, there is still confusion about what exactly qualifies as „passwordless“ authentication. Some solutions marketed under that label merely store the password and enter it on the user’s behalf, or replace it with another shared secret that can be phished just as easily, such as a magic link or a one-time password.

So one should first understand what really constitutes a passwordless solution. The basic problem is that a password is a „shared secret“: both sides of the exchange know the secret and have it stored. The application keeps these passwords (or hashes of them) in a database, which makes that database a favorite target for cybercriminals. Passwords also become a proxy identifier for users, and users often choose passwords that relate to something in their lives, such as names and important dates, to make them easier to remember. That makes it very easy for attackers to guess them and gain access to sensitive data.

In recent years, criminals have become increasingly successful at tricking their victims into handing over their credentials for various accounts. They set up fake websites that imitate a real website in order to capture the password and then relay it to the legitimate site, logging the attacker in. They have also developed malware that runs on the user’s device and steals the credentials when the user types them. If the same password is used for multiple accounts, stealing it once opens several systems. And because users often pick easy-to-guess passwords such as their favorite football team or movie character, attackers can use brute-force techniques, in which they systematically try popular passwords against login pages (password spraying), to gain access.

While some users have followed the advice of experts and opted for more complicated passwords with the help of a password generator, they are still at risk because the techniques mentioned earlier (phishing sites and malware designed to steal credentials) don’t care whether the password is four or four hundred characters long.

Even password managers that store passwords securely are not a complete answer. A manager that binds each credential to the site’s origin will refuse to autofill it on a look-alike domain, but a user who copies the password out by hand when a phishing email arrives, or a manager that matches sites loosely, hands it to the criminals just the same.

Compromised passwords always mean a lot of trouble for a company. Resetting passwords and recovering accounts alone consumes a great deal of time. For this reason alone, it makes sense to look for leaner and more secure methods.

Still, caution is advised when considering alternatives that appear to be „passwordless.“ Any method that relies on a shared secret can be phished or stolen. Adding another layer of protection on top of passwords in the form of multi-factor authentication (MFA) presents its own challenges. Aside from the extra, often inconvenient steps it imposes on users, traditional MFA approaches still rely on the password as the first check, so the weakest link in the chain remains in place.

Cybercriminals can intercept both the password and the MFA code, via a man-in-the-middle proxy (real-time phishing) or malware on the endpoint, and then open a fraudulent session of their own. Two shared secrets are not much more secure than one. Any MFA solution whose second factor can be captured and replayed is simply not strong enough to outsmart modern attackers.

A truly passwordless approach eliminates the security risks of both passwords and older MFA approaches that rely on passwords or other forms of shared secrets. A common sense approach is to eliminate the password from the login flow, application database, and account recovery flow and replace it with something inherently secure.

The most reliable way to replace passwords is proven public-key cryptography, so that no shared secret is ever exchanged. This is the same approach that protects financial transactions over the Internet in the form of TLS.

Transport Layer Security (TLS), indicated by the lock icon in the browser, authenticates the server to the user and establishes a private channel for the communication. TLS uses public/private key cryptography to validate the server (the server proves possession of the private key matching its certificate) and to set up the secure channel.

In passwordless authentication based on public/private key cryptography, the private key is securely stored on the user’s device itself.

The most secure solutions store the key in dedicated hardware that modern devices (PCs, phones and tablets) already ship with, so that the private key never leaves the device and remains unknown to every party involved. The public key is handed to the applications the user wants to access, but the public key alone cannot be used to get into the system. At logon, the server sends a fresh random challenge; the device signs it with the private key, and the server uses the stored public key to confirm that the signature was produced by the matching private key. The user is thus securely authenticated without any shared secret changing hands. Not even the user is privy to the private key, so there is nothing to write down, lose or accidentally share.
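To make the challenge-response login described above concrete, here is an added example (not code from the article or from any vendor it alludes to) in Go using the standard library’s Ed25519. The authenticator holds the private key and exposes only a signing operation; the server stores only the public key, issues a single-use random challenge, and verifies the signature over the challenge bound to its own origin. The origin binding is the property that defeats the phishing relay discussed earlier: a signature obtained on a look-alike domain does not verify for the real one. The message encoding (length-prefixed origin followed by the challenge), the origins and the user name are constructed for this demo; they mirror the idea behind WebAuthn’s client data, not its actual wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator models the user's device. The private key is generated here and
// never leaves this struct; the only operation exposed is Sign.
type Authenticator struct {
	priv ed25519.PrivateKey
}

// Server models the relying party. It stores public keys only, plus the set of
// challenges it has issued but not yet seen answered (each is single use).
type Server struct {
	Origin  string
	users   map[string]ed25519.PublicKey
	pending map[string]bool // hex(challenge) -> still outstanding
}

func NewServer(origin string) *Server {
	return &Server{Origin: origin, users: map[string]ed25519.PublicKey{}, pending: map[string]bool{}}
}

// Register: the device generates a key pair and hands the server only the public half.
func Register(s *Server, user string) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.users[user] = pub
	return &Authenticator{priv: priv}, nil
}

// Challenge issues 32 fresh random bytes and remembers them so they can be answered once.
func (s *Server) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[hex.EncodeToString(c)] = true
	return c, nil
}

// message binds the challenge to the origin the client believes it is talking to:
// 4-byte big-endian length, origin, challenge. Assumed encoding for this demo.
func message(origin string, challenge []byte) []byte {
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(origin)))
	msg := append(n[:], origin...)
	return append(msg, challenge...)
}

// Sign is what the browser asks the device to do: sign the challenge together with
// the origin of the page that requested it. A phishing page gets its own origin baked in.
func (a *Authenticator) Sign(origin string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, message(origin, challenge))
}

// Login verifies the response with the stored public key against the server's own
// origin and consumes the challenge so the same response cannot be replayed.
func (s *Server) Login(user string, challenge, sig []byte) error {
	key := hex.EncodeToString(challenge)
	if !s.pending[key] {
		return errors.New("unknown or already used challenge")
	}
	delete(s.pending, key)
	pub, ok := s.users[user]
	if !ok {
		return errors.New("unknown user")
	}
	if !ed25519.Verify(pub, message(s.Origin, challenge), sig) {
		return errors.New("signature does not verify for this origin")
	}
	return nil
}

// Scenarios runs an honest login, a relayed phishing attempt and a replay, and
// reports whether each was accepted by the server.
func Scenarios() (legit, phished, replayed bool, err error) {
	srv := NewServer("https://bank.example") // constructed origin
	dev, err := Register(srv, "alice")       // constructed user
	if err != nil {
		return
	}
	// 1. Honest login: the browser is on the real origin.
	c1, err := srv.Challenge()
	if err != nil {
		return
	}
	legit = srv.Login("alice", c1, dev.Sign(srv.Origin, c1)) == nil

	// 2. Phishing relay: the attacker fetches a real challenge, shows it to the
	// victim on a look-alike origin and forwards the victim's signature to the real server.
	c2, err := srv.Challenge()
	if err != nil {
		return
	}
	victimSig := dev.Sign("https://bank-example.com", c2) // constructed look-alike origin
	phished = srv.Login("alice", c2, victimSig) == nil

	// 3. Replay: a response for an already consumed challenge is submitted again.
	replayed = srv.Login("alice", c1, dev.Sign(srv.Origin, c1)) == nil
	return
}

func main() {
	legit, phished, replayed, err := Scenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("honest login accepted: %v\nphishing relay accepted: %v\nreplay accepted: %v\n",
		legit, phished, replayed)
}
```

Note what the server never holds: no password, no password hash, and no copy of the private key, so a dump of its database yields nothing an attacker can log in with. The single-use challenge set is kept in memory here; a real deployment would persist it with a short expiry.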