Why The Shift To Passwordless Authentication Is Inevitable

Far too many systems have already been compromised through weak, reused, or stolen passwords. After years of attempts to shore up this archaic authentication method, much of the security community has concluded that passwords have outlived their usefulness. One alternative that has gained wide support takes the direct route of eliminating the password altogether: passwordless authentication. Although still maturing, passwordless authentication looks poised to eventually push passwords into obsolescence.

Data breaches and cyber incidents involving passwords

The reputation of passwords as an ineffective security mechanism is well documented. Here are two highly publicized incidents involving compromised passwords that illustrate their major disadvantages.

Adult Friend Finder Data Breach

In 2016, more than 400 million accounts were exposed in a breach that leaked names, email addresses, and passwords. The passwords were stored as plain SHA-1 hashes (some reportedly in plaintext). SHA-1 is a fast, general-purpose hash: with no salt and no iteration, an attacker can test billions of guesses per second against the whole dump at once, so most of the hashes fall to a wordlist in minutes. The wider concern with breaches like this is that most people reuse the same password across multiple sites, so a password stolen from one site can be replayed to hijack accounts on another (credential stuffing).
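To make the storage problem concrete, here is an added example (not code from the article or from WinMagic) that cracks a constructed dump of unsalted SHA-1 hashes with a wordlist lookup, then shows the hardened form: a per-password random salt plus PBKDF2 stretching, so a precomputed table is useless and every guess costs the full work factor. The sample passwords, the wordlist, and the 100,000-iteration work factor are assumptions for illustration; the PBKDF2 routine is written out so the block needs nothing beyond the Go standard library.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"hash"
)

// sha1Hex is the storage format at issue: a plain, unsalted SHA-1 of the password.
func sha1Hex(password string) string {
	sum := sha1.Sum([]byte(password))
	return hex.EncodeToString(sum[:])
}

// crackUnsaltedSHA1 maps every leaked hash that appears in the wordlist back to
// its password. Without a salt, one pass over the wordlist cracks the whole dump.
func crackUnsaltedSHA1(leaked, wordlist []string) map[string]string {
	table := make(map[string]string, len(wordlist))
	for _, w := range wordlist {
		table[sha1Hex(w)] = w
	}
	cracked := map[string]string{}
	for _, h := range leaked {
		if w, ok := table[h]; ok {
			cracked[h] = w
		}
	}
	return cracked
}

// pbkdf2 is RFC 8018 PBKDF2 over HMAC-h, written out here so the block needs
// nothing outside the standard library.
func pbkdf2(password, salt []byte, iter, keyLen int, h func() hash.Hash) []byte {
	prf := hmac.New(h, password)
	hashLen := prf.Size()
	numBlocks := (keyLen + hashLen - 1) / hashLen
	var ctr [4]byte
	dk := make([]byte, 0, numBlocks*hashLen)
	u := make([]byte, hashLen)
	for block := 1; block <= numBlocks; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(ctr[:], uint32(block))
		prf.Write(ctr[:])
		dk = prf.Sum(dk)
		t := dk[len(dk)-hashLen:]
		copy(u, t)
		for n := 2; n <= iter; n++ { // u_n = PRF(password, u_{n-1}); t ^= u_n
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(u[:0])
			for i := range u {
				t[i] ^= u[i]
			}
		}
	}
	return dk[:keyLen]
}

// iterations is a hypothetical work factor; tune it so one check takes ~100 ms.
const iterations = 100000

// hashPassword returns salt||dk with a fresh random 16-byte salt per password,
// so a precomputed table is useless and every guess costs `iterations` HMACs.
func hashPassword(password string) ([]byte, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	dk := pbkdf2([]byte(password), salt, iterations, 32, sha256.New)
	return append(salt, dk...), nil
}

// verifyPassword recomputes the stretched hash under the stored salt and
// compares it in constant time.
func verifyPassword(stored []byte, guess string) bool {
	if len(stored) != 16+32 {
		return false
	}
	dk := pbkdf2([]byte(guess), stored[:16], iterations, 32, sha256.New)
	return subtle.ConstantTimeCompare(dk, stored[16:]) == 1
}

func main() {
	// Constructed "leak": the unsalted SHA-1 hashes an attacker would obtain.
	leaked := []string{sha1Hex("123456"), sha1Hex("qwerty"), sha1Hex("Tr0ub4dor&3")}
	wordlist := []string{"password", "123456", "qwerty", "letmein"}
	fmt.Println("cracked from the SHA-1 dump:", crackUnsaltedSHA1(leaked, wordlist))

	stored, _ := hashPassword("Tr0ub4dor&3")
	fmt.Println("salted, stretched verify (correct):", verifyPassword(stored, "Tr0ub4dor&3"))
	fmt.Println("salted, stretched verify (wrong):  ", verifyPassword(stored, "123456"))
}
```

Two of the three leaked hashes fall to a four-word list instantly; the third survives only because it is absent from the list, not because SHA-1 protected it. The same pbkdf2 function reproduces the RFC 6070 test vectors when given sha1.New, which makes the point that the primitive is not the issue: the missing salt and work factor are. In production, prefer a dedicated password hash (Argon2id, scrypt, or bcrypt) over hand-rolled PBKDF2.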

Mirai IoT Botnet DDoS Attack

Compromised passwords don't just lead to data breaches and hijacked accounts. In 2016, the largest DDoS attacks on record at the time were launched by Mirai, a botnet that ensnared over 600,000 Internet of Things (IoT) devices simply by logging in to them over telnet with a short list of unchanged factory default usernames and passwords. Once the attackers controlled those devices, they used them to launch massive DDoS attacks.

Despite various efforts to tackle the password problem, the issue persists. A recent Verizon Data Breach Investigations Report found that over 80% of breaches within the hacking category involved brute force or the use of lost or stolen credentials. That supports the point above: a password stolen in one breach is routinely the way into the next account or system.

Top password attack methods

Before we explain why passwords are ineffective, let's go over the most common attack vectors targeted at them.

Brute force attack

Guessing attacks are arguably the most common against password-based logins. An online brute-force attack uses a tool that submits a large number of candidate passwords in rapid succession to a login interface until one succeeds. In practice, attackers rarely enumerate every character combination: they try dictionaries of common and previously leaked passwords, either many guesses against one account (classic brute force) or a few likely guesses across many accounts to stay under lockout thresholds (password spraying). When a hashed password database has been stolen, the same guessing runs offline, with no rate limits at all.
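The two online variants leave different fingerprints in authentication logs, and telling them apart matters because a per-account lockout stops the first but not the second. The following is an added example (not from the article) of detection logic run over a constructed log sample: it flags brute force as many failures against one account inside a time window, and spraying as one source failing against many distinct accounts inside the window. The log format, the thresholds (5 failures, 5 accounts, 5 minutes), and the sample lines are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// sampleLog is a constructed authentication log in an assumed format:
// "<RFC3339 time> user=<name> src=<ip> result=<OK|FAIL>".
var sampleLog = []string{
	"2024-05-01T10:00:01Z user=alice src=10.0.0.5 result=FAIL", // one typo, then success
	"2024-05-01T10:00:09Z user=alice src=10.0.0.5 result=OK",
	"2024-05-01T10:01:00Z user=bob src=203.0.113.7 result=FAIL", // brute force on bob
	"2024-05-01T10:01:03Z user=bob src=203.0.113.7 result=FAIL",
	"2024-05-01T10:01:06Z user=bob src=203.0.113.7 result=FAIL",
	"2024-05-01T10:01:09Z user=bob src=203.0.113.7 result=FAIL",
	"2024-05-01T10:01:12Z user=bob src=203.0.113.7 result=FAIL",
	"2024-05-01T10:02:00Z user=carol src=198.51.100.9 result=FAIL", // spray: one guess per account
	"2024-05-01T10:02:30Z user=dave src=198.51.100.9 result=FAIL",
	"2024-05-01T10:03:00Z user=erin src=198.51.100.9 result=FAIL",
	"2024-05-01T10:03:30Z user=frank src=198.51.100.9 result=FAIL",
	"2024-05-01T10:04:00Z user=grace src=198.51.100.9 result=FAIL",
	"this line is malformed and must be skipped",
}

// authEvent is one parsed login attempt.
type authEvent struct {
	at     time.Time
	user   string
	src    string
	failed bool
}

// parseAuthLog parses the key=value lines; malformed lines are skipped, not fatal.
func parseAuthLog(lines []string) []authEvent {
	var events []authEvent
	for _, line := range lines {
		fields := strings.Fields(line)
		if len(fields) != 4 {
			continue
		}
		at, err := time.Parse(time.RFC3339, fields[0])
		if err != nil {
			continue
		}
		kv := map[string]string{}
		for _, f := range fields[1:] {
			if k, v, ok := strings.Cut(f, "="); ok {
				kv[k] = v
			}
		}
		events = append(events, authEvent{at: at, user: kv["user"], src: kv["src"], failed: kv["result"] == "FAIL"})
	}
	return events
}

// burst reports whether at least threshold of the times fall within one sliding window.
func burst(times []time.Time, threshold int, window time.Duration) bool {
	sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
	for i := 0; i+threshold-1 < len(times); i++ {
		if times[i+threshold-1].Sub(times[i]) <= window {
			return true
		}
	}
	return false
}

// Finding is one alert. Kind is "brute-force" (Key = account, Count = failures)
// or "password-spray" (Key = source IP, Count = distinct accounts targeted).
type Finding struct {
	Kind, Key string
	Count     int
}

// detect flags brute force (>= perUser failures on one account within window) and
// spraying (one source with >= distinctUsers failed accounts, its failures bursting
// within window). Successful logins are ignored here; a real detector would also
// alert on a FAIL burst followed by OK from the same source.
func detect(events []authEvent, perUser, distinctUsers int, window time.Duration) []Finding {
	byUser := map[string][]time.Time{}
	bySrc := map[string][]time.Time{}
	srcUsers := map[string]map[string]bool{}
	for _, e := range events {
		if !e.failed {
			continue
		}
		byUser[e.user] = append(byUser[e.user], e.at)
		bySrc[e.src] = append(bySrc[e.src], e.at)
		if srcUsers[e.src] == nil {
			srcUsers[e.src] = map[string]bool{}
		}
		srcUsers[e.src][e.user] = true
	}
	var out []Finding
	for user, ts := range byUser {
		if burst(ts, perUser, window) {
			out = append(out, Finding{"brute-force", user, len(ts)})
		}
	}
	for src, ts := range bySrc {
		if len(srcUsers[src]) >= distinctUsers && burst(ts, distinctUsers, window) {
			out = append(out, Finding{"password-spray", src, len(srcUsers[src])})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Kind+out[i].Key < out[j].Kind+out[j].Key })
	return out
}

func main() {
	for _, f := range detect(parseAuthLog(sampleLog), 5, 5, 5*time.Minute) {
		fmt.Printf("%-15s %-14s count=%d\n", f.Kind, f.Key, f.Count)
	}
}
```

On the sample, bob's five failures in twelve seconds trip the brute-force rule, and 198.51.100.9 trips the spray rule with one failure each against five accounts; alice's single typo and the brute-force source itself (only one account) are left alone. Real sprays are often slower than five minutes precisely to dodge this kind of window, so production thresholds are usually set per hour or per day and correlated with geolocation and user-agent.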

Phishing

Another commonly used attack method, phishing typically involves a bogus email, expertly crafted to compel the unwitting victim into revealing a password through a fake online form or login screen that imitates the real one.

Social engineering

Here, the attacker impersonates a legitimate person whom the victim trusts and whose role can plausibly involve managing the victim's account: an IT administrator, a help desk staffer, or someone from the victim's bank, mobile carrier, or insurer. The attacker simply calls, relays a bogus storyline, and obtains the victim's password on the spot or through some other channel.

Keylogger 

This attack uses a tool, usually installed by malware, that secretly records the victim's keystrokes as credentials are entered into a login screen. The malware then transmits the captured data to the attacker's remote command-and-control (C&C) server.

Why passwords are ineffective

Notice that all of the attacks above take advantage of the weakest link in any IT environment: the end user.

Brute force attacks are highly effective when users choose short, easy-to-remember passwords. Phishing and social engineering work when the end user fails to suspect the email or the caller. Keyloggers work the moment the end user types in a password.

Brute force attacks can be blunted by requiring long, complex passwords (and, on the server side, by rate limiting, lockouts, and slow, salted password hashing). However, when users find a security policy too hard to follow, they circumvent it. Forced to use long, complex passwords, and finding the exercise tedious, they write the password on a post-it stuck to the monitor or desk, or reuse the same password for every website and application that requires one. Either practice undermines the policy.

As long as an authentication method depends on a secret that a human must remember and type, that method will be vulnerable to abuse. That's where passwordless authentication comes in. It requires minimal to zero human interaction: at the very least, users no longer maintain, recall, and key in lengthy passwords, which also means there is nothing for a phishing page or a keylogger to capture.

How passwordless authentication is going mainstream

Passwordless authentication is not actually new. Biometrics, public key authentication, hardware tokens, smart cards, and so on are just some of the passwordless technologies in use today. They're often paired with a password as one factor in multi-factor authentication (MFA) deployments.

The problem is that, in their current forms, most of these methods add too much friction to the login process. Ever tried authenticating with public key authentication? Unless you work in IT, there's a good chance you haven't.

That is starting to change. A few solutions now integrate these methods seamlessly. One that does this well is SecureDoc passwordless authentication from WinMagic.

SecureDoc passwordless authentication eliminates passwords by combining methods like biometrics, public key authentication, smart cards, and software tokens with the device itself, giving an MFA environment that requires very little effort from the end user.
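What makes public key authentication worth the integration effort is that the user's secret never leaves the device and the server only ever stores public keys, so none of the four attacks above has anything to steal. The following is an added example of the exchange, written for this article rather than taken from WinMagic's product or from any standard: a hypothetical server issues a random, single-use, time-limited challenge; the user's device signs the challenge together with the origin it believes it is talking to; the server verifies the signature under the registered Ed25519 key for its own origin. The server name, the 60-second lifetime, and the look-alike phishing origin are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Server is a hypothetical relying party. It stores each user's registered
// public key (never a secret) and the challenges it has issued.
type Server struct {
	Origin     string // the origin clients are expected to sign for
	mu         sync.Mutex
	keys       map[string]ed25519.PublicKey
	challenges map[string]time.Time // hex(challenge) -> expiry
	now        func() time.Time     // injectable clock, so expiry can be tested
}

func NewServer(origin string) *Server {
	return &Server{Origin: origin, keys: map[string]ed25519.PublicKey{}, challenges: map[string]time.Time{}, now: time.Now}
}

// Register enrolls a user's public key (done once, e.g. at device setup).
func (s *Server) Register(user string, pub ed25519.PublicKey) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.keys[user] = pub
}

// Challenge issues a fresh 32-byte random nonce valid for 60 seconds.
func (s *Server) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.challenges[hex.EncodeToString(c)] = s.now().Add(60 * time.Second)
	return c, nil
}

// signedMessage is what the device signs: challenge || origin. Binding the
// origin is what makes the scheme phishing-resistant: a signature produced for
// a look-alike site does not verify for the real one.
func signedMessage(challenge []byte, origin string) []byte {
	return append(append([]byte{}, challenge...), []byte(origin)...)
}

// Authenticator is the user's device; the private key never leaves it.
type Authenticator struct{ priv ed25519.PrivateKey }

// Sign signs the challenge for the origin the device believes it is talking to.
func (a *Authenticator) Sign(challenge []byte, origin string) []byte {
	return ed25519.Sign(a.priv, signedMessage(challenge, origin))
}

// Verify consumes the challenge (single use), checks expiry, and verifies the
// signature under the user's registered key for the server's own origin.
func (s *Server) Verify(user string, challenge, sig []byte) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	key := hex.EncodeToString(challenge)
	exp, ok := s.challenges[key]
	if !ok {
		return errors.New("unknown or already used challenge")
	}
	delete(s.challenges, key) // consumed whether or not the rest succeeds
	if s.now().After(exp) {
		return errors.New("challenge expired")
	}
	pub, ok := s.keys[user]
	if !ok {
		return errors.New("unknown user")
	}
	if !ed25519.Verify(pub, signedMessage(challenge, s.Origin), sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := NewServer("https://login.example.com") // hypothetical origin
	srv.Register("alice", pub)
	dev := &Authenticator{priv: priv}

	c, _ := srv.Challenge()
	fmt.Println("genuine login:", srv.Verify("alice", c, dev.Sign(c, srv.Origin)))
	fmt.Println("replayed:     ", srv.Verify("alice", c, dev.Sign(c, srv.Origin)))
	c, _ = srv.Challenge()
	fmt.Println("phished site: ", srv.Verify("alice", c, dev.Sign(c, "https://login.examp1e.com")))
}
```

The genuine login verifies; replaying the same challenge fails because it was consumed; and a signature the device produced for the look-alike origin fails on the real server even though the key is correct, which is the property a password can never offer. Real deployments (FIDO2/WebAuthn) add a signature counter and attestation on top of this shape, and the browser, not the user, supplies the origin.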

Solutions like SecureDoc that simplify the use and deployment of passwordless authentication will encourage businesses to finally move to environments free of passwords.

SecureDoc comes from WinMagic, a company that also provides endpoint encryption; full disk encryption; Windows, macOS, and Linux encryption; and other encryption-related solutions.