Passwords are a nightmare! Username and password combinations have been the dominant form of authentication since the inception of the internet, but they have many issues, both technically and procedurally. According to the 2021 Verizon data breach investigations report, password-based attacks were responsible for over 80% of data breaches in 2020. Users have to remember dozens of passwords; which often leads users to create less secure passwords, jot them down in insecure locations (like sticky notes) or reuse the same password across multiple accounts. In many cases they can be cracked quite easily, and sometimes if a malicious attacker can obtain a password hash (a password’s cryptographic representation) they may not even need to crack it to gain unauthorized access to a user’s account. Perhaps worst of all, the security community has spent the better part of the last couple of decades giving users bad advice – as it turns out, substituting letters for special characters, numbers, and mixed cases has only resulted in passwords that are difficult for users to keep track of and still not secure against modern attacks. Aside from the obvious security issues, this also demands a lot of overhead with support teams having to do constant password resets and account unlocks. Gartner found that between 20%-50% of all helpdesk calls are for password resets. In reality, the internet and computing in general were not built with security in mind.
The security community has spent years trying to rectify mistakes of their own as well as those of computer scientists and engineers from days of old. We’ve made a lot of great strides in that time, but there are many hurdles to jump through still. Re-educating users to create more secure passwords is a logical choice. We now know that length is the most important factor for security in a password and are shifting more towards the term “passphrase” rather than “password.” A short 4-word phrase with spaces that means something to the user, but may otherwise sound nonsensical, is both easy for a user to remember and extremely difficult to be guessed by a computer as demonstrated by this popular XKCD comic.
While this is a seemingly good solution, as the saying goes, “old habits die hard.” Undoing the damage we’ve done via poor education is challenging at best, and technical enforcement of a password policy that supports this is somewhere between extremely difficult and impossible.
Password managers such as LastPass help somewhat in this regard. With a password manager, a user only needs to know one password to access their password manager’s “vault” which then generates secure passwords, stores them, and auto-fills them across websites. The problem here is somewhat the same as the latter – it’s a habit change. Encouraging users to use a password manager is somewhat easier since it provides some convenience to them as well, but it is still a small learning curve and some people just don’t like change. Even if users do adopt a password manager, there is little to stop them from storing the same insecure passwords within it.
Another significant improvement has been the increased use of single sign-on (SSO.) Like a password manager SSO allows the user to only have to remember a single password, but rather than auto-filling, an SSO service serves as the identity provider (IDP) and authenticates to the application without using an individual password for each specific application.
Perhaps the most significant improvement that we’ve made is the increased enforcement of multifactor authentication (MFA.) That is taking adding an additional authentication factor on top of the first factor, typically being a password. Common factors include something you know (passwords, security questions, etc.), something you have (an authenticator app on your phone, a hardware token, SMS-based code, etc.), and something you are (biometrics.) The benefit here is that even if a user’s password is compromised they can not use it without access to the second factor. MFA should always be enforced in conjunction with secure passwords, password managers, and SSO. Still, even with MFA enabled an attacker can often deduce whether they have obtained or guessed the correct password. Since many tend to reuse passwords between multiple accounts, an attacker could use this information to gain access to another service where MFA isn’t enabled or supported.
The information security community has brought password security a long way, but despite our best efforts we have failed to stop poor password practices and passwords are still, by a large margin, the number one vector exploited by attackers. So the next logical step? We stop using them. Yes, you read that correctly. One of the most modern approaches to this problem is the passwordless authentication model.
You may be wondering how this works. In the traditional model of MFA discussed above, passwords are typically the first authentication factor, but they don’t have to be. In a passwordless model we opt for a different factor – the device you are logging in from. A passwordless authentication service cryptographically ties a user and their trusted device together. When the user goes to login from their device, they will no longer be prompted for a password. Instead the user is redirected to an agent installed on the device; which automatically checks that the user and device match up with who they say they are, and then signs them into the app.
So does this mean all of our prior efforts go to waste? Not at all; in fact, for this model to actually be more secure, it needs to be paired with additional security measures. MFA is especially important. In addition to being on a trusted device, a user must be able to authenticate themselves another way, ideally with something convenient such as a fingerprint or a push notification on their phone. Passwordless authentication also works best in conjunction with SSO either by being built into the SSO solution, as is the case with Okta device trust, or with an additional 3rd party IDP such as Beyond Identity.
This offers us a lot of additional security benefits. Most importantly the issue mentioned above, that passwords are the number one attack vector, goes away. With no passwords, we can significantly reduce our attack surface and in doing so, when implemented properly apps and services can be accessed only by that user on their known and trusted devices. This also gives us the ability to run checks to make sure devices are secured, by measures such as antivirus and encryption, before allowing them to be trusted to authenticate a user at all.
Is all of this practical? It is — in fact, we’re doing it here at Ginkgo today! While we haven’t shifted entirely to passwordless, our employees can opt-in to this model at any time. Users who have gone passwordless are happy with the added convenience, security is happy with the reduced attack surface, and our help desk is happy to have fewer password resets and account unlocks to do. Passwordless authentication is still quite new. “Passwordless” doesn’t exactly equate to “password-free”, the device you trust for example will still need to be authenticated in some way, for most desktop operating systems that means a password. For the most part, passwordless authentication only extends to enterprise applications as consumer products generally don’t let you change your authentication method. This is where password managers still come in handy. But, overall the reduction in the use of passwords significantly mitigates many of the most common cyber attacks.