Less is More

Passwordless authentication goes mainstream as organizations seek relief from chronic password problems.

Passwords have long represented the first line of defense against unauthorized access to networks, online accounts and sensitive data. But here’s the industry’s not-so-secret secret: passwords on their own no longer hold up, and they haven’t for quite some time. Year after year, breach studies rank weak, stolen or reused credentials among the leading causes of data breaches, with some estimates attributing 80 percent or more of breaches worldwide to them.

Most IT security pros agree that it’s high time to reduce reliance on passwords. In fact, many of the industry’s leading platform and device manufacturers — including Apple, Google and Microsoft — are adopting possession-based passwordless authentication solutions that can substantially reduce the risk of breaches, phishing attacks, account takeovers and more.

“Time and time again we see data breaches, ransomware and other attacks that leverage vulnerabilities associated with passwords,” said Andrew Shikiar, Executive Director of the Fast Identity Online (FIDO) Alliance. “The industry at large must shift towards possession-based factors such as biometrics and security keys that are not susceptible to remote attacks such as phishing, credential stuffing and various forms of social engineering that frankly are difficult if not impossible for the average user to detect.”

The Passkey Approach
The FIDO Alliance is a consortium of leading tech companies, government agencies, service providers, financial institutions, payment processors and organizations from other industries. It was launched in 2013 with the goal of reducing the world’s reliance on passwords, and it is helping to push a passwordless authentication technology known as passkeys into mainstream usage.

Passkeys are FIDO2/WebAuthn credentials built on standard public key cryptography. Because the credential can be discoverable, a user can sign in to a web service or application without typing a username, a password or a one-time code; the only interaction is the local check the device already performs to unlock, such as a fingerprint, face scan or device PIN. In effect, the user’s phone, laptop or hardware security key acts as the authenticator that proves possession.

During registration with an online service, the user’s device generates a key pair bound to that service’s domain (its relying party ID). The private key never leaves the device, and the service stores only the public key. At login, the service sends a random, single-use challenge; the device asks the user to unlock it (fingerprint, face or PIN), signs the challenge with the private key and returns the signature, which the service verifies against the stored public key. Because the browser will only release a credential to the domain it was created for, a look-alike phishing site cannot obtain a usable signature.

Password Concerns Mount
A new survey of developers and security professionals conducted by Enterprise Strategy Group and sponsored by security vendor Axiad reveals growing concern about password problems. About 60 percent of the developers and IT security pros reported that compromised credentials led to successful cyberattacks against their organizations during the previous year. As a result, more than 80 percent said they have made passwordless authentication a top priority, with plans to implement the technology within the next 24 months.

“The results of this survey make it crystal clear that the value of passwordless authentication is gaining traction in the marketplace as more and more organizations are being breached and realizing that password-based credentials just don’t cut it anymore,” said Yves Audebert, co-CEO of Axiad.

Passkeys are just one approach to passwordless authentication. Most approaches rely on something the user has (a hardware token or an enrolled device) or something the user is (a biometric) to establish proof of identity, and the FIDO-based ones use the same underlying approach as digital certificates: a cryptographic key pair in which the private key proves possession and the public key lets the service verify it.

Relieving User Burden
The chief benefit of passwordless authentication is that it removes the user from the job of creating, remembering and protecting a secret; the device handles the cryptographic part of the authentication. Users just sign in with the same action they take many times a day to unlock their devices, such as a fingerprint or face check or typing a device PIN. That biometric or PIN never leaves the device and is never sent to the service; it only unlocks the private key stored locally.

For years, users have had to shoulder much of the responsibility for better password hygiene. Best-practice guidelines have largely focused on what users must do to improve security — create stronger passwords with a mix of numbers, characters and symbols, use unique passwords for every account, change them frequently, and never reuse them, share them or write them down.

However, those recommendations are increasingly unrealistic given the sheer number of passwords required today for a growing array of network and online assets. Business users commonly have 100 or more online accounts requiring passwords. Most reuse passwords across dozens of accounts to reduce the number they have to remember, which creates additional risk. If an attacker obtains credentials for one site or service, they can try them against other sites (credential stuffing) and may gain access to your corporate network, email, banking site or other high-value targets.

Passkeys, on the other hand, remove the most common attack paths. There is no shared secret to phish, guess or stuff, and the credential is bound to the legitimate site’s domain. Even if attackers breach a site’s authentication database, they obtain only public keys; without the matching private keys, which never leave users’ devices, they cannot produce a valid signature and so cannot authenticate as any user. The remaining risk shifts to the devices themselves and to the account-recovery path, which is where a passkey deployment should focus its hardening.

“I’ve said it before, and I’ll say it again: 2023 will be the year for passwordless authentication,” ESG Senior Analyst Jack Poller wrote in a recent blog post. “Passwords are a huge problem. Easy-to-remember passwords are weak and strong passwords are hard to remember, which leads to password reuse and the threat of compromise through an overabundance of attacks.”
