
Making the Leap: Passwordless Authentication’s Risks and Benefits

Posted by Marbenz Antonio on September 27, 2022


The password is not disappearing. However, passwordless authentication is gaining popularity. In terms of how businesses choose to log in, it seems to be winning the war. Whether the security sector likes it or not, it will have to deal with both in the future.

But for certain companies and organizations, going password-free is the obvious course of action. For instance, Microsoft has removed the requirement for passwords to access accounts, granting users access to a variety of professional and personal apps and services.

It’s not just Microsoft. At the 2022 Worldwide Developers Conference, Apple stated that the upcoming releases of iOS 16 and macOS Ventura will support passwordless logins. Instead of using passwords, users will have the option to log in to websites and apps with “Passkeys.” The company says Passkeys generate new digital keys that use Apple’s Touch ID or Face ID.

Why is Passwordless Authentication Becoming More Popular?

The main reason for the move is essentially that there are too many passwords for us to remember. Users were in charge of around 100 passwords, according to 2020 Tech.co research. Anything that makes things simpler is appreciated when there are so many things to remember. However, security is sometimes sacrificed in favor of simplicity.

An alarming statistic: approximately 30% of respondents to a Specops Software poll use only one password for all of their accounts. You read that right: the same password everywhere. The majority also acknowledged using variations of the same password across all of their accounts.

The point is: Do you feel any safer merely because your company has discarded passwords?

Short answer: not really. There are major big-picture concerns about passwordless authentication.

The Risks

Question: What are the risks of passwordless authentication? 

Grimes: Many password-free choices use single-factor authentication or 1FA. People mistakenly believe they are employing multi-factor authentication (MFA) only because they see “passwordless.” In general, multi-factor is always preferable to single-factor. Two different forms of authentication are the core concept underpinning MFA.

The prospect of many passwordless systems being readily phished is significantly more worrisome. They can send you an email or a website link, fooling you into visiting a man-in-the-middle website. It deceives you into thinking you’re heading to the desired location and into wanting to use this passwordless authentication. But in reality, you were duped into clicking on the soundalike or similar-looking link that led you to another page.

You then choose the password-free option. But in reality, it’s allowing the man-in-the-middle website’s attacker to hijack your session. They can capture anything. The website will send you back an access control token, which is the text-based cookie, once you successfully log in using a passwordless authentication token.

After you have successfully authenticated, if they manage to capture that, they can place the cookie in their browser and take control of your session.

Remember that many passwordless alternatives, including FIDO, guard against man-in-the-middle attacks of this nature. However, any MFA can be compromised. Most of them—perhaps 90–95 percent of them—are vulnerable to this man-in-the-middle attack, and many passwordless options are too.

You’ve gone through a great deal of pain to switch from a password to a passwordless system, but the attacker is still recording it and getting around it just like a password. When MFA or passwordless technology is used, a lot of time, effort, money, and irritation is expended for little to no perceived advantage.
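The FIDO property mentioned above (resistance to the relay-style man-in-the-middle), shown as an added example that is not from the article or from any FIDO implementation: a simplified model of WebAuthn assertion verification in which the browser-supplied origin is signed by the authenticator and checked by the genuine site, so a login relayed through a look-alike site fails even though the real challenge was forwarded. The origins, the HMAC standing in for the authenticator’s public-key signature, and all names are constructed for illustration.

```python
import hashlib, hmac, json, secrets
RP_ORIGIN = "https://accounts.example.com"   # constructed: the genuine site
RP_ID = "accounts.example.com"

class Authenticator:
    # Stand-in for a FIDO security key holding one credential.
    def __init__(self):
        self.key = secrets.token_bytes(32)   # stands in for the credential's private key
        self.counter = 0

    def get_assertion(self, challenge: bytes, browser_origin: str) -> dict:
        # The browser records the origin it is actually connected to; a user lured
        # to a look-alike site cannot make it say anything else.
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                                  "origin": browser_origin}, sort_keys=True).encode()
        self.counter += 1
        auth_data = hashlib.sha256(RP_ID.encode()).digest() + self.counter.to_bytes(4, "big")
        signed = auth_data + hashlib.sha256(client_data).digest()
        return {"clientDataJSON": client_data, "authenticatorData": auth_data,
                "signature": hmac.new(self.key, signed, hashlib.sha256).digest()}

class RelyingParty:
    # The genuine site, checking an assertion against the credential it enrolled.
    def __init__(self, registered_key: bytes):
        self.key = registered_key            # recorded at enrollment
        self.last_counter = 0

    def verify(self, challenge: bytes, a: dict) -> tuple[bool, str]:
        cd = json.loads(a["clientDataJSON"])
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
            return False, "wrong ceremony type or challenge"
        if cd.get("origin") != RP_ORIGIN:    # the check that defeats relay phishing
            return False, f"origin mismatch: {cd.get('origin')}"
        ad = a["authenticatorData"]
        if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
            return False, "rpIdHash mismatch"
        counter = int.from_bytes(ad[32:36], "big")
        if counter <= self.last_counter:     # replayed assertion or cloned key
            return False, "counter did not increase"
        signed = ad + hashlib.sha256(a["clientDataJSON"]).digest()
        if not hmac.compare_digest(hmac.new(self.key, signed, hashlib.sha256).digest(), a["signature"]):
            return False, "bad signature"
        self.last_counter = counter
        return True, "ok"

def demo() -> tuple[tuple, tuple]:
    authn, ch1, ch2 = Authenticator(), secrets.token_bytes(32), secrets.token_bytes(32)
    rp = RelyingParty(authn.key)             # credential registered at enrollment
    honest = rp.verify(ch1, authn.get_assertion(ch1, RP_ORIGIN))
    # Relay phishing: the proxy forwards the real challenge ch2, but the browser sits on the (constructed) look-alike origin.
    phished = rp.verify(ch2, authn.get_assertion(ch2, "https://accounts-example.com"))
    return honest, phished
```

Contrast this with a one-time code or push approval, which carries no origin and so verifies just as well when relayed; that is the gap the interview describes.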

Does going passwordless make you safer? 

Not if you’re utilizing a system that is easily exploited by phishing. You must not apply it.

The main goal of switching people away from passwords is to virtually close the door to phishing. And what have we achieved if I can use your passwordless solution to phish you?

How to Select a Passwordless Authentication Option

How should organizations choose a passwordless option? 

Try to select an MFA option that is resistant to phishing when you go to make your selection. If you’re left with a choice that can be readily compromised, try to persuade the vendor to add security measures that will make it less vulnerable. The correct feature must then occasionally be implemented.

We believe that general knowledge on the part of all stakeholders is essential:

  • People that are selecting MFA
  • People that are evaluating MFA
  • The implementers
  • The operational staff
  • The buying staff
  • C-level staff
  • Users

They need to be educated about the common threats against their solution type and how to defend against them, as well as the strengths and weaknesses of their solution. The absolute minimum is that. It concerns education.

Another point is to realize that FIDO implementation is difficult. But why not do that if you’re going to switch to MFA or passwordless? Why switch from passwords to passwordless when safety is only slightly improved? Why would you do it when you might expend the same effort to go somewhere that is phishing resistant and receive much greater protection?

Other Options for Password Management

What about password manager apps? 

Everyone should use one, in my opinion. The largest password risk is that the average user shares four to seven passwords across all websites. A few of those websites are compromised each year, and the compromised credentials are then utilized against the websites.

Wherever possible, we always advise implementing phishing-resistant MFA. If you can’t, create your username and password using a password manager.

We have acquaintances who, without much computational power, guess and crack 18-character passwords today, every day.

In order to match the maximum length required by the website or service you’re using, a password manager will generate a complex and completely random password. It is impenetrable and uncrackable to all known modern foes.

The password manager poses a serious risk because it is a single point of failure, which is quite dangerous. However, if an attacker has compromised your desktop, which is typically required to compromise your password manager, it’s already too late because they can simply key-log you at that point. Thus, it’s a worry. Another issue would arise if ransomware started to target password managers, but this hasn’t happened yet.

For the ordinary user, the advantages of utilizing a password manager much exceed the risks.

Apple Sets a Unique Precedent

With the Apple announcement, is the password finally dead? 

The proof is in the pudding about new authentication methods. They fully endorse moving past passwords and toward something better.

However, in reality, biometrics aren’t nearly as secure as they claim to be. Your face and fingerprint may be one of a million on Earth, but how those biometric qualities are recorded and used is a lot less distinctive.

People regularly email us after their little child walked past their phone or laptop and was accidentally logged in as them, and to humans, these two people don’t look alike.

As we implement biometric solutions, we’re continually astounded by how many [chief information security officers] and others who aren’t familiar with the benefits and drawbacks of these systems believe they are the perfect authentication method. Fewer people who are well-versed in biometrics value them, and the opposite is also true.

Another significant issue with all non-password solutions is that none of them are compatible with even 2% of the websites and services in use today. It’s a significant chicken-and-egg issue. The promise of MFA or passwordless solutions is that we can supposedly have a passwordless solution to replace the absurdly high number of passwords we currently have to generate and use. But the truth is that, in addition to a huge number of passwords, we all now use an increasing number of MFA and passwordless solutions. Even worse than before.
