Passwords as a form of modern security are flawed, but what will a password-less future look like and are organizations ready? Kate O’Flaherty investigates...
Passwords are reaching the end of their shelf life. That’s according to numerous tech companies including Microsoft and Google, and the organization committed to reducing reliance on passwords, the Fast IDentity Online (FIDO) Alliance.
Passwords as a form of security are flawed: they are stolen, exposed in breaches, people forget them, use them insecurely and repeat them across services. Solutions such as password managers can help, but is it possible to move away from using passwords altogether, and are organizations ready for this?
Many experts believe that the future is password-less, and a large number of companies are already embracing this idea. In fact, according to Microsoft, 150 million people are using password-less logins each month.
What’s more, the move to password-less authentication could become widespread by as soon as 2022. By then, Gartner predicts that 60% of large and global enterprises and 90% of midsize firms will implement password-less methods in more than 50% of use cases – up from 5% in 2018.
However, the reality isn’t so simple. Many experts believe passwords will exist for a long time yet, at least in the form of PIN codes as part of Multi-Factor Authentication (MFA), which combines something you are, something you have and something you know to verify your identity.
In addition, many firms simply aren’t ready for a password-less future. Legacy infrastructure poses a huge challenge, and cultural and educational barriers need to be overcome.
The Password Problem
At a time when breaches continue to grow, there is no doubt passwords are causing problems for companies and users. The vast majority of data breaches are caused by passwords being hacked, stolen or otherwise manipulated, says Andrew Shikiar, executive director and CMO at the FIDO Alliance.
Shikiar argues that the whole approach to using passwords for authentication is “inherently flawed,” because the model is dependent on storing and matching ‘secrets’ on a server – which he says lends itself to “self-perpetuating problems.”
“Anything on a server can and will eventually be stolen, which is why login credentials inevitably make it to the dark web where they are purchased by hackers who use them to try and access various accounts.”
Although MFA helps, Shikiar points out that more sophisticated attacks can also manipulate SMS one-time passcodes or authenticator apps through man-in-the-middle or relay attacks. “The safest method is to authenticate users locally to a device in their direct possession which they use every day,” Shikiar says.
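To make concrete why the server-side secrets Shikiar describes and the relayed one-time codes he warns about are both avoided by authenticating locally to a device, here is an added illustration (not code from the article, the FIDO Alliance or any vendor) of the public-key, origin-bound challenge-response model FIDO uses. The relying party stores only public keys, and the device signs the server’s challenge together with the origin the client actually connected to, so an assertion relayed through a different origin fails verification; the key pair, origins and user names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
)

// ClientData is what the device signs: the server's one-time challenge plus
// the origin the browser actually connected to (FIDO/WebAuthn-style binding).
type ClientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}
// Authenticator models the user's device; the private key never leaves it.
type Authenticator struct{ priv ed25519.PrivateKey }

func NewAuthenticator() (*Authenticator, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Authenticator{priv: priv}, pub
}
// Sign binds the assertion to the origin the client observed, so a challenge
// relayed through another site is signed with that site's origin, not the server's.
func (a *Authenticator) Sign(challenge []byte, observedOrigin string) (clientData, sig []byte) {
	clientData, _ = json.Marshal(ClientData{Challenge: challenge, Origin: observedOrigin})
	return clientData, ed25519.Sign(a.priv, clientData)
}

// RelyingParty stores only public keys, so a server breach yields nothing reusable.
type RelyingParty struct {
	Origin string
	Keys   map[string]ed25519.PublicKey
}
func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, Keys: map[string]ed25519.PublicKey{}}
}
func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) { rp.Keys[user] = pub }
// NewChallenge returns a fresh nonce the server keeps for one login attempt.
func NewChallenge() []byte { c := make([]byte, 32); rand.Read(c); return c }

// Verify checks user, origin and challenge before checking the signature.
func (rp *RelyingParty) Verify(user string, challenge, clientData, sig []byte) bool {
	var cd ClientData
	pub, ok := rp.Keys[user]
	if !ok || json.Unmarshal(clientData, &cd) != nil ||
		cd.Origin != rp.Origin || string(cd.Challenge) != string(challenge) {
		return false // unknown user, wrong origin (relay) or stale challenge (replay)
	}
	return ed25519.Verify(pub, clientData, sig)
}
```

Because the server holds no shared secret, a database breach exposes nothing that can be replayed, and because the origin is inside the signed data, a code or assertion captured through a look-alike site does not verify at the real one.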
The FIDO Alliance encourages reducing reliance on passwords with the use of biometrics such as facial recognition and security keys, something many firms are already doing as part of MFA policies.
Indeed, big consumer tech brands are picking up on both forms of authentication, with users of Apple’s iOS operating system able to authenticate their accounts using FIDO-compliant keys such as Yubico’s YubiKey.
These have many advantages and can be used in conjunction with facial recognition, for example, but the main hurdle with security keys is usability – as a physical piece of hardware, they can be stolen or lost.
As for biometrics, these have been easily thwarted in the past – for example, fingerprint recognition was fooled by a gummy bear – but the accuracy and usability of Apple’s Face ID and Touch ID have now led to more widespread use.
In general, the technology is more robust and less prone to errors, making biometrics a viable form of authentication for businesses, too. Alex Schlager, executive director and chief product officer of security services at Verizon Business, explains how biometrics are becoming more advanced. “As well as biometric capabilities including Face ID and Touch ID, body vibrations can now be used to recognize you.”
Gemma Moore, director at Cyberis, says biometrics are “very popular” for authentication under password-less schemes. “These have the advantage that a user does not need to manage separate devices to gain access to the resources they need, they only need themselves.”
However, biometrics are still not perfect. The main challenge is what to do when they are breached. “The problem with biometrics is that they are often used as a replacement for passwords,” says David Emm, principal security researcher at Kaspersky.
“If there is a breach, I can’t change it. If my password is my fingerprint, I am exposed for life.”
However, Emm concedes this is down to how organizations store the data. “When using Apple’s Touch ID, nothing is being transmitted off your device, so if your phone is secure, no one can get access to it.”
However, in cases where this does not happen, says Ken Munro, partner at Pen Test Partners, revocation is a big issue in the event of a breach. “If you have to revoke the fingerprint, how do you get another one?” he asks.
Biometrics are better than they used to be, with fewer false positives and negatives, but relying purely on them “is a problem,” warns James Bore, director at Bores Security Consultancy.
Bore says that although Face ID to unlock phones is fairly reliable because “people keep their smartphone on them,” laptops are different. “In some cases, you can bypass facial recognition by simply holding a photo up or using a 3D printer.”
A Password-Less Future in Action
However, despite the barriers, many organizations are operating in a password-less environment. Shikiar cites the example of NTT DOCOMO – which offers password-less authentication to its users – and Yahoo Japan, which he says “has already fully embraced going password-less.”
In the case of both companies, he says, there is no password associated with user accounts. Meanwhile, he adds, eBay.com is now using FIDO authentication to enable login via on-device biometrics instead of entering a password.
The approach makes sense. Password-less authentication is generally “orders of magnitude better than using passwords,” says Moore. “Compromising a resource using exclusively password-less mechanisms is much more complicated because the adversary typically needs to compromise a physical device in the control of the target user.”
Nonetheless, Moore concedes there are still problems with most implementations, and says it is important to recognize these. “Some implementations require users to remember a PIN which is entered into a device to provide access; this PIN is still something that the user needs to know in order to authenticate.”
Although this might not be directly submitted to the target resource anymore, it still creates a situation where the user needs to remember a “password,” says Moore. So people tend to use predictable values and there is the potential for users to forget them.
With issues such as these in mind, universal adoption of the password-less approach could take a long time, says Rick Holland, CISO at Digital Shadows. In addition, he explains that “large global enterprises will have hundreds, if not thousands, of internal and external web applications. Many of the internal applications will be ‘legacy,’ requiring unique consideration that complicates development efforts. Others will be third-party applications and the migration of these to password-less is often beyond the customer’s control.”
To prepare for a password-less future, defenders must have an up-to-date application inventory including legacy applications that haven’t implemented password-less authentication, says Holland.
There are also some regulatory drivers that could help the move. Regulation such as the PSD2 Strong Customer Authentication and the latest NIST Digital Identity Guidelines include requirements that can be addressed through modern approaches to user authentication.
Going Password-Less: Are Organizations Ready?
Even so, due to legacy systems that rely on passwords, even FIDO’s Shikiar doesn’t think a 100% password-less world is possible anytime soon. “I do [however] think that the vast majority of leading consumer internet services will offer password-less logins within the next five years,” he adds.
“The enterprise will move rapidly toward password-less in the same timeframe too, as Microsoft platforms including Windows Hello support FIDO, as do server and infrastructure products from other leading enterprise vendors.”
According to Schlager, passwords could disappear within three to four years. However, he concedes there are issues that must be overcome first. “On the one hand, it requires significant IT system transformation; on the other, I think we need more time for the tech itself. Then we have quantum computing, which will change the way we authenticate.”
Looking further into the future, are organizations ever going to be ready to go completely password-less? This will vary, Shikiar says. “Some firms that are reliant upon legacy systems will find it difficult to completely remove passwords, whilst others will find it far more straightforward.”
Even for organizations in the former category, he says, it is absolutely possible to take passwords out of the hands of most employees. These can be replaced with security keys, on-device biometrics or by using mobile devices as local authenticators. “Privileged access management platforms can help control this and limit passwords to being used as a very last resort by highly skilled workers,” Shikiar advises.
For now, replacing or supplementing passwords with a strong second factor, such as a security key, moves things in the right direction, says Shikiar.
Schlager agrees there has to be reliance on a second factor – even if this is a passcode on top of biometrics. “Businesses need to get the basics right first. A lot of companies are still behind on managing their assets. Many firms don’t have enough visibility over their assets: you first need to know where they are and only then can you protect them.”
A password-less future is possible, but it’s clear many organizations simply aren’t ready for this – at least yet. For now, the best thing any company can do is take advantage of robust, preferably multi-factor, authentication using biometrics and security keys.
“It is entirely possible we will get away from passwords,” concludes Bore, but at the moment, “it comes down to risk assessment and management. Looking at the threats to your business and how authentication addresses these, and then judging how strong authentication needs to be.”