Both enterprises and consumer-facing organizations should look to move away from passwords in favor of more secure, and convenient, forms of authentication.
This was the view of experts on authentication, speaking at Infosecurity Europe 2024.
The sheer number of passwords the average business user, or consumer, now needs to remember causes practical difficulties as well as security risks. There is always the danger that someone will “write a password on a napkin,” or store them in a document online.
“Authentication is one of the few controls that are highly dependent on the user,” said Raul Zeppenfeldt, principal consultant at PA Consulting. “It is a fundamental flaw you cannot control.”
Then there is the risk that even strong passwords can be compromised; a risk that will only increase with newer technologies such as quantum computing.
“Noone can remember 40 passwords for the 40 applications they use,” said Parul Khedwal, security operations lead at Trainline. “It’s not just about convenience, but about security.”
Moving to multi-factor authentication (MFA) will improve matters, but Khedwal suggested that passwordless authentication is the best way to improve security. This is one reason it is being adopted in sensitive areas, such as banking apps.
“It’s what’s most important. Banking app data, enterprise data are the key use cases for going passwordless,” she said. “Most banking apps have done away with passwords.” Instead, they are using biometrics or passwordless authentication.
Digital Consumption
The need to improve authentication is being made even more urgent by the increased use of digital systems.
This means setting and remembering more passwords. It also means more threats: criminal hackers target authentication, and especially weak passwords, as a way to access sensitive data or to gain access to enterprise systems.
According to Zeppenfeldt, as many as 90% of breaches can be traced back to password compromises. Doing away with passwords both reduces risks and cuts overheads from services such as password resets.
Zeppenfeldt sees increasing interest in zero trust, as well as passwordless authentication.
“The zero-trust principle assumes that passwords will be guessed,” he said.
Instead, architectures such as zero trust work with behavioral patterns, such as a user accessing systems from an unusual time of day or outside their normal working hours. “It’s moving from static to adaptive security,” Zeppenfeldt explained.
At Trainline, Khedwal agrees that a new approach is needed. Even MFA is vulnerable to advanced attacks, stealing and then rerunning tokens or one-time passwords. “You need a second layer to make it more secure as a whole,” she said.
Preventing User Fatigue
Moving away from passwords, and even MFA, can also help deal with user fatigue. Even advanced authentication methods can become “muscle memory,” warned Zeppenfeldt.
Passwordless systems, even if they stop short of a full zero-trust environment, improve convenience as well as security. CISOs should look at approaches such as the FIDO model or web 3.0 technologies as a basis for future authentication systems.
This, Zeppenfeldt added, should guard against emerging threats too, including AI and potentially, quantum computing systems that could, in a few years’ time, risk breaking common encryption and authentication methods.