Do We Still Need Passwords in 2022?
May 5th was World Password Day and there were a lot of posts and articles going around about password weaknesses, how to choose better passwords and how to store your passwords securely. Then I saw a post in my feed that went along the lines of “Happy World Password Day. What are we celebrating?”. I couldn’t agree more with this sentiment, and it was actually a perfect segue into an article I was already writing about removing passwords altogether and leveraging more secure solutions, generally grouped under the title of “passwordless authentication”.
Why Passwordless Authentication?
It’s 2022 and we are still using passwords, something we have used for authentication since the birth of computers. We know they are a massive weakness in our security controls, but we still use them. They are prone to brute-force attacks, guessing attacks, interception and theft, and re-use when discovered in data breaches. We know there are better authentication methods out there (we use them all the time for multi-factor authentication) and we now have the advancements in technology to use them for standard logins. Look at your current phone. If you have an iPhone from the last few years you don’t authenticate with a PIN code anymore; you use facial recognition via Apple’s Face ID. On an older iPhone, you use biometrics to read your fingerprint with the iPhone’s home button. If you use an Android or other phone, you’ll be using similar technology.
Passwordless authentication isn’t about throwing away authentication completely because it’s too hard, it's about replacing passwords, a very weak and outdated authentication method, with a stronger, harder to defeat authentication method.
Types of Passwordless Authentication
Passwordless authentication can take many forms. It is about moving away from the “something you know” principle, and moving towards leveraging “something you have” or “something you are”.
Something you know is a piece of knowledge (such as a password), and knowledge can be learnt or stolen by someone else, which makes it prone to compromise.
Something you have is more secure as it is some type of object (like a token or smartphone) that would need to be physically stolen by a threat actor. Physical theft is less likely than digital theft, as that person needs to be physically at your location to steal the device, while digital theft can happen from anywhere in the world. This severely limits the number of potential threat actors.
Something you are is generally the most secure as it is part of you and can’t be stolen. Yes, I’m generalising here, as I don’t want to get into discussions around someone removing your finger or current research into inverting face templates to obtain original face images (there’s a great research article about this here if you are interested). Let’s just say it’s not very feasible for your average threat actor and the likelihood is much lower, making the risk much lower.
The most common forms of passwordless authentication are:
Biometrics - such as fingerprint, facial recognition or retinal scan
Behavioural Traits - leverages typing and touch screen dynamics
Tokens - FIDO and YubiKeys, RSA SecurID tokens and similar
Codes - One-Time Passwords (OTP) generated by authenticator apps like Google Authenticator, or OTPs sent via SMS
Magic Links - A link is generally sent via email when the user requests to sign in; clicking that link authenticates the user
It was very appropriate timing on May 5th that Apple, Google and Microsoft announced better support for FIDO passwordless authentication. This will mean much easier and hassle-free passwordless authentication across websites and apps.
MFA vs Passwordless Authentication
The term multi-factor authentication (MFA) is often used interchangeably with passwordless authentication, but this is not necessarily correct. MFA can be passwordless, but by default it usually isn’t. MFA, as its name implies, uses multiple forms of authentication beyond the single traditional form that only uses a password. Username and password is single-factor authentication. Even this concept is often misunderstood. Over the years I’ve had many “discussions” with people who believed two-factor authentication (2FA) leveraged username and password because it has two components. The username identifies the user you are authenticating as, and the password proves that you are that user and allows authentication. So it is using a single factor (password) for authentication. 2FA requires exactly two forms of authentication, traditionally a password (something you know) and some sort of token (something you have). The term MFA is used more commonly nowadays and requires at least two forms of authentication but may leverage more than two. So 2FA is a subset of MFA.
For MFA to be passwordless authentication, the use of a password as one of the authentication methods must be removed. So, for example, instead of using a password and a one-time password (OTP) authenticator app like Google Authenticator, you would use a biometric (like a fingerprint or Face ID) along with your OTP authenticator app. With these two factors you no longer require a password, and you have passwordless authentication.
Is Passwordless Authentication 100% Secure?
No authentication method is 100% secure and I doubt it ever will be. No matter what technology or control comes out, there is always a bypass. It’s the nature of technology and criminals will always find a way.
The 2020 Verizon Data Breach Investigations Report found that 81% of successful attacks are password related, which shouldn’t really be a surprise. Every year our security controls get better and better, so why wouldn’t an attacker target the weakest link in the chain? Fernando Corbató first presented the idea of passwords at MIT in 1960, so we are still using a simple control from over 60 years ago, a control designed in a very different time with very limited attack vectors, and before digital crime existed. We have far better options now with biometrics, tokens and OTPs.
Yes, there are attacks against biometrics, tokens can be stolen, and users can be socially engineered out of their OTPs, but the effort required is greater, the skillset required is greater, and a successful outcome is less likely, which reduces the overall risk. When you take away brute-force attacks, guessing of simple passwords, attacks against password reset facilities that leverage open-source intelligence (OSINT) gathered by a threat actor, and passwords obtained from data breaches, the potential attack surface has been reduced considerably. If passwords were no longer in play, that 81% of attacks would have to leverage other attack vectors, vectors that are far harder to exploit.