(October 18, 2021) Passwords have long been the weakest link in the cybersecurity chain. According to the Verizon 2021 Data Breach Investigation Report, hackers used stolen credentials or brute-force techniques in 89 percent of web application breaches. Hackers don’t break in; they log in, using stolen passwords or automated tools that guess them. Eliminating passwords can boost cybersecurity.
Although it might seem counterintuitive, passwordless authentication solutions provide greater protection against cyberattacks while streamlining the login process and simplifying operations for IT teams.
Why Passwords Are a Problem
In many cases, passwords are the sole defense against unauthorized access to applications and data. They are meant to prove that the person logging in is the rightful owner of the account, but users do not always choose strong passwords or take adequate care in protecting them. According to Alex Weinert, Director of Identity Security at Microsoft, “Your password, in the case of a breach, just doesn’t matter — unless it’s longer than 12 characters and has never been used before.”
It’s not fair to blame users or give them sole responsibility for securing their accounts. The average person cannot remember dozens of long, complex passwords, so users take shortcuts to access the IT resources they need. Password reuse is a huge problem — hackers frequently use passwords stolen from other accounts in “credential stuffing” attacks.
Passwords also create headaches for the IT department. Increasingly stringent password requirements cause more frequent calls for password resets. In many organizations, password management is the largest IT support cost.
Some organizations bolster password security with multifactor authentication (MFA). In addition to a password (something the user knows), the user must supply something they have (such as a hardware token) or something they are (a biometric such as a fingerprint). MFA can reduce the risk of compromise by nearly 100 percent, but it adds another layer of complexity to the login process.
The Passwordless Approach
Passwordless authentication eliminates passwords from the process. It still requires multiple authentication factors to log in, but everything is protected by public-key cryptography.
A public and private key pair is created when the user’s mobile device is registered with the passwordless authentication system. The public key is registered with the system and the private key is retained on the device. To unlock the private key for authentication, the user supplies a PIN or a biometric. Authentication then proceeds automatically.
When the user wants to log in, the system sends a challenge to the registered device. The user unlocks the private key, the device signs the challenge with it, and the system verifies the signature against the registered public key. The private key never leaves the user’s device, and because each challenge is fresh, a captured response cannot be reused.
The FIDO (Fast IDentity Online) Alliance has developed standardized protocols for passwordless authentication. The FIDO2 open authentication standard helps ensure compatibility across a wide range of devices and applications.
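As an added illustration of the registration and challenge-response flow described above (example code written for this article, not code from the original post or from any FIDO2 implementation), the following Go sketch uses Ed25519 signatures. The credential ID, the PIN value and the in-memory credential store are constructed for the example; a real authenticator would keep the key in hardware and a real relying party would also bind the signed data to its origin.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// RelyingParty is the authenticating system: it stores only public keys, never a private key or PIN.
type RelyingParty struct {
	creds map[string][]byte // credential ID -> raw Ed25519 public key bytes
}

// Authenticator models the registered device; its private key is gated by a local PIN check.
type Authenticator struct {
	priv ed25519.PrivateKey
	pin  string
}

// Register generates the key pair on the device and sends only the public half to the RP.
func Register(rp *RelyingParty, credID, pin string) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.creds[credID] = pub
	return &Authenticator{priv: priv, pin: pin}, nil
}

// NewChallenge issues a fresh random nonce per login so a captured response cannot be replayed.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Respond runs local user verification (the PIN stands in for a PIN or biometric check), then
// signs the challenge with the private key. Only the signature leaves the device.
func (a *Authenticator) Respond(pin string, challenge []byte) (sig []byte, ok bool) {
	if pin != a.pin {
		return nil, false
	}
	return ed25519.Sign(a.priv, challenge), true
}

// Verify checks the signature against the public key registered under credID.
func (rp *RelyingParty) Verify(credID string, challenge, sig []byte) bool {
	pub, ok := rp.creds[credID]
	return ok && ed25519.Verify(ed25519.PublicKey(pub), challenge, sig)
}
```

A login succeeds only when the correct PIN unlocks the key on the registered device and the signature matches the stored public key; a wrong PIN, a replayed signature against a new challenge, or an unknown credential ID all fail.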
Many administrators question how a PIN can be more secure than a password. However, what matters is not the length or complexity of the PIN but the fact that it is tied to a particular device. If a hacker were to steal the PIN or biometric data, it would be useless without the device. And the risk of theft is minimized because the PIN and biometric data aren’t stored in a central location.
IT teams may also be concerned that users will be locked out of applications and services if their devices are lost or stolen. However, best-in-class passwordless solutions offer a variety of trusted recovery options that don’t compromise security.
Passwords no longer provide adequate protection against cyberattacks. Eliminating passwords and shifting to the passwordless approach can dramatically increase security while streamlining user authentication and reducing IT support costs.
ABOUT MAINSTREAM TECHNOLOGIES
Mainstream Technologies delivers a full range of technology services in Arkansas and the surrounding region, including managed technology services and consulting, custom software development, and cybersecurity services. We also offer industry-leading data center services in our Little Rock facilities. Established in 1996, Mainstream has earned a reputation for delivering quality, reliable, and professional technology services for public and private-sector customers across the United States.