To Password or not to Password that is the Question. Is Paswordless Authentication the answer?
PCMag. (2021, July 21). [Password login]. Got a Password Manager? Good, But You’re Using It Wrong. https://www.pcmag.com/how-to/password-managers-youre-doing-it-wrong
Passwords are our first line of defense, and with this comes the question, how secure are they? It is a fact that 81% of intrusions related to hackers have been thanks to unsecure passwords, this is dismaying if we consider that 60% of the world's population uses internet, and this number seems to only be increasing month by month. It is not surprising that there is a whole movement that seeks more convenient alternatives to protect our information.
Passwords are often the focus of attack by those ill-intentioned people who seek to get hold of our information or access critical systems to carry out their crimes. Although the function of passwords is to protect us, over the years they have proven to be vulnerable to various attack vectors such as brute force attacks, dictionary attacks or the use of social engineering being phishing the most recurrent example, in fact, it is estimated that 75% of companies in the United States have received a successful phishing attack.
Breaking down Passwordless
Passwordless authentication provides alternative ways to verify our identity, reducing maintenance costs, improving the user experience, and increasing security. This type of authentication proposes not to depend on memorizing passwords or entering them manually, while reducing the risk vectors of conventional passwords. Some solutions use the following models:
MagicLinks: Consist of sending by email a link to which the user enters as part of their authentication.
SMSMessages: For this solution it is necessary to have a cell phone, the user must enter his phone number, and this will receive a message with a unique code every time he wants to log in.
Other models rely on more direct methods but offer equally secure solutions, such as the following:
Biometricfactors: Uses the unique features of users such as: fingerprints, retinas, facial recognition, and even behavior as an authentication method.
FIDO2: FIDO2 is a free authentication standard, managed by FIDO Alliance and subject to the W3C standards for Web authentication, it also uses the CTAP (Client to Authentication Protocol) protocol that allows communication between different platforms and external authentication devices.
Perhaps at this point Passworless authentication resembles MFA (Multi-Factor Authentication), however, MFA proposes an extra layer of security for passwords, while the goal of Passwordless authentication is to rely on a single secure method to authenticate us.
What are some of the vulnerabilities?
The Passwordless Authentication model is an alternative for that "necessary evil" that includes traditional passwords, however, there are still details to be refined, many of the methods used have proven to have security problems, such is the case of authentication by Email and SMS (e.g. SIM sawpping), which have records of attacks in the past, affecting not only Passwordless solutions but also the MFA model.
Taking this into account, many providers are committed to strengthening their methods and maximizing security, while other providers opt for biometric solutions, which is affected by the increase in the efficiency of artificial intelligences which provide more sophisticated Spoofing attacks. Due to its benefits, Passwordless authentication is attractive, but training and raising awareness among users to adapt to the new paradigm is also a factor to consider.
Despite the risk vectors that Passwordless authentication has, it is still a "more secure" solution compared to passwords based on characters strings, although the road is long to find a solution that alone is "impenetrable", it is a significant advance to have alternatives that reduce the inherent risks of the current paradigm.
Although the main objective of Passwordless solutions is to be a single authentication method, it is attractive to use an extra layer of security that allows us to maintain the benefits, this combination form a strong team to get rid of some risk vectors such as Spoofing type attacks, a business environment is ideal to carry out this implementation, since the context to which the user will be subjected will be quite consistent, will allow better results without sacrificing the user experience.
Junior Security Engineer
BBC. (2013, November 08). Retrieved from BBC News: https://www.bbc.com/mundo/noticias/2013/11/131108_tecnologia_contrasenas_utilidad_kv
BND. (2018, August 03 ). Retrieved from BND: https://bnd.nd.gov/81-of-company-data-breaches-due-to-poor-passwords/
Cyberark. (n.d.). Retrieved from Cyberark: https://www.cyberark.com/what-is/passwordless-authentication/
Gillis, A. S. (n.d.). Techtarget. Retrieved from Techtarget: https://www.techtarget.com/searchsecurity/definition/passwordless-authentication
Johnson, T. (2018, December 16). Techxplore. Retrieved from Techxplore: https://techxplore.com/news/2018-12-passwords-ready.html
Johnstone, M. (2019, March 05). Theconversation. Retrieved from Theconversation: https://theconversation.com/receiving-a-login-code-via-sms-and-email-isnt-secure-heres-what-to-use-instead-112767
Onelogin. (n.d.). Retrieved from Onelogin: https://www.onelogin.com/learn/passwordless-authentication
Pathak, A. (2021, October 29). Geekflare. Retrieved from Geekflare: https://geekflare.com/es/passwordless-authentication-solution/
Proofpoint. (n.d.). Retrieved from 2021 state of the Phish: An in-depth look at users awareness, vulnerability and resilience: https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-state-of-the-phish-2021.pdf
Securemetric. (n.d.). Retrieved from Securemetric: https://www.securemetric.com/password-security-assessment/
Softwareone. (2021, June 01). Retrieved from Softwareone: https://www.softwareone.com/es-sv/blog/articles/2021/05/03/el-estado-actual-de-la-seguridad-de-la-contrasena-en-2021
welvesecurity. (2017, May 04). Retrieved from welivesecurity: https://www.welivesecurity.com/la-es/2017/05/04/dia-de-la-contrasena-origen/
Yubico. (n.d.). Retrieved from Yubico: https://www.yubico.com/authentication-standards/fido2/