FIDO Alliance explains why it is time to get rid of passwords for good.
COVID-19 was not only a human tragedy but also a dismal period for cybersecurity.
That is according to a survey by Risk Based Security, which found that the number of records exposed reached a staggering 36 billion in the first three quarters of 2020 alone. The most exposed data types included access credentials in the form of email addresses and passwords. This is a stark reminder to everyone of the importance of maintaining good cyber hygiene, especially using a unique, complex password for every site they access. Unfortunately, this kind of hygiene is not widely practiced by consumers or enterprises. Take the SolarWinds attack, for example, where the threat actor used password guessing, amongst other techniques, to infiltrate corporate networks.
These data breaches have become increasingly severe over the years, and it’s become clear that our collective over-reliance on passwords has become a liability. The very nature of passwords — a “shared secret” that sits on a server — makes them easy to steal and reuse in credential stuffing attacks. Simply put, passwords are no longer fit for purpose.
The good news is that we’re seeing seeds of change and improvement.
Is multi-factor authentication the answer?
Multi-factor authentication (MFA) is an authentication technique that requires a user to present at least two factors that prove their identity. This layered approach to authentication security is becoming increasingly popular with businesses, given its ease of deployment and integration with a broad range of applications. But while companies have been looking towards adopting MFA to reduce security risks, simply adding authentication layers on top of passwords is not the solution. Older MFA methods, like SMS codes or OTPs, are cumbersome for employees to use, requiring a separate device every time they log in to a system. They are unfortunately also still susceptible to attacks and can be compromised because they rely on the same shared-secret approach that passwords use.
Just last year, Android malware buried within a seemingly innocent currency converter was found to bypass typical two-factor authentication (2FA) account protections by reading text messages that may contain one-time passcodes (OTPs) and 2FA codes.
Given this, it’s time for businesses to look at a solution that ditches the need for passwords altogether.
Out with the old, in with the new
Newer MFA methods, especially those that are passwordless, eliminate the problems that weak passwords bring. That means better security for organizations, because passwordless authentication methods defend against various types of cyberattacks.
Essentially, the vulnerabilities associated with passwords decrease if there are no credentials to steal or hack, thereby improving overall cybersecurity. Benefits of modern, passwordless authentication methods also go beyond security.
The FIDO standard, for example, is designed around public key cryptography, which ensures that login credentials cannot be intercepted by hackers: the private key never leaves the local device, and the server holds only the corresponding public key. For users, it also means they have more control during their logins and don’t have to worry about account takeovers. More importantly, there is no longer a need to remember or type passwords, leading to a better user experience. This industry standard allows users to log in with the same thing they use to unlock their device, like a fingerprint or facial scan, or with a physical security key. Leveraging everyday devices like smartphones, PCs and security keys makes it much easier for businesses to deploy and manage, while still keeping it convenient for users.
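The public-key login flow described above, as an added example that is not FIDO Alliance code or any FIDO library: a simplified Go model in which the device generates a key pair per site, the server stores only the public key, and each login is a signature over a fresh challenge bound to the site's identifier. The type names, the `digest` helper and the way the site identifier is hashed with the challenge are assumptions made for illustration, not the WebAuthn wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator models the user's device: one private key per relying party ID,
// generated on the device and never exported. Only signatures ever leave it.
type Authenticator map[string]*ecdsa.PrivateKey

// PublicKeys is all the RelyingParty (the server) stores per user. A dump of this
// table gives an attacker nothing to replay here or to stuff into other sites.
type PublicKeys map[string]*ecdsa.PublicKey
type RelyingParty struct{ ID string; Keys PublicKeys }

// Register creates a fresh P-256 key pair scoped to rp.ID and hands over only the public half.
func (a Authenticator) Register(rp *RelyingParty, user string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	a[rp.ID], rp.Keys[user] = priv, &priv.PublicKey
	return nil
}

// digest binds each signature to the relying party ID as well as to the per-login challenge
// (constructed here as a simplification; the server must issue a fresh random challenge each login).
func digest(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return h[:]
}

// Assert signs the challenge with the key registered for rpID; a site the device never
// registered with selects no key, so the user cannot be tricked into signing for it.
func (a Authenticator) Assert(rpID string, challenge []byte) ([]byte, bool) {
	priv, ok := a[rpID]
	if !ok {
		return nil, false
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(rpID, challenge))
	return sig, err == nil
}

// Verify checks sig against the public key stored for user, under this server's own ID.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.Keys[user]
	return ok && ecdsa.VerifyASN1(pub, digest(rp.ID, challenge), sig)
}
```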
There is no doubt that the world will continue to grapple with increasingly sophisticated cyberattacks at an ever faster pace. Nonetheless, this lesson on authentication is one that we must learn. We have to be willing to take the step towards change, and embrace modern passwordless MFA — especially methods based on industry standards already backed by leading vendors — for more robust security.