Passwords have long been the default method for protecting all manner of accounts, both professional and personal. Although better than no protection at all, passwords have proven susceptible to today’s most common cyber attacks and to credential-stealing scams such as phishing, password spraying and man-in-the-middle (MitM) attacks. They are undoubtedly the least effective method of securing online data.
As a result, more and more organisations (and individuals) are moving towards passwordless authentication, in which accounts are secured by methods other than the traditional username and password combination. Organisations looking to steer their cybersecurity in this direction are strongly advised to consider strong multi-factor or two-factor authentication (MFA/2FA) solutions as part of their overall cybersecurity strategy. Both MFA and 2FA require a user to present two or more forms of identity verification as an added layer of security to permit
However, not all multi- or two-factor authentication is created equal. One-time passcodes (OTPs) sent by SMS or generated by mobile authenticator apps are the most popular forms of 2FA, and while any form of 2FA offers better security than a username and password alone, these methods are vulnerable to phishing, MitM attacks, SIM swapping and account takeover. On the usability side, keying in an OTP may seem easy enough, but multiplied by the number of logins and apps used each day, the friction soon stacks up. It also relies on the user’s device being charged and having a signal at precisely the right moment.
Delivering strong security without compromising usability has never been more important than in the era of remote working. Driven largely by the pandemic, hybrid working practices are here to stay, and businesses must ensure that their security strategies are fit for purpose. Our 2021 research into ‘cybersecurity in the work-from-anywhere era’ found that 42% of respondents felt more vulnerable to cyber threats while working from home, 39% felt unsupported by IT, and 62% reported not having completed cybersecurity training for remote work.
Despite the seismic shift in working practices we have witnessed over the last two years, even some of the world’s largest companies continue to struggle with passwords and legacy MFA solutions such as OTPs. Many are also now experiencing successful attacks against employees’ use of push-notification systems. Authentication schemes that rely on symmetric secrets (e.g. passwords and one-time passwords), and systems susceptible to accidental acknowledgement (in the case of push notifications), are among the most serious and fundamental security problems faced today. Yet they remain in use around the world, and we are simply not seeing the same focused approach to solving this issue that we have seen in other areas of information security.
As a ‘quick fix’, organisations often implement incremental countermeasures that respond to each small change in the attacker’s approach: increasing password length, mandatory regular password resets, character-combination requirements, and technology that compares passwords against known breached passwords. These approaches are fundamentally flawed, however, and continue to delay the introduction of modern authentication systems. To make meaningful progress toward stopping the increasing level of attacks on these legacy mechanisms, it is important that we stop trying to fix them and start treating them as vulnerabilities, just as we have done with other legacy technologies (e.g. MD5, SSL and telnet).
For example, FIDO2, an open authentication standard hosted by the FIDO Alliance, offers modern authentication options including strong single-factor (passwordless), strong two-factor and multi-factor authentication. FIDO is a set of authentication protocols aimed at providing secure authentication, protecting users’ privacy and reinforcing existing password-based login processes. FIDO2 reflects the newest set of digital authentication standards and is a key element in addressing the problems of traditional authentication and eliminating the global use of passwords. It allows users to authenticate easily via devices with built-in security capabilities, such as fingerprint readers, smartphone cameras or hardware security keys, to access their digital information.
Phishing-resistant protocols implemented in a FIDO2-enabled physical security key are considered best-of-breed solutions for stopping sophisticated attacks such as phishing in their tracks. More and more corporations are now opting for MFA solutions built on FIDO2, and the protocols are supported by global organisations, OS platforms and browsers, including Apple, Salesforce, Twitter, Google, Microsoft and the US Government.
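The two paragraphs above state that symmetric secrets such as OTPs are phishable while FIDO2 keys are not, but do not show where the difference comes from. The Go program below is an added illustration, not code from the original article or from the FIDO Alliance; it simulates the WebAuthn login ceremony in-process with a constructed relying party (rpId `example.com`, origin `https://example.com`), a constructed look-alike origin `https://login-example.invalid`, and an authenticator and browser modelled as plain functions. It shows the three checks that make a signed assertion useless to a phisher or to someone replaying a captured one: the browser-recorded origin, the rpId hash inside authenticatorData, and the server-issued challenge, all of which are covered by a signature from a key that never leaves the authenticator.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Constructed relying-party identity for this example, not a real deployment.
const rpID, rpOrigin = "example.com", "https://example.com"

// assertion is what the browser hands back to the relying party after a login ceremony.
type assertion struct {
	ClientDataJSON, AuthenticatorData, Signature []byte
}

// newChallenge issues a fresh random challenge, base64url-encoded as WebAuthn does.
func newChallenge() string {
	b := make([]byte, 32)
	rand.Read(b) // crypto/rand does not return an error on supported platforms
	return base64.RawURLEncoding.EncodeToString(b)
}

// authenticatorData builds the fixed 37-byte prefix: SHA-256(rpId) || flags || counter.
func authenticatorData(rp string) []byte {
	h := sha256.Sum256([]byte(rp))
	return append(h[:], 0x01, 0, 0, 0, 1) // flags: user present; counter: 1
}

// signedMessage is the ES256 input: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedMessage(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// browserGetAssertion models navigator.credentials.get(): the browser, not page script, records
// the page's true origin in clientDataJSON and scopes the request to that host as rpId; the key
// signs but never leaves the authenticator. (A real key would refuse a foreign rpId outright.)
func browserGetAssertion(priv *ecdsa.PrivateKey, pageOrigin, challenge string) assertion {
	u, _ := url.Parse(pageOrigin) // constructed origins in this example always parse
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": pageOrigin})
	authData := authenticatorData(u.Hostname())
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cd))
	if err != nil {
		panic(err)
	}
	return assertion{cd, authData, sig}
}

// verifyAssertion is the relying-party side; each check has its own error so a defender
// can log exactly which one rejected a phished or replayed login.
func verifyAssertion(pub *ecdsa.PublicKey, a assertion, expectedChallenge string) error {
	var cd map[string]string
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd["type"] != "webauthn.get" || cd["challenge"] != expectedChallenge {
		return errors.New("wrong ceremony type or challenge: stale or replayed assertion")
	}
	if cd["origin"] != rpOrigin {
		return fmt.Errorf("origin %q is not %q: ceremony ran on another site", cd["origin"], rpOrigin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(a.AuthenticatorData) < 37 || string(a.AuthenticatorData[:32]) != string(want[:]) {
		return errors.New("rpIdHash mismatch: credential scoped to another rpId")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

// runScenario registers one credential and plays three login ceremonies against it.
func runScenario() (legit, phished, replayed error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	pub, ch := &priv.PublicKey, newChallenge()
	good := browserGetAssertion(priv, rpOrigin, ch)
	legit = verifyAssertion(pub, good, ch)
	// Same key and same server challenge, but the user is on a look-alike site (constructed origin).
	phished = verifyAssertion(pub, browserGetAssertion(priv, "https://login-example.invalid", ch), ch)
	// The captured legitimate assertion presented against a fresh challenge, as a stolen OTP would be.
	replayed = verifyAssertion(pub, good, newChallenge())
	return legit, phished, replayed
}

func main() {
	legit, phished, replayed := runScenario()
	fmt.Printf("legitimate: %v\nphished: %v\nreplayed: %v\n", legit, phished, replayed)
}
```

The contrast with an OTP is the point: an OTP typed into a look-alike page is a valid secret wherever it is relayed, whereas the assertion above carries the origin the browser actually saw and a challenge that is spent after one use, so the same user action on the wrong site produces nothing the real service will accept. Logging which check failed (origin, rpId, challenge or signature) gives a defender a direct signal that a phishing page or replay was attempted.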
The road to passwordless is not always smooth or linear, but organisations can make the journey easier by factoring their users in at every stage and by focusing on interoperability. Hardware-based security keys provide strong authentication while reducing friction at login compared with other multi-stage authentication protocols. Ultimately, the right passwordless solutions should make life both easier and more secure for all users: a win-win for everyone this Cybersecurity Awareness Month.