Are We More Secure without Passwords?
While there are many ways to improve the security of passwords, there are still a number of flaws in the fundamental concept of a password-based system. Passwordless authentication is an option that provides secure access while addressing some of these flaws – let’s take a look at what it means to be passwordless and how this type of security model might benefit your organization.
A Little Password History
First, let’s look at the origins of password-based systems. One of the earliest uses of computer passwords was at MIT over six decades ago, when researchers who were timesharing a single disk drive wanted to avoid accidentally writing over one another’s work. They introduced a simple password system to prevent deletions and overwrites. However, since early passwords were stored in clear text, they were not necessarily secure.
Years later, a cryptographer named Robert Morris devised a system known as hashing, which is still used to this day. This system takes a string of characters and transforms it into a series of numbers, so that you’re no longer storing the password in clear text. This keeps the stored password relatively secure, but hashing alone is not a complete security system, because it doesn’t verify who is presenting the password.
The central problem with passwords is they are easy to acquire. Passwords can be guessed, stolen, or coerced via social engineering or phishing. To mitigate risk, we are told to use long, complex and “strong” passwords with varying alphanumeric and special characters, but these are then difficult to recall, manage and store. Add password reuse – which is very common – and you can see the huge scope of the password problem.
With SaaS business applications, the password problem is exacerbated. A threat actor doesn’t need to hack through your corporate firewall to access company data; they can simply log directly into an online account – like a CRM or email application – using your stolen credentials. The lack of verification, such as multi-factor authentication, is what makes this scenario possible. Recent research from Microsoft shows that 99.9 percent of compromised Microsoft accounts were not using multi-factor authentication, so while multi-factor can be quite effective, the best solution in the world is useless if you don’t actually use it.
So, what if you don’t use passwords?
There are typically three factors that can be used for authentication: something you know, something you are, and something you have. A passwordless system is an authentication method that lets you access a network, SaaS application or your computer without requiring a password or knowledge-based secret (something you know). This can mean biometric authentication, like a fingerprint or voice or facial recognition (something you are) – or a physical token or smart card (something you have) that can verify your identity and your permissions to access specific resources. The ideal and recommended scenario for passwordless authentication would still include multiple factors. Pairing something like a fingerprint scan with a USB hardware token would provide strong authentication, no passwords to remember, and a positive user experience.
What makes passwordless authentication a better solution than standard passwords?
- Standards-based asymmetric key (public key) cryptography makes them very secure – an attacker can’t guess or forge the private key that matches the registered public key, so there is no shared secret to steal or phish.
- Simplicity – no more memorization of long sets of passwords – just your finger or your face unlocks access.
- Easy, positive user experience. Fingerprint readers and facial recognition camera technology have come a long way, and both are commonplace. And in the world of security, any time we can improve the user experience while actually increasing security, that is a win.
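To make the first point concrete, here is an added example (not code from the original post or from Logicalis) of the challenge-response pattern that public-key passwordless logins are built on: the server stores only a public key, issues a fresh random challenge for each login, and the user's authenticator (for example a hardware token unlocked by a fingerprint) signs that challenge with a private key that never leaves it. It uses Go's standard-library Ed25519 implementation; the type and function names are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Credential is the server-side record: only the public key is stored,
// so a database leak yields nothing an attacker can log in with.
type Credential struct {
	UserID    string
	PublicKey ed25519.PublicKey
}

// Authenticator models the user's device or token; the private key stays inside it.
type Authenticator struct {
	priv ed25519.PrivateKey
}

// Enroll generates a key pair at registration; the server keeps only the public half.
func Enroll(userID string) (Credential, *Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Credential{}, nil, err
	}
	return Credential{UserID: userID, PublicKey: pub}, &Authenticator{priv: priv}, nil
}

// NewChallenge returns a fresh random nonce; the server remembers it for one login attempt only.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Sign is performed by the authenticator after a local gesture (fingerprint, PIN) unlocks it.
func (a *Authenticator) Sign(challenge []byte) []byte {
	return ed25519.Sign(a.priv, challenge)
}

// Verify checks the signature against the stored public key and the exact challenge issued.
func Verify(cred Credential, challenge, sig []byte) bool {
	return ed25519.Verify(cred.PublicKey, challenge, sig)
}

func main() {
	cred, auth, _ := Enroll("alice")
	ch, _ := NewChallenge()
	sig := auth.Sign(ch)
	fmt.Println("login valid:", Verify(cred, ch, sig)) // true
	ch2, _ := NewChallenge()
	fmt.Println("replayed signature:", Verify(cred, ch2, sig)) // false: challenge is single-use
}
```

Because each challenge is random and single-use, a captured signature cannot be replayed, and the stored public key on its own is useless for logging in.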
Want to see how you stack up against your peers when it comes to security readiness? Take our Logicalis Security Maturity Survey and answer a series of “Yes” or “No” questions that you should be able to complete in under 15 minutes. Your answers will be scored against Logicalis’ security maturity model which provides a quantitative score from 1 to 100 in four sections (Program, Network, Endpoint, and Cloud) as well as an overall score from 1 to 100. Take the Survey.
Want to learn more about passwordless authentication? Join Logicalis’ Ron Temske and Cory Kramer as they discuss it further on the Simply Secure: Passwordless Authentication Podcast.
Ron Temske is Vice President for Cybersecurity, Network and Workplace Solutions at Logicalis, Inc.