World Password Day 2024: In search of passwordless solutions

Around half (49%) of the data breaches reported last year (and 86% of all data breaches within web applications) involved the use of stolen login credentials such as usernames and passwords. In Germany alone, around 3.2 million user accounts were successfully hacked in the first quarter of 2024. In Switzerland, the figure was just under 210,000, so secure authentication still appears to be a challenge for many.

Although we know that passwords can be cracked, exposed or stolen and then used against us, many people and companies still rely on them. (Image: www.depositphotos.com)

Although we know that passwords can be cracked, disclosed or stolen and then used against us, many people and companies still rely on them. There are various reasons for this, and understanding them is essential to strengthening our passwords or moving away from them in favor of more effective authentication solutions. Passwords are simply practical: both users and IT administrators are familiar with how they work, they are easy to implement, they require minimal investment and work with existing infrastructure. They need no additional hardware, and almost every device and application supports password authentication.

Less dependence on passwords

Anyone considering alternatives to passwords needs to balance security, ease of use and scalability to ensure a seamless yet secure user experience. Too much complexity in authentication processes will only lead to users finding ways to circumvent them. Companies that want to move away from passwords without overburdening their users have a choice between:

Two-factor or multi-factor authentication (2FA or MFA):

These methods have now become the standard for many applications. With 2FA, users must present two factors of identification before gaining access to the device or application. Typically, these factors are something they know (e.g. a password) and something they have (e.g. a one-time code delivered to or generated on a mobile device). The additional time and complexity are comparatively low. MFA adds further layers of authentication, e.g. something that is unique to the user (biometric authentication) or something that they do (behavioral biometric authentication). However, in recent years attackers have increasingly learned to circumvent 2FA and MFA through targeted phishing or by exploiting "MFA fatigue": flooding users with fake login notifications until they wave one through.

Single Sign-On (SSO):

SSO allows users to access different devices or applications with just one set of credentials. This reduces the number of passwords in use and improves the user experience. The approach is very effective for logins within a company or organization, for example, but is often time-consuming to implement and set up. SSO can also be risky when it is extended to logins on the Internet, where access is granted via the credentials of popular services and websites such as Google, Facebook, Yahoo, Apple or Microsoft. The login itself becomes simple, but if the account with one of these providers is compromised, the attacker can access every other account for which that SSO login is used. In addition, data is often exchanged between the individual providers, which many users are not aware of and would not want.

Biometric authentication:

This category includes methods such as fingerprint recognition, facial recognition, iris scanning and voice recognition. Behavioral biometrics, on the other hand, is based on recognizing typing or device-usage behavior. Biometric authentication methods offer a high level of security while being user-friendly, as users do not have to remember passwords or answers to security questions. Many users are already familiar with them, since many end-user devices already have biometric capabilities, which can ease and accelerate enterprise-wide deployment and adoption. However, not every device is suitable for biometric authentication, and implementing the required technology can be very costly. In addition, users must consent to the use of their biometric data in a professional context.

Hardware tokens:

These physical devices generate unique, often time-limited codes or cryptographic keys for authentication as an additional layer of security for logging in. An attacker would need physical access to the token and would also need to know the user's login details to gain access to the account. The disadvantage: a forgotten password can simply be reset, but a lost hardware token must be replaced, and until it is, an alternative back-up login process must be in place.
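The time-limited codes mentioned for hardware tokens, and the "something you have" codes generated on a phone in the 2FA section, are usually the TOTP scheme of RFC 6238 built on HOTP (RFC 4226). The following is an added example, not code from the article or from Barracuda: it implements TOTP on the Python standard library and a server-side verifier that tolerates one step of clock skew, compares codes in constant time and refuses to accept a time step twice, so that a code captured by a phishing page cannot be replayed after the legitimate login. The `TotpVerifier` class, the `skew` parameter and the sample secret are assumptions for illustration; the secret is the RFC 6238 test-vector secret, not a real credential.

```python
import hashlib
import hmac
import struct

DIGITS = 6   # code length most authenticator apps use
STEP = 30    # seconds per time step (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a single counter value."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server-side verifier (hypothetical helper, not part of any standard).

    Accepts a code from the current step or `skew` steps around it, and never
    accepts a step at or before the last accepted one (replay protection).
    """

    def __init__(self, secret: bytes, skew: int = 1):
        self.secret = secret
        self.skew = skew
        self.last_accepted_step = -1

    def verify(self, submitted: str, at: int) -> bool:
        current = at // STEP
        for candidate in range(current - self.skew, current + self.skew + 1):
            if candidate < 0 or candidate <= self.last_accepted_step:
                continue  # invalid, already used, or older than last accepted
            expected = hotp(self.secret, candidate)
            # constant-time comparison avoids leaking matching digits via timing
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed demo with the RFC 6238 test secret (SHA-1 variant)
    secret = b"12345678901234567890"
    verifier = TotpVerifier(secret)
    code = totp(secret, 59)
    print("code at t=59:", code)
    print("first use accepted:", verifier.verify(code, 59))
    print("replay accepted:", verifier.verify(code, 59))
```

In a real deployment the shared secret is provisioned to the token or app once (typically via a QR code) and stored server-side encrypted at rest; the replay state must live in the user record, not in process memory, so that it survives restarts and is shared across application instances.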

Certificate-based authentication:

This approach is based on digital certificates issued by a certification authority, combined with public key cryptography, to check and verify the user's identity. The certificate stores identification-relevant information and a public key, while the user holds the corresponding private key. This authentication method is suitable, for example, where companies employ contractors who need temporary access to their network. However, implementing it can be comparatively costly and time-consuming.

There is also a dynamic approach: risk-based authentication. When a login attempt is made, the risk of unauthorized access is first estimated from factors such as user behavior, location and device information, and the authentication requirements are adjusted accordingly.
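To make the risk-based adjustment concrete, here is an added example that is not part of the article: a small scoring function that weighs the three factor types the paragraph names (device, location and behavior) and maps the resulting score to an authentication requirement. The factor weights, the thresholds, the "impossible travel" speed limit and the sample profile and login attempts are all constructed assumptions chosen for illustration; a production system would tune them from its own login telemetry.

```python
import math
from dataclasses import dataclass, field


@dataclass
class UserProfile:
    """What the system already knows about a user's normal logins (assumed schema)."""
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    last_login_lat: float = 0.0
    last_login_lon: float = 0.0
    last_login_time: int = 0          # unix seconds


@dataclass
class LoginAttempt:
    """Context captured at the moment of the login attempt (assumed schema)."""
    device_id: str
    ip_country: str
    lat: float
    lon: float
    timestamp: int                    # unix seconds
    failed_attempts_last_hour: int


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = math.radians(lat2 - lat1)
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


# Illustrative weights and limits (assumptions, not values from the article)
W_NEW_DEVICE = 30
W_NEW_COUNTRY = 20
W_IMPOSSIBLE_TRAVEL = 40
W_BRUTE_FORCE = 25
MAX_PLAUSIBLE_KMH = 1000.0
BRUTE_FORCE_FAILURES = 5


def risk_score(attempt: LoginAttempt, profile: UserProfile):
    """Return (score 0-100, list of reasons) for a login attempt."""
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:          # device factor
        score += W_NEW_DEVICE
        reasons.append("unknown device")
    if attempt.ip_country not in profile.usual_countries:        # location factor
        score += W_NEW_COUNTRY
        reasons.append("unusual country")
    # Impossible travel: distance from last login divided by elapsed time
    hours = max((attempt.timestamp - profile.last_login_time) / 3600.0, 1 / 3600.0)
    km = haversine_km(profile.last_login_lat, profile.last_login_lon,
                      attempt.lat, attempt.lon)
    if km / hours > MAX_PLAUSIBLE_KMH:
        score += W_IMPOSSIBLE_TRAVEL
        reasons.append("impossible travel")
    if attempt.failed_attempts_last_hour >= BRUTE_FORCE_FAILURES:  # behavior factor
        score += W_BRUTE_FORCE
        reasons.append("many recent failures")
    return min(score, 100), reasons


def required_authentication(score: int) -> str:
    """Map a risk score to the step-up the login must satisfy."""
    if score < 20:
        return "password"
    if score < 60:
        return "password+otp"
    return "deny"


if __name__ == "__main__":
    # Constructed sample data: a user who normally logs in from Berlin on one laptop
    profile = UserProfile({"laptop-1"}, {"DE"}, 52.52, 13.405, 1_700_000_000)
    attempts = [
        LoginAttempt("laptop-1", "DE", 52.52, 13.405, 1_700_003_600, 0),
        LoginAttempt("phone-9", "DE", 52.52, 13.405, 1_700_003_600, 0),
        LoginAttempt("phone-9", "US", 40.71, -74.01, 1_700_001_800, 0),
    ]
    for a in attempts:
        s, why = risk_score(a, profile)
        print(a.device_id, a.ip_country, s, required_authentication(s), why)
```

The important design point is that the score only chooses how much authentication to demand; it never replaces it. A low-risk login still requires the password (or another first factor), while a high-risk one is either stepped up to a second factor or refused and logged for the security team to review.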

To ensure the highest possible level of authentication security, those responsible should focus not on eliminating passwords but on reducing dependency on them. Passwordless approaches rely on alternative or additional authentication methods that, like those mentioned above, are both secure and user-friendly, often as part of a broader zero trust approach. Both passwordless access and zero trust help to increase the security of devices, users and networks in an ever-changing threat landscape without compromising the user experience, and in combination they end our reliance on passwords.

Source: www.barracuda.com
