Passwordless Authentication
Is Passwordless Authentication the Future?
On average, employees of any organization are required to create around 10 to 30 complex and unique passwords, which must be remembered and changed frequently. This leads to reuse of the same weak passwords, sticky notes filled with passwords, and frequent reliance on the ‘forgot password’ function. According to the Verizon Data Breach Investigations Report, this is why 80% of cyber breaches are due to compromised passwords. Passwordless Authentication can be a solution to this problem.
What is Passwordless Authentication?
The Passwordless model is not single sign-on, multi-factor authentication, or the use of OTPs sent via SMS or email; it is a model that uses ‘possession factors’ that uniquely identify users. These can include a one-time password generator, a hard token, biometrics, or a registered mobile device. In short, it removes the problem of weak user-created passwords and gives users a better sign-in experience, because they are no longer required to create, remember or store passwords.
What does Passwordless Authentication Prevent?
Password Spraying
Password spraying is an attack that tries to take over a large number of accounts by trying a few commonly used passwords against each of them. The passwordless model removes user-chosen passwords altogether, so there are no weak passwords for this attack to guess.
Credential Stuffing
Credential stuffing is a cyberattack in which stolen account credentials obtained from large breaches are used to gain unauthorized access to user accounts. Attackers use an ‘account checker’ program to send large-scale automated login requests to the web application. Passwordless removes the user-generated passwords that credential stuffing relies on, and with them the risk of credential stuffing.
Spear Phishing
Phishing is a cyber attack that uses a disguised email as a weapon; the goal is to trick the recipient into believing the message comes from a trusted entity or person. Spear phishing targets a specific recipient with tailored fraudulent emails, often as part of a business email compromise incident. With Passwordless Authentication, users are never prompted to reset or update passwords, so they will know that any such request is an attempt by a cybercriminal.
Brute Force Attack
A brute force attack is one in which the attacker makes repeated login attempts using every possible combination of letters, numbers and characters to guess a password. Attackers target systems that rely on a password as the first factor; Passwordless authentication does not use a password as the first factor, so brute force attacks have nothing to guess.
Keylogger Malware
This attack uses a keystroke logging program to record and capture passwords. The program can be planted on legitimate websites or delivered in a phishing mail that contains commands to download a keylogger file, which the user activates with a simple click. But even after successfully getting a user to install a keylogger, attackers still need the victim to type in their password so it can be recorded. If passwords are never entered, nothing captured by the keylogger will grant an attacker access to accounts.
Notable Keylogger Malware Attacks:
2019 Chinese Intelligence Campaign Against U.S. Tech
Shoulder Surfing
Shoulder Surfing is simply stealing a user’s credentials by literally peering over their shoulder while the user types them in. It is a simple method with a high success rate. When users no longer enter passwords, there is no longer any information being exposed that would give a peeping hacker illicit access.
Notable Shoulder Surfing Attack:
2016 California Shoulder Surfing Spree
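To make the possession-factor model described above concrete, here is an added example (not code from Real Secure or from any product the article names) of a minimal challenge-response sign-in: the enrolled device holds a key the user never types, the server accepts each response only once, and the login origin is bound into the response. The class and function names are hypothetical, and a symmetric HMAC stands in for the asymmetric credential a real FIDO2/WebAuthn deployment would use, so the example runs with the standard library alone.

```python
import hashlib
import hmac
import secrets

# Hypothetical possession-factor login. The device key is provisioned at
# enrollment and never typed, so there is nothing for a keylogger, shoulder
# surfer or password-guessing attack to capture. HMAC replaces a real
# asymmetric credential only so this runs with the standard library.

def device_respond(key: bytes, challenge: bytes, origin: str) -> bytes:
    # The origin is mixed into the MAC, so a response produced for a
    # look-alike phishing site does not verify at the genuine one.
    return hmac.new(key, origin.encode() + b"|" + challenge, hashlib.sha256).digest()

class PasswordlessServer:
    def __init__(self, origin: str):
        self.origin = origin
        self.devices = {}      # user -> device key stored at enrollment
        self.challenges = {}   # user -> outstanding challenge (at most one)

    def register_device(self, user: str) -> bytes:
        key = secrets.token_bytes(32)
        self.devices[user] = key
        return key             # provisioned into the device, not shown to the user

    def issue_challenge(self, user: str) -> bytes:
        challenge = secrets.token_bytes(32)
        self.challenges[user] = challenge
        return challenge

    def verify(self, user: str, response: bytes) -> bool:
        challenge = self.challenges.pop(user, None)   # consumed even on failure
        if challenge is None:
            return False                              # nothing outstanding: replay or forgery
        expected = device_respond(self.devices[user], challenge, self.origin)
        return hmac.compare_digest(expected, response)

def demo() -> dict:
    # Constructed walk-through of the three outcomes the article cares about.
    server = PasswordlessServer(origin="https://login.example.com")
    key = server.register_device("alice")
    c = server.issue_challenge("alice")
    r = device_respond(key, c, server.origin)
    login = server.verify("alice", r)           # genuine sign-in succeeds
    replay = server.verify("alice", r)          # captured response reused: rejected
    c2 = server.issue_challenge("alice")
    r2 = device_respond(key, c2, "https://login.example-login.com")
    phished = server.verify("alice", r2)        # relayed via look-alike site: rejected
    return {"login": login, "replay": replay, "phished": phished}
```

The replay and phished cases show why a keylogger capture or a spear-phishing relay yields nothing reusable: each response is tied to one fresh challenge and one origin.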
Final Thoughts
It is good that Passwordless authentication is finally gaining real traction, even though it is still evolving. Businesses should understand that moving beyond passwords requires major upgrades in IT and business processes. We can expect most employees and users to be skeptical about this approach, and they may assume that it will be daunting and complex. These challenges should not stop businesses from going passwordless. Real Secure can help businesses evolve to the next stage of digital authentication by fixing the necessary processes and layers before boarding the password-free journey!
Find out more about our Cybersecurity Consultancy Services.