R.I.P. passwords. Hello peace of mind

Discover which passwordless authentication tools actually hold up against remote attacks such as phishing, prompt bombing and adversary-in-the-middle.


It is estimated that the average user has close to 100 passwords spread across applications and services. Almost two-thirds of users re-use the same password across multiple accounts, and 13% re-use a single password for every account they own. Verizon’s 2022 DBIR found that weak or compromised credentials are the source of over 80% of data breaches.

Even users with good password hygiene, who choose passwords of appropriate length and complexity, pay for it another way: they forget them, have to reset them, and are sometimes locked out of their accounts anyway. Forrester Research puts the average help desk labor cost of a single password reset at about $70. That figure does not include the user’s lost productivity, multiplied by the many resets a typical user goes through in a year. On the consumer side the cost shows up as lost revenue when shoppers abandon e-commerce carts rather than fight through a forgotten-password flow.

One answer to these problems is a password manager, but it has a cost of its own and is not a complete fix: the vault is only as safe as the master credential and the account that protects it, so a single successful account takeover (ATO) of that account exposes every stored password at once.

Going passwordless

Technology in the authentication space has rapidly evolved to support stronger forms of authentication, including multi-factor authentication and passwordless options that eliminate both the poor security hygiene and the poor user experience of passwords. However, not all passwordless authenticators are equally secure against remote attacks: some can be relayed or socially engineered from across the internet, while others are bound to the device and the site in a way that a remote attacker cannot reproduce. Below are the options to consider when going passwordless.

Mobile Push Notification – The user unlocks the phone with Face ID, Touch ID or a PIN and approves a push prompt in an authenticator app. The biometric protects the phone, not the login: an attacker who already holds the password can trigger prompt after prompt until the user taps Approve, the prompt bombing or MFA fatigue attack seen recently in the news.

Mobile Time-Based OTP – Soft-token apps generate a new six- or eight-digit code every 30 seconds or so (RFC 6238). The device biometric only unlocks the app; the code itself is a short string that the user types into whatever page is in front of them, so a phishing page or an Adversary-in-the-Middle (AiTM) proxy can relay it to the real service inside the same 30-second window. Nothing in the code records where it was typed.

Mobile Push + Mutual Authentication – This method combines mobile push with a mutual authentication token, often called number matching. The website or app the user is signing into displays a number or token, and the user must enter or confirm that same value in the mobile authenticator app. That defeats blind prompt bombing, because an attacker who merely triggers prompts cannot see the number. It does not defeat a sophisticated AiTM attack: a real-time proxy relays the genuine site’s page, number included, so the victim sees the expected value and approves.

The above authenticators add real security over a bare password and may satisfy some use cases or levels of assurance. For higher assurance, and in particular for phishing resistance, organizations must consider authentication built on PKI-based smart credentials or FIDO2 tokens, where the secret never leaves the device and every login is cryptographically bound to the site requesting it.

FIDO2 Key – A FIDO2 security key is a small hardware device, usually USB and sometimes NFC or Bluetooth, that the user plugs into or taps against the desktop. It holds a private key that never leaves the device. At login the service sends a random challenge, and the key signs that challenge together with the web origin the browser is actually connected to; a signature obtained on a lookalike domain is therefore worthless to the real service, which is what makes the method phishing resistant. Many keys add a fingerprint sensor or PIN as a second factor (user verification). A successful login authenticates the user to that one system; reaching further applications without signing in again is the job of single sign-on, not of the key itself.

High Assurance Credential-Based Passwordless Access – Credential-based passwordless access provisions a digital certificate onto the user’s phone (a mobile smart credential), turning the phone into the user’s trusted identity. Over Bluetooth® or NFC, a connection is established between the mobile device holding the smart credential and the workstation as the user approaches it. From there, there are two ways to log in without a password: the workstation unlocks when the user provides a fingerprint or Face ID on the smartphone, or the desktop prompts the user for a PIN. Within the same session, the user can also authenticate to remote desktop and SSH with the same credential.

FIDO2 Passkeys – A passkey is a FIDO2/WebAuthn credential held by a phone, laptop or password manager rather than by a dedicated security key, and it is gaining adoption because it gives the same origin-bound, phishing-resistant challenge-response as a security key with a better user experience. In the cross-device flow, a user signing into an application from a desktop is asked to use a registered phone nearby; the browser and the phone establish a Bluetooth® connection to confirm physical proximity, the application’s security challenge is forwarded to the phone, the user unlocks the passkey with biometrics, and the phone signs the challenge and sends it back. Phishing resistance comes from the browser binding every signature to the origin it is really connected to, so a lookalike site cannot obtain a usable signature; the proximity check stops a remote attacker from using the victim’s phone as a signing oracle from across the internet. With this capability, the user’s phone reaches the phishing-resistant tier without the user having to carry a specialized piece of authentication hardware.
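The difference between the relayable authenticators (TOTP) and the origin-bound ones (FIDO2 keys and passkeys) comes down to what the relying party can check. The following Python illustration is an added example, not code from this article, Entrust or the FIDO Alliance. It implements RFC 6238 TOTP on the standard library and a simplified WebAuthn assertion flow; the domains, seed, credential key and challenge are constructed, and the authenticator’s signature is modelled with an HMAC in place of the ECDSA P-256 signature a real authenticator produces, so that it runs offline. The relying-party checks on challenge, origin and RP-ID hash are the real ones.

```python
"""Constructed demonstration: a TOTP code survives an AiTM relay, a
FIDO2/WebAuthn assertion does not. Not code from the page, Entrust or the
FIDO Alliance. Domains, seeds and challenge are made up; the authenticator
signature is an HMAC standing in for ECDSA P-256 so this runs stdlib-only.
The relying-party checks (challenge, origin, RP-ID hash) are the real ones."""
import hashlib
import hmac
import json
import struct

# ---------- TOTP (RFC 6238), the code a mobile soft-token app shows ----------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_relayed_through_aitm(seed: bytes, unix_time: int) -> bool:
    """The victim types the code into the phishing page; the proxy forwards it
    unchanged. Nothing in the code says where it was typed, so it verifies."""
    typed_on_phishing_page = totp(seed, unix_time)
    forwarded_by_proxy = typed_on_phishing_page
    return hmac.compare_digest(totp(seed, unix_time), forwarded_by_proxy)

# ---------- FIDO2 / WebAuthn assertion, simplified ----------
REAL_RP_ID = "login.example.com"             # constructed
REAL_ORIGIN = "https://login.example.com"
PHISH_RP_ID = "login-example.com"            # constructed lookalike domain
PHISH_ORIGIN = "https://login-example.com"

class Authenticator:
    """Security key, phone or platform authenticator. Credentials are scoped
    to the RP ID they were registered for; any other RP ID finds nothing."""
    def __init__(self):
        self.creds = {}   # rp_id -> credential key (stand-in for the private key)

    def register(self, rp_id: str, key: bytes) -> None:
        self.creds[rp_id] = key

    def get_assertion(self, rp_id: str, client_data: bytes):
        key = self.creds.get(rp_id)
        if key is None:
            return None
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        auth_data = rp_id_hash + b"\x05" + struct.pack(">I", 1)  # flags UP|UV, counter
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, hmac.new(key, to_sign, hashlib.sha256).digest()

def browser_client_data(origin: str, challenge: str) -> bytes:
    # The browser, not the page's JavaScript, records the origin it is really
    # connected to. The phishing page cannot overwrite this field.
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()

def rp_verify(key: bytes, challenge: str, client_data: bytes,
              auth_data: bytes, sig: bytes) -> bool:
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False                      # replay or wrong ceremony
    if cd.get("origin") != REAL_ORIGIN:
        return False                      # signed for a lookalike site
    if auth_data[:32] != hashlib.sha256(REAL_RP_ID.encode()).digest():
        return False                      # credential scoped to another RP
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def login(auth: Authenticator, key: bytes, origin: str, rp_id: str, challenge: str) -> str:
    """One WebAuthn ceremony: RP challenge -> browser -> authenticator -> RP."""
    client_data = browser_client_data(origin, challenge)
    result = auth.get_assertion(rp_id, client_data)
    if result is None:
        return "no-credential-for-rp"
    auth_data, sig = result
    return "ok" if rp_verify(key, challenge, client_data, auth_data, sig) else "rejected"

def demo() -> dict:
    seed = b"constructed-totp-seed"
    key = b"constructed-credential-key"
    challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"   # RP-issued nonce, constructed
    auth = Authenticator()
    auth.register(REAL_RP_ID, key)
    # AiTM relay of a FIDO2 login: the victim's browser is on the lookalike
    # origin, so it asks the authenticator for the lookalike RP ID.
    via_aitm = login(auth, key, PHISH_ORIGIN, PHISH_RP_ID, challenge)
    # Even if the browser's RP-ID scoping were bypassed and the real credential
    # did sign, the origin the browser recorded would still give it away.
    cd = browser_client_data(PHISH_ORIGIN, challenge)
    auth_data, sig = auth.get_assertion(REAL_RP_ID, cd)
    wrong_origin = rp_verify(key, challenge, cd, auth_data, sig)
    return {
        "totp_relayed_accepted": totp_relayed_through_aitm(seed, 1_700_000_000),
        "fido_direct": login(auth, key, REAL_ORIGIN, REAL_RP_ID, challenge),
        "fido_via_aitm": via_aitm,
        "fido_wrong_origin_accepted": wrong_origin,
    }

if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the relayed TOTP code accepted, the direct FIDO2 login accepted, the FIDO2 login through the lookalike origin failing before any signature exists (the authenticator has no credential for that RP ID), and a signature over a client data record naming the wrong origin rejected by the relying party. The TOTP function can be checked against the RFC 4226/6238 test vector: seed `12345678901234567890` at time 59 yields `287082`.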

It’s important to note that any of the above passwordless methods can be combined with single sign-on (SSO): the user performs one strong authentication to the identity provider and then reaches applications seamlessly through federated identity protocols such as SAML or OIDC. SSO does not make the authenticator itself stronger; its benefit is that the strong login replaces a separate, weaker password at every application behind it, which also means the SSO session token becomes the asset to protect.

Learn more about how Entrust Identity as a Service (IDaaS) can help implement passwordless solutions for your users for any use case across both workforce and consumer / citizen user groups.


Copyright © 2023 IDG Communications, Inc.