Is the Password Era Coming to an End?
Believe it or not, passwords have a surprisingly long history. Their origins stretch back to 11 BCE when Roman soldiers used them to distinguish friend from foe. Fast forward nearly two millennia, and in 1961, the digital password was born, thanks to MIT computer science professor Fernando Corbató. Even today, over 50 years later, passwords remain the most common form of online authentication.
We use passwords for everything from online banking and social media to email and work accounts.
The sheer volume of accounts we juggle makes it difficult to create and remember strong, unique passwords for each one. This often leads to password reuse, a security nightmare. But in today’s increasingly complex and threat-laden digital landscape, the password is starting to show its cracks. Hackers only need to crack one password to potentially gain access to a multitude of accounts. Furthermore, even strong passwords are vulnerable to phishing attacks, keyloggers, and man-in-the-middle attacks, where attackers steal login credentials through various methods.
These limitations are driving the rise of passwordless authentication, a not-so-new wave of security solutions that move beyond the traditional “what you know” (password) approach.
Passwordless authentication leverages a wider range of factors to verify a user’s identity, such as “what you have” (a mobile device, security token) or “what you are” (fingerprint, facial recognition). This multi-factor approach significantly strengthens security by making it much harder for attackers to gain unauthorised access.
The Growing Challenges of Password-Based Security
Koh Ssu Han, Solutions Engineering Director, ASEAN at CyberArk points out in an interview with Cyber Security ASEAN that the problems with passwords are multifaceted. One major issue is password reuse. “Due to the difficulty of coming up with and memorising strong passwords, many users resort to using the same password for multiple accounts,” Koh said. While this is understandable, reusing the same password across accounts creates a significant security risk.
For instance, this often will leave the users’ passwords “everywhere”, whether for personal or corporate use, thereby creating a single point of failure. If a hacker cracks one password, they can potentially access a treasure trove of accounts, including your social media or banking login credentials.
Further complicating matters is the increasing sophistication of cyber attacks. Phishing emails, disguised to look legitimate, can trick users into revealing their passwords. Not to forget, with the rise of generative AI, Koh stresses that it will make phishing attacks through emails or text messages even more difficult to detect, as usual indicators such as poor grammar don’t give away the ruse.
Koh then highlighted two other ways threats that cyber attackers use to circumvent strong passwords, namely the rise of keylogging and man-in-the-middle attacks.
Keyloggers, a type of malicious software that records keystrokes, according to Koh can silently capture login credentials as users type them in, while man-in-the-middle attacks allow attackers to intercept communication between a user and a website, stealing login credentials in the process.
You see, even with strong password policies in place, these attackers will not stop until they get what they want. Hackers will use brute-force attacks if they have to in order to gain access to your accounts.
The Urgency of Passwordless Authentication
The limitations of passwords are becoming increasingly apparent as cyber threats evolve, and Koh believes that “removing passwords from the equation significantly reduces the risk of an account being compromised.” He also said that instead of relying solely on passwords for verification, we can enhance security by using additional methods like mobile authenticators, security tokens, or even biometric authentication like fingerprints or facial recognition.
The Solutions Engineering Director, ASEAN at CyberArk believes that when you use other authenticating factors, it becomes more robust and adds another layer of protection against any attempts of people trying to steal your credentials.
Koh further emphasises that passwordless access has also been shown to enhance user experience and productivity. “The removal of complex password requirements and frequent password updates enhances security and simplifies the user experience,” said Koh. In addition, passwordless authentication can also lead to increased productivity by eliminating the need for password-related IT support tasks, such as account unlocks and password resets.
Not only that, with regulatory bodies like the Monetary Authority of Singapore (MAS) focusing their attention on the dangers posed by mobile malware and generative AI, which can be used to create highly convincing phishing attacks, passwordless authentication offers a compelling solution.
As of now, there are plenty of passwordless options that we as users can use. But with an abundance of options comes an abundance of headaches! Luckily, Koh took some time to shed light on the pros and cons of various passwordless authentication methods:
- Physical Tokens and Security Keys: These offer high security due to their “stateless nature,” meaning they don’t store login information. “This prevents loss of credentials if such systems are compromised,” explains Koh. However, they can add cost and inconvenience as users need to carry the token at all times.
- Biometric Authentication: This method offers convenience, verifying users through fingerprints, facial recognition, or other unique biological features. While highly secure, Koh highlights potential drawbacks: “It can be more expensive than other options, and its use also raises concerns regarding the storage of sensitive biometric data and the possibility of false positives.”
- Mobile-Based Authentication: This leverages users’ existing smartphones, offering a readily available and convenient solution. It utilises additional verification factors like PINs or One-Time Passwords (OTPs) received via SMS or push notifications. While offering an extra layer of security compared to passwords, it has limitations. “These are less secure than physical token or biometric authentication,” explains Koh. Phishing attacks or SIM-swapping can compromise these methods.
Planning for a Passwordless Future
Considering all these factors, the shift towards passwordless authentication appears increasingly necessary. However, achieving this goal demands meticulous planning and execution.
A successful transition to passwordless authentication hinges on three pillars, as highlighted by Koh: A meticulous roadmap, partnerships with trusted vendors, and continuous training.
- A well-defined roadmap charts the course for a smooth migration process, minimising disruption to daily operations.
- Partnering with reliable vendors with expertise in passwordless solutions ensures access to the necessary support and guidance throughout the transition.
- Training plays a vital role too. Employees need to understand the benefits and mechanics of passwordless authentication for a seamless user adoption process.
However, not all applications or user groups require the same level of security. Hence, “Organisations should identify the most vulnerable profiles,” advises Koh. By focusing on these areas first, organisations can strategically prioritise passwordless authentication for the most critical use cases. This measured approach ensures a balance between robust security and user convenience.
Additionally, a gradual transition is essential for minimising risk and disruption. “The transition should be gradual, with detailed plans for pilot cases,” recommends Koh. Implementing passwordless authentication in phases allows you to test and refine the chosen solution in a controlled environment.
Pilot programs could also provide a valuable opportunity to identify and address potential issues before a wider rollout. This phased approach minimises disruption to core business operations and mitigates potential security risks associated with a large-scale deployment.
Ultimately, while passwordless authentication offers a compelling solution, the path to adoption isn’t without its challenges. Selecting the right vendor, balancing security with convenience, and ensuring a smooth user experience are all crucial considerations. But perhaps the biggest hurdle lies in user behaviour. Decades of relying on passwords have ingrained habits that will be difficult to break. The success of passwordless authentication hinges not just on technology, but also on educating users about the security benefits and the ease of use that this new paradigm offers.
Are we ready to let go of the password, a security staple for so long? The answer will determine how quickly we unlock the door to a more secure digital future.