The Seismic Shift: Charging Past Passwords With Passwordless Authentication
Written by: Martin Dale Bolima, Tech Journalist, AOPG
It used to be that passwords kept personal and sensitive information safe. Nowadays, a password may very well be a free pass for the modern cybercriminal—savvy and sophisticated and all sorts of sly.
Last year’s region-wide hack, in which malicious actors pilfered around USD $500,000 by breaking into multiple accounts at several banks in Southeast Asia, is a reminder that passwords are outliving their usefulness. In this elaborate ruse, hackers hijacked One-Time Passwords (OTPs) sent by banks via SMS and diverted these OTPs into overseas mobile network systems.
Already in possession of the unsuspecting victims’ credit card details and mobile phone numbers, obtained ostensibly through phishing and social engineering, these hackers were then able to complete fraudulent credit card payments online. Despite such hacking incidents, the use of OTPs sent via SMS is, curiously, still favoured by three in five e-payment adopters in Southeast Asia—implying that there remains widespread trust in passwords.
In one sense, that trust is a good thing, because it shows increasing vigilance about security. But sticking with OTPs, or passwords in general, may not be the best idea. Not when going passwordless is an option.
Passwords Are Vulnerable and Outdated
Going passwordless means dropping passwords and instead using alternative identity authentication mechanisms, like biometrics. This represents a seismic shift given how long passwords have been the staple protectors of accounts and other sensitive data, but it is a change that needs to be made. The reason is simple: passwords can be hacked, and there are a variety of ways to do it, including the aforementioned phishing and social engineering, as well as password spraying and keystroke logging.
To put it bluntly, there are just too many password-related vulnerabilities that can be exploited.
“The vulnerability of passwords is that they’re knowledge-based credentials and they sit on a server—and these are things a hacker can take advantage of,” explained Andrew Shikiar, Chief Marketing Officer and Executive Director at FIDO Alliance, in an exclusive virtual interview with Cybersecurity ASEAN. “Since the beginning of the password, it’s just been basically a shared secret where the answer sits on a server and you got to know it in your head. And to access that credential, you need to encode the correct ‘secret’ over the network, which creates two big openings for hackers. One, they can find a way to steal your password . . . And the other thing, which has been incredibly effective, is phishing . . .”
Phishing is on the rise, with Kaspersky blocking over 11 million phishing attempts in Southeast Asia alone. For all those foiled tries, however, there are a few that actually get through. Those that work like a charm can turn out to be a gold mine for the hackers, as was the case in last year’s region-wide phishing scam. Cases of phishing, therefore, are only going to go up because, in the words of Shikiar, “phishing works about 50% of the time.” It is also quite easy to phish nowadays no thanks to phishing toolkits available for less than USD $100 that even come with full professional support.
So, between the numerous ways hackers can decipher passwords and people still practising poor password hygiene (recycling passwords, using personal information as passwords and choosing easy-to-guess passwords), one thing is crystal clear: passwords will always be vulnerable to getting hacked.
The Seismic Shift: From Password to Passwordless
The solution, again, is to ditch the password and go passwordless—something Shikiar highly recommends for organisations in whatever industry.
“Passwords are the leading cause of data breaches. Over 80% of data breaches, I believe, are caused by passwords, and it is causing businesses billions and billions of dollars per year,” Shikiar pointed out. “That’s a fundamental problem not only because it’s costing businesses money but it’s also eroding consumer trust . . . and as we go more digital, it’s critical for that trust to be installed and reinforced constantly. So, I think it’s important for businesses to move away from passwords—or at least reduce reliance on passwords.”
However, Shikiar knows full well that shifting from passwords to passwordless is not going to happen overnight. Neither will it be easy. It will be a marathon, not a sprint, but the infrastructure is already in place to support such a shift.
“I don’t want to sound flippant and make it sound it’s an easy thing to do because even though we have the technology in place, it’s still a significant shift,” said Shikiar, “But I think it [going passwordless] is the right move.”
For the time being, Shikiar would like to see companies start that journey towards passwordless, and they can do so by implementing, at a minimum, two-factor authentication, so “they are not dependent on just passwords.” He also advised organisations to immediately put in place privileged access management toolkits and platforms “that limit the use of passwords so they are only in the hands of highly trained, sensitive people.”
Charging Past Passwords
From there, it is already about helping companies successfully move away from passwords.
Using either modern multi-factor authentication or modern passwordless authentication (or a combination of both) is the logical next step in this case, and both can be done using—what else?—FIDO technologies. These technologies, according to Shikiar, are built into pretty much all recent devices and browsers, underscoring an earlier point he made about passwordless infrastructure already being in place.
Possession-based, passwordless authentication is also gaining traction as a password alternative, and it is something major tech brands, like Apple, Google and Microsoft, are now offering in their core product offerings. Of these possession-based alternatives, biometrics have become the most widely used and are seen by 3 in 10 respondents in Asia Pacific as the most secure identity authenticator online. It is also the most used method to log in to online accounts, apps and smart devices.
At the enterprise level, companies can also go passwordless using the aforementioned alternatives or through some other means. Among the common methods here are security keys or physical tokens from companies such as Yubico and dedicated apps, like those created by HYPR and other FIDO-certified members.
“There are tools ready to go which companies can license now or implement today that take passwords out of play for their employees and also for their consumers,” Shikiar noted, while also pointing out how “these things take time.” Shikiar also emphasised the need for constant education so consumers will learn not only to accept new technologies but also to use them—and thus facilitate this shift from passwords to passwordless and restore any lost trust in the ideals of cybersecurity.
An Ongoing Shift
At least that marathon has already begun, and Shikiar is confident that passwordless will ultimately nudge passwords out of the picture—in part because the first major challenge, building the technologies needed for a passwordless future, is “largely done.” Now it is on to the second major challenge, which is educating consumers so they are convinced to actually use these technologies. This is a bigger challenge to overcome, but significant headway is being made on this front as well, according to Shikiar, as “there is a broad commitment to supporting consumers and employees in this journey.”
“It’s a multi-year process for certain but, little by little, we’ll see companies depending less on passwords for consumers and employees alike,” said Shikiar when asked about the future of passwordless authentications. “This [going passwordless] isn’t a farfetched idea. This is very real, and it’s happening today. And the pace of innovation and the pace of utilisation is only going to increase moving forward.”
That is bad news for hackers and their ilk, but good news for everybody else.