{"id":1460,"date":"2020-07-09T09:30:00","date_gmt":"2020-07-09T09:30:00","guid":{"rendered":"https:\/\/contentsecurity.com.au\/?p=1460"},"modified":"2020-09-30T22:55:07","modified_gmt":"2020-09-30T22:55:07","slug":"the-death-of-the-password","status":"publish","type":"post","link":"https:\/\/contentsecurity.com.au\/the-death-of-the-password\/","title":{"rendered":"The prophesied death of the password"},"content":{"rendered":"\t\t
Bill Gates predicted the demise of the password in 2004. Over a decade and a half later, are we really any closer to its foreseen death?

Could the password be here to stay?

Password use is an established part of our daily routines. We rely on passwords to access applications and services in both our work and personal lives. They are the lock and key to our digital identities and personal data, and when they are compromised they are one of the primary causes of costly breaches. While to users the password seems a simple, convenient and cost-effective layer of security, it has long been the bane of IT security professionals.

The password poses a great challenge for information security

CIOs and CISOs are faced with the task of both managing and supporting password use across the enterprise. A large part of IT help desk time is spent on credential resets, replacement and revocation. One of the greatest frustrations for IT security professionals is user negligence towards modern password requirements and policies.

With exponential growth in online data processing and increasingly frequent breaches, password policies have become progressively stricter as a mitigation, with a focus on password complexity and uniqueness. Workers typically snub ‘good password’ practices because they are prone to choose convenience over security, meeting only the minimum requirements of enforced policies by choosing short, memorable passwords.

The problem with password reuse and fatigue

Enforcing password security policies in the workplace is especially difficult when users are often guilty of credential reuse across a number of platforms, websites and applications. Password reuse is typically a symptom of password fatigue – where a user feels overloaded by the number of passwords to remember, especially when required to create complex passwords in frequent rotation.

Credential reuse is a major contributing factor to a growing attack surface: the breach of a single account or application subjects the entire enterprise to a catastrophic domino effect, letting application after application fall.

This malpractice also increases the user’s and their entire organisation’s vulnerability to credential stuffing, where cyber criminals curate login credentials from past breaches and inject these username/password combinations into their targeted accounts.

Password comfort vs password complexity

Users adopt these lax password practices because they are not easily persuaded to trade their comfort for greater security. Most people are not motivated to change their password habits because they are unaware of the realities of data breaches and have not felt that their personal data was at risk. But how can you compel your users to protect personal and enterprise data? You cannot wait for the portents of a security incident, or a breach itself, to scare users into adopting good behaviours.

The case for passwordless authentication

This is why emerging identity verification methods redistribute the trust placed solely on users and IT security professionals into user-friendly systems and devices.

Passwordless authentication eliminates the frustrations for users and professionals alike by using alternatives to textual passwords as methods of verification.

Which passwordless authentication method has the potential to finally render the password obsolete?

Let’s consider the options here:

Multi-Factor Authentication (MFA):

While two-factor authentication (2FA) and MFA are convenient and prevalent methods of identity verification, they work in conjunction with passwords, as an extra barrier to unwanted access. During the sign-in process, users are asked to present two or more pieces of verification evidence. Like other methods of passwordless authentication, they rely on the user to provide a combination of identity factors: things you have, things you know, things you do, things you are, or where you are.

Once a user enters their password, they are then sent a single-use numerical code via SMS, or asked to answer a secret question, e.g. ‘What was your mother’s maiden name?’ Once these extra pieces of evidence have been presented, the sign-in process is complete. MFA decreases the probability of an account being compromised, but only replaces passwords in the sense that they are no longer the primary security measure. MFA methods are typically easy to use and implement, and are reasonably cost-effective.

Risk-Based Authentication (RBA):

RBA solutions are an Identity and Access Management (IAM) technology that takes into account the context of a user’s log-in and produces a risk score for the situation. If the system flags the situation as high-risk, the user is subject to stricter verification methods, such as 2FA or MFA.

For example, if a user takes more time than usual to type their password, or attempts a log-in from two different locations within a short amount of time, these situations are flagged as higher risk and the user is subjected to MFA or SMS-based authentication. If the log-in is seen as low-risk, the user can authenticate using a single password. RBA is effective because it monitors behavioural patterns and consults a broader pool of contextual information to encourage better user practices.

Physical Token Authentication:

Hardware tokens are security keys, typically in the form of a USB device. The user inserts the token into their device and is granted access to the system. While this removes the need to memorise textual passwords and the answers to MFA security questions, physical tokens are still fairly inconvenient.

You cannot verify your identity without having the token on your person, and security keys are too easily misplaced or stolen. Once a physical token is lost, its credentials must be revoked and replaced.

Biometric Authentication:

Biometrics are a compelling route for passwordless authentication and make for an interesting user experience. Biometric verification relies on unique identifiers, both physical and behavioural. These include voice recognition, facial scanning, fingerprinting, heart monitoring and other biological distinguishers such as hand geometry.

It is an easy-to-use solution, but like all verification methods, biometric verification comes with its flaws. While each individual has their own unique biometrics, this does not mean the solution is unhackable. In the event that facial recognition or fingerprint data is stolen, these credentials must be completely revoked within the given system.

Biometrics are also notoriously inaccurate at times. Fingerprint scanning reads only partial prints and can therefore be fooled. Facial recognition systems are also known to have gender and racial bias, hindering their ability to accurately detect female faces and those with darker skin tones. In addition to inaccuracy, face scanning is also threatened by rapid improvements in deepfake technology that can trick the system.

However, as this field becomes more sophisticated with the help of Artificial Intelligence (AI) powered systems, biometric verification could become a very promising alternative verification method.

Passwordless Email and SMS Authentication:

Both email- and SMS-based authentication methods use an existing logged-in session on one device to allow streamlined user access on a different device via a time-sensitive, single-use link or code. The user may receive a notification asking them to authenticate the new session, e.g. ‘You are logging into your account from an iPhone in Coogee, NSW. Allow?’ These tokens grant the receiving device long-lived verification and build a trusted network of devices that can be added or removed by the user.

Again, these methods rely on verifying one’s identity in the existing session, meaning the user still requires their password. While these methods are becoming increasingly popular, they are still at risk of being compromised in the same ways as passwords alone. If a user is a victim of social engineering and divulges their password, then these single-use tokens can easily be stolen. The email link tokens or SMS codes can also be intercepted via a compromised mail server or rerouted to a cyber actor’s fake cellular tower.

So which authentication method will finally render the password obsolete?

None of these solutions can work in isolation.

Like textual passwords, all of these methods have their own flaws, and can be dangerous when used as a single solution.

Evidently, all passwordless authentication methods still depend on passwords to act as gatekeeper to some degree. While the password seems undying, with improvements in AI and machine learning driving biometrics and behavioural pattern recognition forward, we might see massive changes in user reliance on passwords in the very near future.

When considering the implementation of passwordless authentication within your enterprise, recognise that each workplace demands a dynamic and layered solution.

Password managers and security awareness

For now, IT security professionals recommend layering passwordless solutions or IAM in conjunction with increased awareness of good security practices. Poor user motivation can be a serious detriment to any organisation’s security processes, so a cybersecurity culture should be encouraged. To develop and enforce security awareness, consider implementing IAM tools such as risk-based authentication, as these technologies continuously verify good user behaviour. Intuitive, streamlined methods like biometrics make passwordless adoption convenient and are consequently more enticing to use effectively.

Password managers are also championed by IT security professionals as an added trusted system that enables user convenience. While they are password-centric in use, they are still a highly convenient way to secure credentials in combination with another solution.

Overall, end users should collaborate with administrators to protect and manage their digital identities. The onus of managing hordes of digital identities needs to shift into IAM to optimise the management of user identities.

IAM allows for this shift of trust onto systems rather than individuals, and the added measure of freedom present in passwordless authentication methods can be very advantageous in helping end users secure a system and increase productivity.

For more information please contact our cybersecurity professionals today.