It’s Time To Ditch the Password In 2024
- By Jeffrey Kok, CyberArk
- January 08, 2024
We're all familiar with the dreaded prompt to reset a password every now and then. Creating new, unique passwords that meet set parameters is frustrating and tedious for many of us: they need at least eight characters, must include at least one special character, and must avoid sequential characters or dictionary words.
While this imposition on end-user experience sticks in our throats, enterprises have had little choice but to abide by it. Passwords have long been the established way to determine who can access what, including sensitive information. Indeed, simply by obtaining valid login credentials, attackers can breach defenses and stay undetected long enough to escalate their privileges and wreak havoc. Ironically, passwords and the measures aimed at protecting them aren't particularly secure anyway, despite causing end users so much grief.
To counter this, multi-factor authentication (MFA) emerged as a protective layer to stop unverified login attempts. For instance, MFA may ask users to verify themselves through a code sent to their secondary email account, phone number or an authenticator app. However, if nothing else, cybercriminals are a wily bunch who are armed to the teeth as the rewards when they succeed are so lucrative.
Nowadays, many threat actors are advanced enough to bypass MFA protections, from stealing browser cookies and one-time passwords (OTPs) to employing social engineering or MFA fatigue attacks. This brings the conversation back to passwords being the weak link in the security chain.
Passwordless authentication is the future
In a recent advisory, the Monetary Authority of Singapore (MAS) urged financial organizations to strengthen MFA with "passwordless" identity verification, citing mobile malware and Generative AI risks. This stood out as it raised the issue of ditching passwords altogether. A couple of benefits are a better user experience with authentication and, more importantly, no password credentials at risk of being stolen.
While not exactly new, passwordless authentication has only recently started gaining traction. It can use a range of means to validate users: a QR code displayed on the login page, a one-time code sent via SMS, or a physical security key such as a USB token.
A good way to think about passwordless authentication is that it relies on the same principle as digital certificates, which use public and private keys. The private key resides on the user's device, while the public key is like a padlock on the applications the user wants to log in to.
What makes this more secure is that the public key can only verify a signature produced with the matching private key; it cannot be used to create one. Even the user logging in never knows or handles the 'code' that opens the padlock.
This significantly reduces the risk of the credential falling into the wrong hands. Passwordless authentication also reduces IT overhead, freeing up the resources currently spent helping end users with account unlocks and password resets.
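As an added illustration (not code from the article or from CyberArk), the following Go program sketches the padlock-and-key principle described above: the application stores only a public key, the device keeps the private key, and each login signs a fresh random challenge. The in-memory registry, the user name and the helper names are assumptions for the example; a real deployment would use a passkey implementation rather than this sketch.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Registry stands in for the application's stored "padlocks": one public key
// per user ID. No secret is held here, so stealing it yields nothing usable.
type Registry map[string]ed25519.PublicKey

// Device stands in for the user's device; the private key is created here and
// never leaves it, and the user never sees or types it.
type Device struct{ priv ed25519.PrivateKey }

// Enroll generates a key pair on the device and registers only the public half.
func Enroll(reg Registry, user string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	reg[user] = pub
	return &Device{priv: priv}, nil
}

// NewChallenge returns a fresh random nonce for one login attempt. Signing it
// proves possession of the private key, and a captured signature cannot be
// replayed because the next challenge differs.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Sign answers the challenge with the device's private key.
func (d *Device) Sign(challenge []byte) []byte { return ed25519.Sign(d.priv, challenge) }

// Verify checks the response against the stored public key for that user.
func Verify(reg Registry, user string, challenge, sig []byte) bool {
	pub, ok := reg[user]
	return ok && ed25519.Verify(pub, challenge, sig)
}

func main() {
	reg := Registry{}
	dev, _ := Enroll(reg, "alice") // constructed sample user
	ch, _ := NewChallenge()
	sig := dev.Sign(ch)
	fmt.Println("genuine device:", Verify(reg, "alice", ch, sig)) // true
	next, _ := NewChallenge()
	fmt.Println("replayed signature:", Verify(reg, "alice", next, sig)) // false
}
```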
Laying the foundations
However, passwordless technology is not a one-size-fits-all solution. Organizations must identify their unique requirements for their own passwordless authentication journey. Furthermore, going passwordless isn't something that can be done with the flip of a switch, because legacy systems remain prevalent in Singapore and the rest of the world. These systems are deeply entrenched in IT infrastructure and require passwords to verify users. To that end, Identity and Access Management (IAM) platforms will facilitate the transition to a passwordless world, provided they enable the following:
- Zero sign-on (ZSO) - An essential building block of a passwordless solution, ZSO leverages strong cryptographic standards that use contextual information, such as device information, to authenticate user IDs. Combined with other tailored passwordless authentication factors, ZSO positions organizations to enhance usability and security. For instance, logging in becomes more seamless as users are freed from additional authentication once their devices are verified and meet security posture requirements.
- VPN and VPN-less secure remote access - With remote work becoming more entrenched, enabling employees to use a virtual private network (VPN) or VPN-less secure remote access technology to access the corporate network with adaptive MFA is recommended. This allows frictionless and secure remote access to the corporate network while enabling continuous evaluation via contextual and risk analytics.
- Self-service passwordless authenticator replacement - A true passwordless experience empowers users to self-enroll, as well as replace passwordless authenticators through the use of passkeys, which reduce the attack surface and minimize credential theft. Users should have the appropriate security controls, along with a wide variety of alternative passwordless authenticators to choose from. This will prove useful if a user loses their device, for example, as they can replace the passwordless authenticator factor with other appropriate security controls.
Passwordless authentication is gaining momentum, especially with major technology companies like Google, Apple, and Microsoft integrating passkey technologies into their systems. In 2024, organizations planning or preparing for passwordless projects will likely initiate pilots and projects to adopt this more secure authentication method. Passwordless authentication eliminates the vulnerabilities associated with traditional passwords.
Employing the right strategy
With the rise of cyberattacks and scams, users face MFA fatigue: they become disenchanted with the repeated effort of authenticating their credentials. Furthermore, the rise of MFA circumvention techniques such as social engineering and malware theft of one-time passwords (OTPs) underscores the need to eliminate passwords.
However, going passwordless is no small task, especially when dealing with thousands of users, countless applications, hybrid and multi-cloud environments, and complex login flows. Achieving an entirely passwordless environment involves a phased approach as technology evolves and user adoption increases. Just like any security-related undertaking, this will require strategic planning, and leadership must take the reins in identifying:
- Use cases most suited for passwordless authentication
- The riskiest users in the organization
- Passwordless factors that bridge security and convenience
- Steps to pilot and scale password elimination with no disruption or introduction of additional risk
Business leaders can navigate these considerations through the expertise of vendors who ensure a disciplined, organization-wide adoption that includes continued education. Organizations should focus on IAM providers' credentials by scrutinizing their vision of passwordless authentication—including what innovations and intellectual property protections they have.
That being said, passwordless authentication is but one piece of the enterprise security jigsaw. Keeping out threats still rests on seamlessly securing human and machine identities to ensure that organizations remain secure as attackers become more sophisticated.
The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends. Image credit: iStockphoto/Francisco Javier Ortiz Marzo
Jeffrey Kok, CyberArk
Jeffrey Kok is the vice president of solution engineers for APJ at CyberArk.