Passwordless authentication isn’t the problem, the myths around the technology are
Debunking myths about passwordless authentication and security
Most online applications today require a password. According to recent research, the average person must juggle 168 passwords.
For many online users, remembering and resetting these is a recurring annoyance.
So, while passwords have become the norm, they’re neither the most secure nor the most practical option.
Martin Lee is Technical Lead, Security Research for EMEA at Cisco Talos.
The reality is that passwords don’t last as long as they used to and they have become easy for adversaries to subvert.
Password fatigue means many users reuse and recycle their passwords, typically making small changes to already weak credentials.
This leaves online users vulnerable to password-related attacks, such as credential stuffing, phishing or push-bombing attacks.
Thankfully, a better alternative exists: passwordless authentication. Passwordless lets you prove who you are without typing a password. Instead, it uses methods such as your fingerprint, face, or a security key on a device.
Not only does that ease the sign-in process, but it also makes it more difficult for attackers to fake. Despite its benefits, however, myths about passwordless authentication continue to persist.
Replacing myths with facts
The first common myth about a passwordless approach is the assumption that it is less secure than multi-factor authentication (MFA).
Many believe doing away with a password means skipping an important layer of protection. In reality, a passwordless approach is MFA, but in a slightly different way.
Traditional MFA relies on something you have, such as a mobile device, and something you know, like a password. Passwordless authentication combines the ‘something you know’ element with something you are, for example facial recognition or a fingerprint.
Removing the need for a password results in a frictionless login experience, and significantly reduces risks for users, and for the platforms and enterprise applications they are accessing.
This makes it nearly impossible for attackers to steal or fake a login, as they would need to guess the correct PIN and also have access to biometric data.
A secondary benefit of passwordless authentication is also the reduced burden on IT teams to resolve password-related incidents.
Considering U.S.-based organizations allocate over $1 million for password-related support costs, adopting passwordless authentication could free up significant time and budget for more complex projects.
A password is not a PIN
Another common myth about passwordless authentication is that a PIN has the same points of security failure as a password. That’s not true. A PIN may look like a password, but it doesn’t work in the same way.
Password data is typically sent over the internet and often stored on a company server, exposing user credentials to external adversaries.
On the other hand, a PIN is used to unlock a device locally, meaning there is nothing for attackers to access remotely. Not only would an attacker have to physically possess a device to even attempt to access it, but even if a device is stolen, a PIN can only be entered incorrectly so many times before the device is locked.
This makes PIN access far more secure than passwords, and, combined with biometric data, it lets users feel confident that their device is very unlikely to be compromised.
Passwords safer than biometrics?
A third common myth is the idea that passwords are inherently safer than biometrics. This myth was born out of the early days of biometrics, when the technology was still in its infancy and headlines reported devices being fooled by fake faces or fingerprints.
Thankfully, those days are behind us, and many of the flaws associated with biometrics have been resolved. Today’s systems use features such as 3D mapping, infrared light and “liveness” detection to make spoofing extremely difficult.
Much like a PIN, biometrics work locally. When a user attempts to authenticate via biometrics, they unlock a private key stored on a device. That key never leaves the device it is stored on, nor can it be transferred to another device or site.
This makes biometrics safe from remote access and attacks, and means attackers would have to possess a device and coerce its owner into unlocking it to access any data.
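The two sections above (the PIN that only unlocks a device locally and locks out after repeated wrong entries, and the biometric that unlocks a private key that never leaves the device) describe one mechanism: a challenge-response login in which the server stores only a public key. The following Go program is an added example written for this page, not code from the article or from Cisco Talos; it models the authenticator and the server as two structs, with the user name "alice", the PIN "4921", the 32-byte random challenge and the three-attempt lockout all constructed here for illustration. The PIN check is a plain in-memory comparison standing in for the hardware-enforced check on a real device.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

var (
	ErrLocked   = errors.New("authenticator locked: too many incorrect PIN attempts")
	ErrWrongPIN = errors.New("incorrect PIN")
)

// Authenticator models the user's device. The private key and the PIN are
// fields here and are never returned by any method: the only thing that
// leaves the device is a signature over the server's challenge.
type Authenticator struct {
	priv        ed25519.PrivateKey
	pin         string
	failedTries int
	maxTries    int
}

// NewAuthenticator generates a device-bound key pair and hands back only the
// public half, which is all the server ever needs to store.
func NewAuthenticator(pin string, maxTries int) (*Authenticator, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv, pin: pin, maxTries: maxTries}, pub, nil
}

// Locked reports whether the local retry limit has been exhausted.
func (a *Authenticator) Locked() bool { return a.failedTries >= a.maxTries }

// Sign checks the PIN locally and, if it is correct, signs the challenge.
// Wrong guesses are counted on the device itself, so an attacker who lacks
// physical possession gets no attempts at all, and one who has the device
// gets only maxTries before the key becomes unusable.
func (a *Authenticator) Sign(pin string, challenge []byte) ([]byte, error) {
	if a.Locked() {
		return nil, ErrLocked
	}
	if subtle.ConstantTimeCompare([]byte(pin), []byte(a.pin)) != 1 {
		a.failedTries++
		if a.Locked() {
			return nil, ErrLocked
		}
		return nil, ErrWrongPIN
	}
	a.failedTries = 0
	return ed25519.Sign(a.priv, challenge), nil
}

// RelyingParty models the server. Note what a breach of this struct yields:
// public keys and one-time nonces, neither of which lets anyone log in.
type RelyingParty struct {
	users      map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{users: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register stores the public key presented at enrolment.
func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) { rp.users[user] = pub }

// Challenge issues a fresh random nonce for the user to sign.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	if _, ok := rp.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[user] = c
	return c, nil
}

// Verify checks the signature against the stored public key and consumes the
// challenge, so a signature captured in transit cannot be replayed.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	pub, ok := rp.users[user]
	c, okc := rp.challenges[user]
	if !ok || !okc {
		return false
	}
	delete(rp.challenges, user)
	return ed25519.Verify(pub, c, sig)
}

func main() {
	rp := NewRelyingParty()
	auth, pub, err := NewAuthenticator("4921", 3) // constructed PIN and retry limit
	if err != nil {
		panic(err)
	}
	rp.Register("alice", pub)
	c, _ := rp.Challenge("alice")
	sig, _ := auth.Sign("4921", c)
	fmt.Println("login accepted:", rp.Verify("alice", sig))
	fmt.Println("replay accepted:", rp.Verify("alice", sig))
	c, _ = rp.Challenge("alice")
	for i := 0; i < 3; i++ {
		_, err = auth.Sign("0000", c)
	}
	fmt.Println("after three wrong PINs:", err)
}
```

The design point is what crosses the network: a random challenge goes out, a signature comes back, and the PIN and private key stay inside the `Authenticator`. Compare that with a password scheme, where the secret itself is transmitted and stored server-side and is therefore what a breach or a phishing page collects.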
Passwordless: the key to frictionless sign-in experience
As with every new technology cycle or advancement, passwordless authentication is subject to myths and skepticism. For many organizations, passwordless is an important building block towards a zero-trust security strategy.
It can help organizations, both big and small, establish a single, strong user identity and trust, and can significantly transform the sign-in experience for customers.
But adopting passwordless authentication doesn’t happen overnight, and while the promise of better user experience, reduced IT time and cost, and stronger security posture seem like the ideal trifecta, organizations need to think carefully about how it is implemented.
Establishing a clear understanding of an organization’s application landscape is an important starting point—thinking about which applications need protecting. This will help IT and security teams define the prerequisites for getting to a fully fledged zero-trust strategy.
From there, IT teams should think about adopting a piecemeal approach with pilot deployments of passwordless authentication that can help iron out early issues, and address any user concerns.
Passwordless isn’t just a new, easier way to log in; it has the ability to transform an organization's security credentials and its journey towards zero-trust. Taking the passwordless plunge is the first step towards the future of authentication.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro