In the digital world, passwords are akin to house keys. Yet many of us use simple and predictable passwords across our digital accounts and devices.
Case in point: The three most common passwords globally last year were “password”, “123456”, and “123456789”. It is, therefore, not surprising that the FIDO Alliance found passwords to be the root cause of 80% of data breaches.
Password attacks are on the rise. “Password authentication is still prone to various cyber attacks such as brute force attacks, phishing, dictionary attacks and credential stuffing. Last year, Microsoft Security’s technology blocked more than 900 brute force password theft attempts every second, and password spray attacks are still increasing,” reveals Microsoft Singapore chief security officer Dennis Chung.
Stuart Wells, chief technology officer at digital identity verification provider Jumio Corporation, agrees: “Cybercriminals are getting better at disguising themselves as trustworthy entities to obtain sensitive information and becoming more sophisticated with their attacks to figure out new ways to phish user credentials. For example, while the typical strategy would be emails or text messages that link to fake login pages, a method that is on the rise involves a link that automatically installs malware that tracks the user’s activity and their keystrokes to reveal sensitive information, unbeknownst to the user.”
A common way of strengthening the security of an online account is to use one-time passwords (OTPs). While this adds an extra layer of authentication, OTPs are also vulnerable to cyberattacks. Wells explains: “[Similar to] ‘traditional’ passwords, OTPs are knowledge-based secrets that sit on a server and can be stolen from users by cybercriminals remotely. This is evident in the OCBC Bank phishing scams in 2021, where cybercriminals tricked victims into revealing their banking credentials, including OTPs, resulting in more than $13 million in losses.”
The ‘no password’ advantage
As we become increasingly dependent on online services, the FIDO Alliance believes passwordless is the future of authentication. This is why the industry association is working on changing the nature of authentication with open standards that are more secure, more straightforward for consumers, and easier for service providers to deploy and manage.
“Instead of relying on knowledge-based authentication such as passwords and OTPs, users can authenticate themselves through simple yet stronger verification methods such as on-device biometrics, security keys or security tokens that leverage public key cryptography in user-friendly formats. This can be as easy as using a smartphone’s biometrics or pressing a security key. Users no longer need to remember complex passwords for different accounts — ending password reuse and offering excellent convenience for everyone,” says Andrew Shikiar, FIDO Alliance’s executive director.
Biometrics and security tokens are generally considered more secure than passwords as they are unique to the user, says Ben Goodman, senior vice president and general manager for Asia Pacific and Japan at Okta, an identity and access management company. Those authentication methods can prevent cyberattacks that rely on passwords, such as phishing or credential stuffing, wherein attackers use stolen usernames and passwords to gain unauthorised access to other online systems or services.
[Moreover, those methods can help protect organisations from] brute-force attacks as the threat actor cannot try multiple combinations to guess the correct authentication method, and prevent man-in-the-middle attacks as bad actors cannot intercept the authentication method and use it to gain access to the user’s account.
Ben Goodman, senior vice president and general manager for Asia Pacific and Japan, Okta
As biometrics is still considered a nascent technology, there may be concerns about its accuracy and trustworthiness. Advanced technologies such as liveness detection, adds Jumio’s Wells, can help organisations determine the user’s physical presence behind an app and even detect deep fakes.
He continues: “Such technologies have sent fraud levels plummeting as most fraudsters often abandon the process as soon as they learn that they are required to take a live selfie. It would require an unimaginable amount of investment into bleeding-edge technologies for cybercriminals to sneak past biometrics solutions successfully. Even if the investment is made, advanced liveness solutions always evolve to thwart sophisticated spoofing attempts.”
Organisations can also improve their operational efficiency with passwordless authentication methods. Maintaining password-based logins, says FIDO Alliance’s Shikiar, can be costly as lost and forgotten passwords need to be reset, introducing considerable employee downtime and expenses for organisations.
Eliminating passwords reduces operational costs associated with password recovery while maximising employee efficiency.
Andrew Shikiar, executive director, FIDO Alliance
Long way to go for APAC
According to The State of Zero Trust Security in Asia Pacific 2022 study by Okta, 0.5% of organisations in Asia Pacific have implemented passwordless access and only 10% plan to do so in the next 18 months.
Factors impeding the adoption of passwordless authentication include a shortage of skilled talent (31%), lack of stakeholder buy-in (18%) and lack of awareness of Zero Trust security solutions.
Okta’s Goodman also highlights that organisations fear jeopardising user experience if upgrades are not executed well. “With much emphasis placed on online collaboration and team dynamics today, the last thing an IT leader wants is to jeopardise the effectiveness of team members with a Zero Trust set-up that is too onerous or difficult to use.”
Similarly, OPPO Software Security director Andrew Wang believes it will take time to change users’ behaviour to embrace passwordless authentication.
Providing a seamless, easy-to-use, and user-friendly experience is still a big challenge. It is important to educate and guide users on how to authenticate from their mobile when they are using desktop browsers and how they can back up their keys across devices. All these will require a good user experience guide or standard for service providers to follow.
Andrew Wang, director, OPPO Software Security
Microsoft’s Chung notes that compatibility with legacy systems and applications might hinder the uptake of passwordless authentication in the region. “Some organisations may also prioritise other security measures, resulting in them overlooking the basic requirements for identity security and authentication, which should be a fundamental focus.”
The passwordless strategy
A best practice for implementing a passwordless strategy, says FIDO Alliance’s Shikiar, is to start with an internal pilot with a subset of users before broadening the deployment.
He continues: “Once the decision has been made to proceed, organisations should focus on implementing cryptographically secure, possession-based multi-factor authentication, which is immune to phishing and other remote attacks. Ultimately, whichever password replacement technologies organisations choose should make passwordless authentication simpler, yet more secure for users and easier for service providers to deploy and manage.”
Organisations should also adopt multi-modal biometrics for identity verification.
There are already biometric verification technologies available in the market, including facial, fingerprint, and iris recognition, each with its advantages and disadvantages. Introducing an additional level of biometric verification to the authentication process will add another layer of insulation between companies and malicious actors. Organisations in high-risk industries, such as financial services, can consider incorporating additional fraud checks and signals, including geolocation or physical and behavioural biometrics.
Stuart Wells, chief technology officer, Jumio Corporation
Still, he warns that relying on multiple solutions and scaling the systems as the business grows will increase operational resources and costs. The lack of data integration across different solutions often hinders efficiency. Companies should embrace an integrated solution to streamline identity authentication and save operational costs.
Wells adds: “They could also partner with an experienced integrated identity verification provider to unlock a full suite of online identity verification solutions that leverage liveness detection, machine learning, biometrics, and any necessary manual reviews to deliver faster and more reliable ways to verify remote users and detect online fraud. Most importantly, as these solutions do not require additional steps from the end user, they pave the way for a smooth onboarding process and a frictionless customer experience.”
Organisations should also ensure they can protect their security keys if they embrace a passwordless authentication approach. OPPO’s Wang explains that the FIDO passwordless authentication mechanism stores the public key on the FIDO server, while the corresponding private key is kept in the user’s operating system, browser or device.
If the end-user is attacked by phishing emails, hackers will not be able to reach the FIDO private key stored locally, and the attack will not be successful. Keeping the private key safe is crucial, just like a blockchain wallet.
He continues: “We will need a secure place to store the private key and a trusted environment to sign with the private key. This calls for devices to provide secure storage and an environment to use the key safely. On Android devices, those things are usually kept within the Trusted Execution Environment, which keeps the private key within the vault without leaking it to Android. We can use hardware-based protection solutions like Secure Enclave Processor if we need more high-level security.
“[Moreover, it is important to note that] FIDO enhances the security during authentications. Following the initial authentication, organisations still need to pay attention to further authentication, monitor unusual behaviour, and deploy Zero Trust solutions. This will include ensuring the system checks the user’s identity every time confidential information is accessed, even after the initial verification of the user’s identity.”
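As an added illustration of the mechanism Wang describes (this is example code written for this page, not code from OPPO, the FIDO Alliance or the article), the Go program below models the two halves of a FIDO login: a device that holds the private key and will only sign for the relying-party ID its credential was registered for, and a server that holds nothing but the public key and checks the challenge it issued, the origin the browser reports and the signature. The type names, the example.com and examp1e.com domains, and the simplified signed message are assumptions made for this example; real WebAuthn signs the authenticator data together with a hash of the client data JSON.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// ClientData is what the browser attaches to a login: the server's challenge
// and the origin the page was really loaded from. Page scripts cannot alter it.
type ClientData struct {
	Challenge []byte
	Origin    string
}

// Assertion is what the device returns and the server verifies.
type Assertion struct {
	Client    ClientData
	Signature []byte
}

// message is the byte string the device signs. This simplified encoding (an
// assumption for this example) binds rpID, origin and challenge together, as
// WebAuthn does via authenticatorData || SHA-256(clientDataJSON).
func message(rpID string, cd ClientData) []byte {
	return append([]byte(rpID+"\x00"+cd.Origin+"\x00"), cd.Challenge...)
}

// Authenticator models the user's device: private keys never leave it, and each
// credential is scoped to the relying-party ID (rpID) it was registered for.
type Authenticator struct{ creds map[string]ed25519.PrivateKey }

// Register creates a key pair for rpID and hands back only the public half.
func (a *Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only if the system RNG is broken
	}
	a.creds[rpID] = priv
	return pub
}

// Sign answers a challenge for rpID, or refuses if no credential exists for it.
func (a *Authenticator) Sign(rpID string, cd ClientData) (*Assertion, error) {
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, errors.New("no credential for this relying party")
	}
	return &Assertion{cd, ed25519.Sign(priv, message(rpID, cd))}, nil
}

// Server holds public keys and the single-use challenge issued to each user.
type Server struct {
	rpID, origin string
	users        map[string]ed25519.PublicKey
	issued       map[string][]byte
}

func (s *Server) Challenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	s.issued[user] = c
	return c
}

// Verify checks the assertion against server-side state only: the stored
// public key, the challenge the server issued and the origin it expects.
func (s *Server) Verify(user string, as *Assertion) error {
	pub, ok := s.users[user]
	if !ok {
		return errors.New("unknown user")
	}
	want, issued := s.issued[user]
	delete(s.issued, user) // consumed on first use, so a replayed assertion fails
	switch {
	case !issued || !bytes.Equal(as.Client.Challenge, want):
		return errors.New("challenge mismatch or replay")
	case as.Client.Origin != s.origin:
		return errors.New("origin mismatch: assertion was produced on another site")
	case !ed25519.Verify(pub, message(s.rpID, as.Client), as.Signature):
		return errors.New("bad signature")
	}
	return nil
}

// RunScenario plays a genuine login, a replay of it, a look-alike phishing
// domain and a relayed challenge, and reports which the server accepted.
func RunScenario() map[string]bool {
	auth := &Authenticator{creds: map[string]ed25519.PrivateKey{}}
	srv := &Server{"example.com", "https://example.com", map[string]ed25519.PublicKey{}, map[string][]byte{}}
	srv.users["alice"] = auth.Register("example.com") // registration sends the public key only
	r := map[string]bool{}
	as, _ := auth.Sign("example.com", ClientData{srv.Challenge("alice"), "https://example.com"})
	r["genuine login"] = srv.Verify("alice", as) == nil
	r["replay"] = srv.Verify("alice", as) == nil
	// Phishing page on examp1e.com: the browser scopes the request to that
	// page's own rpID, for which the device holds no credential at all.
	_, err := auth.Sign("examp1e.com", ClientData{[]byte("attacker challenge"), "https://examp1e.com"})
	r["lookalike site got assertion"] = err == nil
	// Relay: the phishing page forwards the real challenge, but the browser
	// records the origin the user actually visited (simulated by calling Sign).
	as2, _ := auth.Sign("example.com", ClientData{srv.Challenge("alice"), "https://examp1e.com"})
	r["relayed assertion"] = srv.Verify("alice", as2) == nil
	return r
}

func main() { fmt.Println(RunScenario()) }
```

Running it with `go run` prints a map in which only “genuine login” is true: the replayed assertion fails on the single-use challenge, the look-alike site never obtains a signature because the device has no credential for that relying party, and the relayed assertion fails the server’s origin check. That is the property Wang points at when he says a phishing email cannot reach the locally stored private key.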
Overcoming challenges
Okta’s Goodman says passwordless authentication is not a cure-all but one part of the overall cybersecurity apparatus that enables organisations to achieve a Zero Trust security approach: a framework that assumes every user, device and IP address accessing a resource is a threat until proven otherwise, and that requires organisations to implement rigorous security controls to verify anything attempting to connect to the corporate network.
“By adopting Zero Trust security, organisations can position themselves to overcome the challenges presented by hybrid work by adopting an identity-centric approach to network and resource access rather than relying on outdated security models based on the traditional network perimeter,” he says.
Zero Trust, adds Microsoft’s Chung, is a journey and covers many of the aspects an organisation needs for defence in depth.
For a start, Zero Trust relates to areas including identity, access management and controls, and network restrictions. Organisations can improve their posture by implementing controls on where and how credentials can be used. For example, they can set rules to require credentials when approved devices are used and connected on a secured network before granting access to systems or data.
Dennis Chung, chief security officer, Microsoft Singapore
He also recommends organisations implement an information control system to encrypt and protect what matters most to their business. “Should data be exfiltrated while under protection, organisations can perform crypto-shredding [to delete or overwrite the encryption key to the data], or render the documents useless if conditions of use are not met.”
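To make the crypto-shredding step Chung describes concrete, here is an added Go example (written for this page; not Microsoft’s code or anything from the article). Each document is encrypted under its own AES-256-GCM key that lives in a separate key store; the store releases the key only while the conditions of use hold, and destroying the key leaves any copy of the ciphertext that was exfiltrated permanently unreadable. The KeyStore type, the document ID and the sample memo text are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyStore keeps one data-encryption key per document, apart from the
// ciphertext. In production this is an HSM or cloud KMS; here it is a map.
type KeyStore struct{ keys map[string][]byte }

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only for a wrong key length, which this code controls
	}
	aead, _ := cipher.NewGCM(block)
	return aead
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a broken system RNG is fatal
	}
	return b
}

// Protect encrypts a document under a fresh AES-256-GCM key stored under
// docID. The nonce is prepended and docID is bound in as additional data.
func (ks *KeyStore) Protect(docID string, plaintext []byte) []byte {
	key := randomBytes(32)
	aead := newGCM(key)
	nonce := randomBytes(aead.NonceSize()) // fresh per message; never reuse under one key
	ks.keys[docID] = key
	return aead.Seal(nonce, nonce, plaintext, []byte(docID))
}

// Open releases the key only while the conditions of use hold and the key
// still exists; otherwise the ciphertext stays opaque to everyone.
func (ks *KeyStore) Open(docID string, ciphertext []byte, conditionsMet bool) ([]byte, error) {
	if !conditionsMet {
		return nil, errors.New("conditions of use not met: key not released")
	}
	key, ok := ks.keys[docID]
	if !ok {
		return nil, errors.New("key shredded: ciphertext is permanently unreadable")
	}
	aead := newGCM(key)
	n := aead.NonceSize()
	if len(ciphertext) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, ciphertext[:n], ciphertext[n:], []byte(docID))
}

// Shred overwrites the key and drops it from the store. The ciphertext is left
// alone: any copy that was exfiltrated is now just random-looking bytes.
func (ks *KeyStore) Shred(docID string) {
	if key, ok := ks.keys[docID]; ok {
		for i := range key {
			key[i] = 0
		}
		delete(ks.keys, docID)
	}
}

// ShredOutcome records what an exfiltrated copy yields at each stage.
type ShredOutcome struct {
	BeforeShred        string // plaintext recovered while the key existed
	BlockedByCondition bool   // decryption refused when conditions of use fail
	AfterShredErr      string // error once the key has been destroyed
	CopyIntact         bool   // the exfiltrated ciphertext itself is unchanged
}

// RunShredScenario protects a document, lets a copy of the ciphertext leak,
// then shreds the key and shows the copy can no longer be opened.
func RunShredScenario() ShredOutcome {
	ks := &KeyStore{keys: map[string][]byte{}}
	ct := ks.Protect("memo-42", []byte("Q3 acquisition memo (constructed sample)"))
	stolen := append([]byte(nil), ct...) // the copy an attacker exfiltrated

	var out ShredOutcome
	if pt, err := ks.Open("memo-42", stolen, true); err == nil {
		out.BeforeShred = string(pt)
	}
	_, err := ks.Open("memo-42", stolen, false)
	out.BlockedByCondition = err != nil

	ks.Shred("memo-42")
	if _, err := ks.Open("memo-42", stolen, true); err != nil {
		out.AfterShredErr = err.Error()
	}
	out.CopyIntact = string(stolen) == string(ct)
	return out
}

func main() { fmt.Printf("%+v\n", RunShredScenario()) }
```

The design point is that the ciphertext and the key have different custodians: the exfiltrated copy is untouched by shredding, yet once the key is zeroed and removed there is no party left who can open it. Binding the document ID as additional authenticated data also means a ciphertext cannot be quietly re-labelled as a different document and opened under that document’s key.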
Besides that, practising good cybersecurity hygiene is still vital. “While passwords are the root cause of 86% of hacking-related breaches, organisations should still adopt a robust cybersecurity posture to ensure their business is protected on all fronts. This should include training employees on best security practices like identifying and reporting suspicious activity and conducting regular vulnerability assessments to spot potential security weaknesses,” says FIDO Alliance’s Shikiar.