Despite increases in cybersecurity spending, stricter regulations, and awareness education and training, cyberattacks continue their upward trajectory. In 2021 alone, there was a 125% increase in incident volume year-over-year. Password credential attacks represented the most successful method for gaining unauthorized access. According to the Verizon 2021 Data Breach Investigations Report, 61% of breaches involve compromised credentials.
Passwords are also frustrating, especially when attempting to comply with well-intended, but complicated, password policies that require ever-more complexity and frequency of password changes. While this produces a marginal increase in security, it causes passwords to become even more difficult to remember and type. A recent LastPass study found that 65% of people reuse passwords across accounts. Newer authentication technologies that remove passwords from the process promise to solve these challenges. But is passwordless authentication safe?
In order to answer this question fully, we review some terminology and background.
What passwordless authentication actually is seems like a straightforward question, but as with so many topics, the answer depends on who you ask. At its most basic, passwordless authentication is the elimination of passwords from the authentication process. Note that the emphasis is on the authentication process, not the login method. There is a significant difference between completely removing the password from the end-to-end login process and simply automating that process for the sake of convenience, for example by forwarding credentials from a vault (known as “password store and forward”). While the user experience may look like a biometric login, the backend application is still validating a password.
To complicate things further, not all passwordless authentication is multi-factor. Multi-factor authentication (MFA) reduces risk by requiring users to provide at least two independent authentication factors: something you know (e.g. a password, pattern or security question), something you hold (e.g. a cryptographic token, OTP code or out-of-band device) and something you are (e.g. a fingerprint or facial recognition). MFA denies an attacker access to a secure system even after they have successfully compromised a single credential or authentication factor.
Passwordless authenticators, such as hardware security keys, may use single- or multi-factor authentication methods. Depending on the specific protocol, a security key may require only that the key be present in a USB slot and that the user touch it. For this reason security keys are commonly combined with a password to enforce multi-factor authentication, but requiring a password along with the key means the resulting process is no longer passwordless. Therefore, to answer “is passwordless authentication safe?” you need to know whether the solution in question is single- or multi-factor and which authentication methods it uses.
To achieve truly passwordless MFA, the login process must include two or more authentication methods, and it must completely eliminate any dependency on shared secrets.
Done right, implementing passwordless authentication is neither disruptive nor traumatic to users, and it will significantly improve your overall security posture by eliminating the attack vectors associated with shared secrets.
Password-dependent authentication methods expose the entire organization to risk that extends far beyond individual user data. It is commonly accepted that passwords are easily exploitable by attackers, and that people reuse passwords across accounts. As a result, credentials are the primary target of many cyberattacks, including phishing, keylogging and other malware, and social engineering. Removing passwords altogether reduces the value to attackers of targeting your employees and customers.
Removing passwords inherently increases the overall productivity of users, so that they are able to focus on contributing to your core business directives. Staff being required to change passwords regularly, frustration with multi-step login procedures, and admins spending time on monitoring password hygiene and frequent password resets have a cumulative impact on productivity. In the 2022 State of Passwordless Security report we found that nearly half of IT and security experts named poor user experience as an obstacle to deploying MFA in their organization. Moving to passwordless authentication eliminates these issues.
One of the most damaging consequences of a data breach comes from attackers gaining access to internal lists of passwords that can then be used in future attacks. Even if an organization protects stored passwords with salting and hashing, modern processing power means that most obfuscated credentials can be cracked easily. Besides the immediate security implications, breaches can lead to long-term loss of trust and confidence in your business.
The large-scale move to work from home over the past two years now appears to be here to stay. This has created major challenges in securing remote workers, with employees logging into corporate resources from insecure home networks, using unsecured devices and installing unvetted apps. Moreover, Remote Desktop Protocol (RDP) attacks are at an all-time high. Full-featured passwordless authentication solutions let remote workers securely log in to applications, desktops, VPNs, gateways and other remote access points.
We’ve said it before but it bears repeating: not all passwordless authentication is created equal. The biggest determinant of the security of a passwordless authentication solution is the verifying factors it uses and its back-end processes.
Many solutions that call themselves passwordless are just concealed passwords, dressed up and combined with added steps. Removing the inherent weakness of passwords should mean doing exactly that: getting rid of a shared knowledge factor that a user has to remember and that is stored, in some form, on a server or in the cloud to be verified. This misleading nomenclature causes resistance and hesitation that impedes the adoption of passwordless MFA technology and the security improvements that it delivers.
One-time passwords (OTPs) are the codes sent by email or SMS to confirm that the user controls the device linked to their account. While intended to fulfill the “something the user owns” factor of MFA, the result is still a password, which cyberattackers, unfortunately, have been very quick and effective at exploiting. SIM-swapping, man-in-the-middle and social engineering attacks have proven highly successful at stealing these OTPs and continuing account compromise efforts. In fact, automated hacking kits designed to bypass these factors are readily available on the black market. There are also many authenticator apps that generate OTPs on mobile devices; these mechanisms typically depend on a shared secret (seed) held by both the app and the server that verifies the codes.
While any MFA or passwordless authentication is an improvement over using basic password login, if it relies on shared secrets that hackers can steal, you still face considerable risk. The strongest, lowest-friction passwordless authentication is based on FIDO (Fast IDentity Online) guidelines. FIDO is a set of security and interoperability standards that leverages public key cryptography and robust identity verifiers to ensure security and broad-based usability.
FIDO2 supports biometric as well as other phishing-resistant MFA verifiers, securely authenticating individuals without passwords. It is considered the gold standard for authentication by the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) as well as the Office of Management and Budget (OMB).
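To make the public-key property concrete, the following is an added example (not HYPR's code and not a FIDO reference implementation) that models a FIDO2/WebAuthn-style assertion in Go: the server stores only a public key, and each signature binds a fresh random challenge to the relying-party ID (rpID) the client actually saw, so a signature obtained by a look-alike site (the constructed "bank-example.phish" below) fails verification and nothing in the server's database can be replayed or cracked. The rpID strings and the two-hash layout are simplifications of the real authenticator-data format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator holds the private key, which never leaves the user's device.
type Authenticator struct{ key *ecdsa.PrivateKey }
// Server stores only the public key: a breach of its database yields nothing to replay or crack.
type Server struct {
	rpID string
	pub  *ecdsa.PublicKey
}
// Register mimics FIDO2 registration: the relying party receives only the public half of a new key pair.
func Register(rpID string) (*Authenticator, *Server, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{key: key}, &Server{rpID: rpID, pub: &key.PublicKey}, nil
}

// signedData binds the challenge to the origin the client actually saw, which is what defeats phishing.
func signedData(rpID string, challenge []byte) []byte {
	rpHash, chHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(challenge)
	digest := sha256.Sum256(append(rpHash[:], chHash[:]...))
	return digest[:]
}

// Sign is the authenticator's assertion for the origin the browser observed.
func (a *Authenticator) Sign(seenRPID string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.key, signedData(seenRPID, challenge))
}

// Verify accepts only an assertion made for this server's rpID and this exact challenge.
func (s *Server) Verify(challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(s.pub, signedData(s.rpID, challenge), sig)
}

func main() {
	auth, srv, _ := Register("bank.example")
	ch := make([]byte, 32) // fresh random challenge per login attempt
	rand.Read(ch)
	sig, _ := auth.Sign("bank.example", ch)       // genuine login
	bad, _ := auth.Sign("bank-example.phish", ch) // same key, wrong origin
	fmt.Println(srv.Verify(ch, sig), srv.Verify(ch, bad)) // prints: true false
}
```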
HYPR’s True Passwordless™ MFA technology utilizes the biometric mechanisms and secure hardware elements on a user’s smart device, along with rigorous cryptographic protocols, to turn an ordinary smartphone into a secure FIDO authenticator.
HYPR reduces your attack surface while delivering a seamless, zero-friction authentication flow, from desktop to the cloud, including remote access points. It offers a secure offline access mode using device-stored PINs, where there is no shared secret residing on a server or in the cloud that can be exploited.
Learn more about HYPR, or get a demo to see for yourself.