7 minute read time

The State of Passwordless Authentication

by   in Cybersecurity

As we know from Verizon’s annual DBIR report, by far, the go-to strategy for attacking secured information is through compromised credentials. Without compromised credentials, most attacks can’t get off the ground. It’s in this context that I suggest that strong identity verification is the heart of access security. It’s also noteworthy to observe that breach rates have remained constant despite the billions of dollars spent on security credentials. Although malfeasant attackers continue evolving their approaches in a cat-and-mouse game between bad actors and the organizations they target, not much has changed this past decade. 

Although this approach misses all sorts of breach trends seen throughout this past decade, it does demonstrate how dependent malfeasant outsiders are on hacked credentials to execute their cyber-attack.

2012 DBIR

2022 DBIR

98% of attacks originated from outsiders. The top perpetrators were organized crime and activists.

95% of attacks originate from outsiders, but a third of them came through infrastructure shared with a partner. These were most common where the target organization was well fortified, but their partners were not. 

81% of breaches involved hacking, 69% malware. This stat represents the use of various specialized tools intent on stealing records. These tools largely depend on successfully compromising authentication.

76% of breaches depend on hacking, with 40% of them involving malware. A notable change is that 12% of the malware is used within a partner’s infrastructure as the approach to compromise the target.

In both reports, the predominant phishing approach is to gain access to credentials or to introduce malware that can deliver a backdoor through open session.

Passwords Getting Long in the Tooth

According to Techradar, the average internet user has over a hundred sets of credentials that they keep track of. When you think of all the types of eCommerce and cloud services that people commonly consume, I wonder if that is actually low? I personally consume maintain over seven times that. While I have places where I make frequent purchases, I also have a significant set of sites where I make periodic ones. I have a set of cloud services that I use as a professional and another set that I use in my personal life, not to mention the various media types and sources that I also consume. It’s not that hard to find yourself with a mountain of credentials, all of which breed bad behavior, such as :

  • Using credentials that are easy to remember, like notable others, which are easier to crack – 30% of internet users have admitted to experiencing a breach from a guessable password (password statistics).
  • Sharing credentials with others who may need access to a service – 43% of US adults have shared a password with someone (Google, Harris Poll).
  • Sharing credentials across platforms, including work – 2/3 have admitted to using a personal password for work with 13% using the same password on every platform Google, Harris Poll).

So, while the organizations are faced with managing increased risk from sourcing their services across public clouds, they have the added complexity of accounting for those services being consumed by remote users. The same users are also interacting with a breadth of eCommerce and cloud services, introducing all sorts of bad credential habits crossing into the organization.     

State of Passwordless

While the use of passwordless technology today is by far applied to two-factor and multifactor scenarios, organizations are increasingly seeing value in adding it to single-factor scenarios as well. These scenarios are situations where business owners want a higher level of security than what passwords can provide, but also want to avoid imposing more friction by requiring another factor. Users of passwordless authentication no longer need to devise their favorite mental tricks to keep track of their different credentials. For me, while I try to use my browser's password manager as much as possible, there are occasions when it's missing the site's credential and I have to sort through my credential file to retrieve it. If I'm using someone else's device, I'm pretty much dead in the water. So while single-factor, passwordless authentication is more secure than passwords, for all the reasons discussed in the previous section, it removes the impetus for bad credential behavior.

You will encounter few things in life as durable as passwords. Despite 30 years of visionaries forecasting its demise, the fact that passwords are cheap and easy to implement ensures their continued use. But there is an identity verification choice that fits between simple passwords and multifactor authentication, and that's single-factor passwordless. And unlike most multifactor implementations, it removes the need for the user to remember a password. This advantage is the reason that single-factor passwordless is picking up steam and gaining real traction.

My first use of single-factor authentication was clear back in 2015 with Yahoo, who, just a year earlier, had suffered the largest breach in history. It would be another year before Yahoo disclosed their breach as part of their sale to Verizon, which would cost them almost $1B in valuation. But the account key option that Yahoo introduced shortly after the breach was slick. It just requires your smartphone. Yahoo had long provided an option for 2FA, but now they offered a third variation. In the previous few years, I had been a victim where one of my online services was compromised. Since I shared credentials, other platforms were affected at the same time. Invariably, these service companies don't announce that they've been hacked until longer after it's useful to their customers.

A few years ago, Microsoft added a third option to authentication (security key), just like Yahoo's. Since my passwordless experience with Yahoo went so well, I immediately configured my Microsoft account to be passwordless (not 2FA) passwordless as well. Passwordless can't be phished or socially engineered. My resistance to MFA for these services is that you still need to remember your traditional credentials and the hassle of going through an extra step. I'm also using both Google's and eBay's security keys as single-factor authentication. I'm sure there are a lot of other large cloud service vendors offering the same.

While large service vendors have recently given passwordless authentication a big boost, it's FIDO 2 that is taking it to the next level of adoption. FIDO 2 is a product of the FIDO Alliance, which enjoys broad participation from an ecosystem of large and small vendors. NetIQ (Authasas at the time) Advanced Authentication was one of the earliest solutions to adopt FIDO support back in 2014. FIDO interfaces are available that support both smartphone and physical security key adoption. FIDO provides the critical mass needed to create a sustainable application and device manufacturer's market. Physical security keys range from simple USB devices that require a touch to confirm authentication to ones with built-in fingerprint readers (technically 2FA but just as simple as single-factor). The FIDO-based passwordless authentication grew to a $1.7B market this past year, and adoption is forecasted at 18% CAGR through 2028.

After eight years of use, I prefer smartphone-based security keys. As someone predisposed to losing things, having one less item to keep track of is a gift. While it's true that many people add their FIDO security key to their key ring (not to be confused with Apple's Keychain), I don't keep mine close by all the time, and they're too bulky. And rather than having "yet another" thing to keep with me, my is something that I already keep close. After experiencing the ease and security of passwordless authentication, I always keep an eye out for opportunities to move away from traditional credentials.

Incorporating Passwordless into Your Organization

This past decade we’ve seen government mandates drive the multifactor adoption.  As various departments deploy their multifactor solutions, too often organizations find themselves with a bunch of siloed implementations. These siloes raise your administration overhead and introduce uneven authentication policies across your environment. So, whether you’re using passwordless technologies to deliver multifactor authentication or are moving away from traditional credentials to a passwordless environment, at some point it will be clear that you need a central point of integration and administration. It’s these situations where NetIQ Advanced Authentication’s framework shine. The framework provides a standards-based approach focused on being the integration point for virtually any authentication type or devices that you want to use, as well as any service that you want to protect.

Check out Richard Cabana’s Advanced Authentication’s demo as well as its playlist found on the NetIQ Unplugged channel.

Labels:

Identity & Access Mgmt