Going passwordless: Future-proofing your digital identity
By Dr. Mohamed Lazzouni
This article first appeared on Security Magazine.
In early 2021, a list of leaked passwords was found on a popular hacker forum. Dubbed RockYou2021, the list contained 8.4 billion passwords, a shockingly high number considering it is almost double the total number of active internet users around the globe [1]. To put the significance of this into further context, the Chief Executive Officer of Colonial Pipeline testified this June that the massive cyberattack that took place against the company was caused by the theft of one single password [2]. Since the company’s system did not have a multifactor authentication solution in place, the hackers were able to access the company’s critical assets using the password alone, paralyzing transportation across the United States’ eastern seaboard.
The publication of the compromised password list combined with the Colonial Pipeline attack brings to light the increasing and troubling issues regarding the impact of cyberattacks on people and critical infrastructure. It also suggests that passwords alone are not sufficiently reliable to secure authentication. Hackers and malicious actors have become highly effective at stealing passwords, with phishing and social engineering attacks on the rise globally. These trends are increasingly making it clear that passwords need to be strengthened by other methods.
In this article we will delve further into the many risks to today’s digital identity solutions beyond those described above. We will also review the benefits of passwordless alternatives that use biometrics, and ultimately where the future of identity security could be heading in the long term.
The Recurring Risks of Passwords
Passwords are critical to the security of managing access and use of a variety of vital services. They are equally critical for personal and business users. But with passwords come a number of risks and challenges that are becoming increasingly problematic and impactful.
Security:
As evidenced by the RockYou2021 discovery, passwords can be guessed, stolen or compromised. Hackers could be in possession of your passwords without any evidence of their theft, opening the door for future attacks. Solutions such as two-factor authentication, which sends a text message or email to a trusted phone number or address, help by providing additional security. However, many authentication workflows do not take advantage of multi-factor authentication and so do not provide this added protection to consumers and businesses.
Can be Stolen:
The RockYou2021 list contained over 8 billion passwords, demonstrating that hackers are getting increasingly effective at obtaining secure, confidential and privileged information illegally. More password lists undoubtedly exist. Social engineering, phishing, data mining, malware, and several other methods are used to illegally obtain passwords and use them to commit other crimes.
Increased Friction:
Methods used to strengthen passwords have become increasingly frustrating to use and remember. With so many applications requiring a variety of authentication protocols, users are subjected to different requirements which seem to be in constant flux.
Inefficient and Costly:
Password resets are known to be a costly proposition for businesses and a frustrating experience for end users.
Exploring Alternatives: Passwordless Authentication
What is passwordless authentication? Passwordless authentication describes a variety of methods used to verify and authenticate a user without relying on passwords.
Authentication requirements based on items or factors the user uniquely possesses could come in the form of a uniquely registered mobile device, a hardware token, or a one-time password generator. In each of these cases, the user has a unique device or authentication tool that provides access.
Another passwordless authentication method involves factors that the user uniquely knows. This method most often comes in the form of security questions that only the user should know the answer to. While convenient for users, this method only works if the user is genuinely the only person who knows the answers.
A third method for passwordless authentication involves factors that a user uniquely is. This method most often comes in the form of biometric technology, which uses the unique physical features people have to grant access. These features can include face and voice recognition, fingerprint scans and retinal scans.
The Advantages of Biometric Authentication
Biometric authentication is ideal for providers looking to future-proof their authentication methods. Biometric technologies are enabled by capabilities already available on mobile devices. The fingerprint readers, cameras and microphones in today’s smartphones and mobile devices, combined with the right software, can perform highly secure face and voice recognition. Therefore, users can access their accounts from their personal devices, bypassing the need for passwords, hardware tokens and security questions.
Biometric authentication provides the following distinct advantages:
Increased Security:
Biometrics are inherently secure passwordless authentication methods. This is because they use something a person is, instead of something a person has or knows. Biometrics also commonly feature liveness detection, which determines whether a user is a real, present person and not an impostor trying to gain access with a photo, video, or mask. Taken together, these properties make it much more difficult for would-be attackers to bypass security measures and gain access to the system fraudulently.
Improved User Experience:
Biometric technology also provides a more convenient, frictionless user experience. Biometric authentication takes place in seconds, with just a selfie or voice prompt via a user’s personal mobile device. Biometrics also eliminate the need to remember passwords or carry unique hardware tokens, streamlining the authentication process overall.
Lower Cost:
With no need for password resets, providers can devote their resources to other matters more critical to the business. Software engineers no longer have to develop and maintain the workflows needed to provide password-based authentication, and call centers can be staffed to handle more important customer inquiries not pertaining to passwords and account access.
Organizations managing identity credentials should consider passwordless methods to protect themselves, their consumers and their assets and infrastructure. Situations such as the Colonial Pipeline attack can be avoided using a variety of secure processes and solutions. With increased security, improved convenience for users, and a lower cost overall for providers, biometric technology is a strong candidate for passwordless authentication.
Dr. Mohamed Lazzouni has been Aware’s Chief Technology Officer since November 2019, and currently serves as a board member of Epochal Technologies, Inc., a provider of demographic data solutions. Prior to joining Aware, Dr. Lazzouni served as President and CEO of Epochal Technologies, Inc. from August 2018 to November 2019; President of the Anti-Counterfeiting Business and Chief Operating Officer at Authentix, Inc., a provider of authentication solutions, from 2013 to 2018; Chief Technology Officer and Senior Vice President of MorphoTrust USA, LLC, a provider of identity assurance solutions, from 2006 to 2013; and as Chief Technology Officer and Senior Vice President of Viisage Technology, Inc., a provider of identity verification technology, from 2001 to 2006. Dr. Lazzouni received his Ph.D. in Physics from the University of Oxford, his Master’s degree in Physics from the University of London, and his Bachelor of Science degree in Physics from Badji Mokhtar University, Annaba (UBMA).