TTI | Network Security Insights

The Future of Cybersecurity: Passwordless Authentication

Written by Tony Ridzyowski | Dec 28, 2021 5:46:00 PM

Passwords are inherently vulnerable. That’s why some organizations are taking a new approach to securing their accounts and devices: passwordless authentication. 

Increasing password security has been a top priority for years. In the past, the primary way of addressing concerns about password security has been to push organizations to make their passwords as strong as possible. Though following password best practices is an important step, the truth is that there will always be security risks tied to password use. Humans are lazy by nature, and creating and remembering individual passwords for each of our accounts is a greater challenge than many people are willing to face.

That’s where passwordless authentication comes in. By taking long-term passwords out of the picture altogether, passwordless authentication reduces the burden on individuals to create and memorize passwords while also reducing the opportunities for hackers to get into an account in the first place. Learn more about what passwordless authentication looks like and why it might be the future of cybersecurity.

 

The Problem with Passwords

Anyone who has been forced to come up with countless passwords for their accounts is probably pretty familiar with the problems associated with these jumbles of letters, numbers, and symbols. By now it should come as no surprise that the biggest issue is the continued use of simple passwords. We’ve heard for years that we need to make more complex passwords to keep hackers out, yet a recent report that looked at the passwords of Fortune 500 companies found that “password” is still the most used password across industries. Other top contenders include “12345,” “Hello123,” and “sunshine.” 

In case anyone needs a reminder of just how costly a weak password can be, remember that the now-infamous SolarWinds hack might have been triggered (at least in part) by someone using the password “solarwinds123” to protect a secure server. 

All this serves as a good reminder that just because we know about the dangers of passwords, that doesn’t mean that we — as individuals or companies — will take the necessary steps to address those dangers. From using simple passwords, to reusing passwords (including compromised passwords) across sites, to storing passwords in clear text files, there are a lot of bad practices that make password-protected accounts vulnerable to attack. As long as passwords continue to be used, these bad practices will continue as well. 

 

Looking to the Future: Passwordless Authentication

Given all the challenges that accompany using passwords, it’s no surprise that cybersecurity experts are looking for new ways to secure accounts while avoiding passwords altogether. Their latest solution? Passwordless authentication.

Passwordless authentication is defined as any method of verifying a user’s identity that doesn’t require the user to come up with a password. Instead of invented passwords, passwordless authentication relies on alternative authentication factors that are inherently safer because they rely on some distinctive characteristic of the user. It can involve jumbles of numbers and letters just like a regular password, but the difference is that these jumbles are never memorized or reused.

Types of passwordless authentication include: 

  • Possession factors: This relies on using something a user owns or carries in order to verify their identity and let them log in. Common possession factors include hardware tokens, one-time passwords (OTPs) that are received via text or email, or a code generated by an authenticator app.
  • Biometrics: This method of passwordless authentication is becoming increasingly common in our daily lives with more and more devices relying on identification factors like fingerprints and face scans to unlock devices. In addition to these, other common biometrics include retina scans and behavioral traits, like typing and touch screen dynamics. Although some hackers have found ways to spoof some physical traits, behavioral traits remain very difficult to fake.
  • Magic links: A magic link is a one-time link that grants access to an account. When a user needs access, they simply enter the right email address and the system sends them an email with a magic link. When they click on it, they will get access to the account.
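
The magic-link flow described above, as an added example that is not part of the original article: the server issues a random one-time token, stores only its hash, and accepts each link once and only until it expires. The class name, URL, 10-minute lifetime and in-memory storage are assumptions made for illustration.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 600  # assumed lifetime; the article does not specify one
GENERIC_REPLY = "If that address has an account, a sign-in link was sent."


class MagicLinkService:
    """In-memory stand-in for the server side of a magic-link login."""

    def __init__(self, accounts, clock=time.time):
        self.accounts = set(accounts)
        self.outbox = []      # (email, link) pairs; stands in for sending mail
        self._pending = {}    # sha256(token) -> (email, expires_at)
        self._clock = clock

    def request_link(self, email):
        # Same reply for known and unknown addresses, so the form cannot be
        # used to discover which accounts exist.
        if email in self.accounts:
            token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
            digest = hashlib.sha256(token.encode()).hexdigest()
            # Only the hash is stored: a leaked table yields no usable links.
            self._pending[digest] = (email, self._clock() + TOKEN_TTL_SECONDS)
            link = f"https://app.example.test/login?token={token}"
            self.outbox.append((email, link))
        return GENERIC_REPLY

    def redeem(self, link):
        """Return the email the link signs in, or None if it is not valid."""
        values = parse_qs(urlparse(link).query).get("token", [])
        if len(values) != 1:
            return None
        digest = hashlib.sha256(values[0].encode()).hexdigest()
        entry = self._pending.pop(digest, None)  # pop enforces single use
        if entry is None:
            return None
        email, expires_at = entry
        return email if self._clock() <= expires_at else None


if __name__ == "__main__":
    svc = MagicLinkService({"alice@example.test"})  # constructed account
    svc.request_link("alice@example.test")
    _, link = svc.outbox[-1]
    print(svc.redeem(link))  # first click signs in
    print(svc.redeem(link))  # replayed link is rejected
```

Because anyone who can read the mailbox can use the link, the short lifetime and single-use check are what keep a forwarded or archived email from working later.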

Obviously, just because something is more secure, that doesn’t mean it will be implemented right away. There are some significant challenges when it comes to passwordless authentication that are slowing the rate of adoption. The biggest issue is the cost and migration complexity that comes with switching to passwordless. 

Another challenge that should not be overlooked is the difficulty of overcoming old-school mentalities. IT leaders and employees alike are often reluctant to move away from traditional security methods and try brand new ones — especially when some of those methods may seem like they take more steps than the passwords they know and love. 

 

The Benefits of Passwordless Authentication

Despite these challenges, industry leaders still see passwordless authentication as the future thanks to the many benefits it offers. The biggest benefits are: 

  • Stronger security: Lost, stolen, and cracked passwords have been a major vulnerability for as long as passwords have been in use. By removing passwords and replacing them with other authentication measures, you automatically strengthen your security posture and make it much more difficult (and expensive) for bad actors to succeed.
  • Greater productivity: With fewer passwords in use comes an additional advantage you may not have considered: fewer password resets. With passwordless authentication that offers easier, more secure access to accounts, companies can achieve significantly less downtime caused by forgotten passwords that need to be reset. That translates directly into increased productivity.
  • Lower costs: One of the most common requests facing help desks is password resets. When you eliminate passwords, you also eliminate password reset requests and their associated costs, leaving your help desk free to focus on the tasks that really require their energy and attention. Even within the world of passwordless authentication, there are opportunities to reduce costs, such as replacing your hardware tokens and smartcards with more cost-effective push notifications and biometrics.

 

The Future is Bright — Stay Cybersecure While You Wait

It’s unclear if and when passwordless authentication will become the norm. Until then, it’s important that organizations take steps to ensure they stay secure in the face of a seemingly unending stream of bad actors. In addition to encouraging password best practices like using unique, complex passwords for each account and changing passwords regularly, it’s also important that you implement proper cybersecurity measures beyond that. After all, no matter what authentication measures you take, bad actors will always find new ways to get around them.

The best way to stay ahead of bad actors is by working with a cybersecurity partner that can ensure you have the strongest security posture possible. At Turn-key Technologies, Inc. (TTI), our cybersecurity experts are ready to serve as that partner. With over 30 years of industry experience keeping organizations cybersecure, the team at TTI is ready to help you keep bad actors out, whether you’re using passwords or going passwordless. Contact us today to learn how we can help you stay cybersecure.