By Nic Sarginson, Sr. Solutions Engineer for UKI and RSA at Yubico.
For the majority of consumers and businesses, passwords remain a necessary evil for accessing accounts and data. However, passwords have a problem: while technology has continued to develop, change and adapt, the humble username and password combination has stayed the same, and has been proven to be woefully inadequate when it comes to both security and usability.
Thankfully, it’s likely that the days of using passwords are numbered. After all, they are inherently weak, sharable and easy to guess (for example ‘123456’ is the most common password according to a review by the UK’s National Cyber Security Centre). Passwords can also be simply plucked from databases of stolen information following data breaches.
Companies can partially mitigate these weaknesses by enforcing more complex passwords consisting of a minimum length with numbers and special characters, but password security is largely reliant on the user and human error can quickly undermine security. An employee can have a technically strong password but then go on holiday and pass this on to a colleague to enable access to their work while they’re away. This is a surprisingly common occurrence – in our latest research, 51 per cent of individual users and even 44 percent of IT professionals admitted to sharing passwords with their colleagues in the workplace.
Even if an employer puts barriers in to protect against these issues, if they suffer a data breach and their employees’ passwords are shared online, they are still vulnerable. After a large-scale breach it can be expected that a company would reset passwords and overhaul their security. However, when it comes to smaller attacks, this might not happen. Only 56 per cent of respondents surveyed by the Ponemon Institute for our 2020 State of Password and Authentication Security Behaviours Report who had experienced a phishing attack, credential theft or man-in-the-middle attack (MitM) said their organisation had changed how passwords or protected corporate accounts were managed since.
A common first step for improving digital security is the implementation of two-factor authentication (2FA) methods. While basic 2FA methods – such as memorable words or SMS One Time Passwords (OTPs) – do improve security beyond a simple username and password, they are susceptible to modern phishing and MitM attacks. In fact, phone-based attacks are becoming increasingly common, with ‘SIM-swap’ fraud now a major factor in facilitating organised attacks on targets’ devices. If OTPs via SMS are to be used, it’s advisable for these to also be backed up by a separate, external authenticator.
Phishing attacks can also be devastatingly effective as all cyber criminals need to rely on for success is simple human error. Spoofed emails are on the rise, with even the savviest of employees capable of being deceived into clicking on malicious links or opening malware-laden attachments. After all, phishing emails purporting to be from a legitimate source can be highly convincing. These attacks are regarded as a major threat by IT security professionals as it only requires one employee to fall victim to them for a perpetrator to harvest legitimate credentials and move laterally across the network.
Additionally, busy mobile employees often make use of public Wi-Fi where available, which can leave them vulnerable to MitM attacks, given that hackers have been known to spoof connections to fake public Wi-Fi networks. In these scenarios, unsuspecting users log on and, in doing so, unknowingly provide a hacker with access to their credentials – unless their connections are encrypted. Attackers are also then able to easily bypass the more basic 2FA authentication methods with ease.
SMS OTPs are also in addition to, rather than instead of, passwords and re-typing codes from one device to another is cumbersome and prone to error. This has proved to be a barrier in the uptake of these methods. As an additional layer of security, 2FA is a basic necessity for all organisations, but it’s important to remember that not all 2FA methods are created equal. The methods discussed above are vulnerable to abuse by cyber adversaries who are increasingly adept at spoofing connections.
As the 2020s get underway, it’s high time we finally move away from the inconvenient and insecure username and password combination and address well-known vulnerabilities with basic 2FA, looking instead to more sophisticated forms for authentication, including biometric technologies.
The security solution
Organisations can boost security and the user experience by reducing reliance on passwords and embracing new standards supported by s biometric technology. Indeed, FIDO2 specifications address all of the issues associated with traditional authentication, enabling users to leverage common devices to easily authenticate to online services in both mobile and desktop environments.
For example, WebAuthn, the first global accepted standard for web authentication, was launched in 2019. WebAuthn is a core component of FIDO2, enabling online services to use FIDO Authentication through a standard web API that can be built into browsers and related web platform infrastructure. Co-developed by our experts and approved by the W3C, WebAuthn offers websites, services, and applications, stronger, more user-friendly multi-factor authentication. The standard is based on public key cryptography that eliminates the need for creating and storing passwords in a central location where they are vulnerable to data breaches. What’s more, it offers users a wide range of ways to authenticate including the choice of using an external authenticator such as a hardware security key or a built-in biometric sensor, by embracing broad support for a choice of authentication devices.
In summary, WebAuthn gives organisations multiple options to choose from, which introduces a degree of personalisation and encourages a move away from username/passwords towards more secure, user-friendly security methods. When used in combination with biometric technology – which offers a far more robust method of authentication than basic 2FA, while delivering a seamless experience for users – FIDO2/WebAuthn delivers a far superior level of protection against threats such as MitM and phishing attacks. In fact, Google has stated that it has had no reported or confirmed account takeovers since implementing FIDO certified physical security tokens in early 2017.
The strength of biometric technology is that it relies on unique human biology, a fingerprint or a face, that cannot be easily copied or hacked. Fingerprint technology has become ubiquitous: it is how many people login to their phones, login to apps and authorise mobile payments. Extending this functionality to secure a wider range of devices is a logical continuation of this technology.
Biometric technologies and the options offered by FIDO2 and WebAuthn are the beginning of the end for passwords, which we hope will soon be a thing of the past. By embracing new technologies, including biometric authentication, organisations will benefit from far superior security, while freeing users from the arduous password problem.