A world without passwords – is it closer than we think?
In this time of increased homeworking, we’re constantly using passwords – whether it’s to set up a conference call, log into business applications or share information. But does this need to be the case? Could we work securely without passwords? Let’s first look at passwords and their vulnerabilities before considering the options for a future without them.
A password is something to be remembered and used by one person to enable secure access to a computer, website, application or another part of a network. To be secure, it should combine a random collection of upper and lowercase letters, numbers and punctuation marks. And there lies the problem. A secure password is time consuming to create and difficult to remember. Especially when we use so many of them. As a result, unique, secure passwords are used far too little, which can create widespread risk.
“Several studies have now shown that we already have a password for 150 different accounts on average. Which are often too easy and reused for different platforms. Getting hold of one password once creates a domino of access to several websites.” Gartner.
What problems do companies face when dealing with passwords?
Managing passwords, granting access based on them and ensuring employees are aware of security issues is a complex matter. And it creates lots of problems for IT departments, including many unnecessary support calls.
If employees forget a password, they, understandably, want a new one as soon as possible so they can carry on with their work. They’re not, therefore, usually open to being advised by IT colleagues about security risks. It means IT departments often spend an inordinate amount of time and money solving preventable password problems.
“Stronger passwords are more likely to be forgotten by users and lead to more password resets.” University College London.
There are also many external threats when it comes to passwords. Spear phishing, for example, is when usernames and passwords are stolen. And a brute force attack is where a password, which is often used across multiple applications, is guessed. It’s a worrying fact that personal account details, including passwords, are offered for sale on the darkweb in their millions.
The question isn’t whether you’ll become a victim of password crime, but when. You can actually see whether your private or work email address has already been compromised at Have I Been Pwnd.
It’s all a serious headache for security managers, especially during this period of high levels of working from home.
What can we do to make the use of passwords more secure?
In recent years, increasingly more efforts have been made to use two-factor or even multifactor authentication, which was introduced to overcome security problems relating to passwords. Both methods ensure a person’s identity is verified not only by something they know (the password), but also by something they have (such as a data carrier or token). It means that if a password’s been compromised, attackers have another obstacle to pass before gaining access.
Even if multifactor authentication is used, however, passwords can still create a weak link without proper management and supervision. Which is why it’s important to:
- Store and rotate login details in a digital password vault.
- Prevent employees reusing passwords.
- Carefully manage access rights for the administrators responsible for handling employee passwords.
What’s the optimal solution?
The best option is to stop using passwords – at least for end users. Because if someone isn’t exposed to a password, it can’t be stolen from them. As endpoints are among the most difficult systems to secure fully, this is a good strategy.
The alternative is to use two-factor or multifactor authentication, with none of the factors being a password. One of the strongest approaches, according to eIDAS legislation, is to use a token plus a digital certificate. It’s important not to use one-time password tokens though, as recent attacks on these have shown they can be easily intercepted.
This approach means personal user passwords are protected by password-less methods and people never have to create or remember their passwords again. This type of protection is becoming increasingly popular, with digital certificates being held on carriers such as USB sticks, cards or other devices. And it’s an approach that’s compliant with a range of legislation and international developments, such as eIDAS, GDPR and FIDO.
When people use two-factor or multifactor authentication instead of passwords, it means IT and security teams can be sure that:
- User access is secure and there are no reused or shared passwords in circulation.
- Attackers can’t phish for users’ passwords.
- User authentication details are never stored in the system, as passwords are. So even someone with access to the system can’t figure out the credentials.
It all adds up to make password-less solutions an important security advantage.
Password-less security is already available
Such solutions, that enable secure authentication and the management of digital certificates on data carriers, are already available. And they’re widely used to protect critical systems. Also available are the systems to register, validate, manage and revoke authentication certificates and tokens. So a world without passwords is definitely within reach.
Jordan van den Akker, Business Security Consultant at AET Europe.