A large share of data breaches begin with compromised credentials. Whether they are obtained through targeted phishing, brute-force guessing, social engineering, or some other form of credential harvesting, the password is the first, and sometimes the only, line of defense against an attacker.
Once a password is cracked or stolen, the floodgates are open: an attacker holding valid credentials walks in as a legitimate user, and whatever malware or activity they bring with them inherits that user's access. Relying on the password alone is like sticking bubble gum over a hole in a dam to hold back the water behind it. As a method of protecting personal accounts and company databases, the username-password combination is far from ideal.
Passwords Are Annoying and Insecure
While the password was once a trusted form of security, that reputation has waned over the years as its inherent weaknesses have been demonstrated again and again. Even in its heyday, the username-password combination was an imperfect security strategy, not just for an organization's databases but for the end user. With accounts at Amazon, Netflix, PayPal and Uber, two or more online banks, dozens of social media profiles, and several work and personal email addresses, the modern internet user is expected to remember passwords for an average of 92 accounts, and the predictable result is weak passwords reused across many of them.
Companies large and small should already be using two-factor authentication (2FA), not only to protect their end users but to protect their internal systems as well. Surprisingly, even some of the largest companies still lack it.
Case in point: Uber. In a breach that was spectacular not only as a violation of user privacy but also of legal protocol, the ride-share giant's data was taken by two attackers who had obtained a single employee credential. That credential gave access to Uber's back-end web services account, and once inside, the attackers downloaded the unencrypted records of more than 57 million riders and drivers.
In an age when cybercrime has reached pandemic proportions, the fact that Uber, a private company whose valuation exceeded that of 72% of the firms on the Fortune 500, was protecting its developer site with nothing more than a username and password is hard to comprehend.
The Rise of Passwordless Access
For all their faults, passwords are as pervasive as personal computers and cell phones. No one really likes them, but no one has seriously tried to send them the way of the Dodo (or the Commodore 64, or the Zune), at least not until now. Microsoft recently rolled out a passwordless sign-in option for its Authenticator app, letting users of Azure AD-connected applications sign in without a password. The feature is part of Microsoft's stated plan to move away from passwords altogether. "No company lets enterprises eliminate more passwords than Microsoft," the company said on its website.
Yubico, meanwhile, released a new version of its YubiKey earlier this year, a USB security key that can replace the password altogether rather than merely supplementing it.
Both offerings resemble the 2FA your firm should already have in place, with one important difference. In conventional 2FA the password remains the first factor, and the platform sends the user a one-time code to type in as the second. In passwordless authentication the confirmation step, approving a prompt on the phone or touching the key, stands in for the password entirely: the device proves possession by answering a challenge from the service, and the user unlocks the device locally with a PIN or biometric instead of typing a secret that the service also has to store.
But both approaches have limits. Microsoft's Authenticator app works only within Microsoft's own ecosystem of products, and with the YubiKey, and Google's Titan Security Key too, the user must carry around a small device that can be damaged or lost. Further, a USB-only key protects only PCs and other devices that have a USB port; unless the key also speaks NFC or Bluetooth, or has a connector the phone accepts, mobile devices are left out.
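To make the difference concrete, the following is an added example, not code from the article or from Microsoft, Yubico or Google. It models the passwordless challenge-response that a security key performs: the server stores only a public key, issues a fresh challenge per login, and checks a signature that also covers the origin the browser was really on. The type names, the message layout and the toy "authenticator" are this example's own assumptions; they follow the shape of a FIDO2/WebAuthn assertion but are not the real protocol. Note what the server's credential table contains: no password hash and no shared secret, so a dump of it, as in the Uber breach described above, gives an attacker nothing to log in with.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Toy model of passwordless key authentication (example code; the message
// layout below is an assumption, not the actual FIDO2/WebAuthn encoding).

// Server keeps one public key per user plus challenges issued but not yet used.
type Server struct {
	origin  string
	pubKeys map[string]ed25519.PublicKey
	pending map[string][32]byte
}

func NewServer(origin string) *Server {
	return &Server{origin: origin, pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][32]byte{}}
}

// Authenticator stands for the phone app or USB key; the private key never leaves it.
type Authenticator struct {
	priv ed25519.PrivateKey
}

func NewAuthenticator() (*Authenticator, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// Register stores only the public half of the credential.
func (s *Server) Register(user string, a *Authenticator) {
	s.pubKeys[user] = a.priv.Public().(ed25519.PublicKey)
}

// Challenge hands out a fresh random nonce for a single login attempt.
func (s *Server) Challenge(user string) ([32]byte, error) {
	var c [32]byte
	if _, err := rand.Read(c[:]); err != nil {
		return c, err
	}
	s.pending[user] = c
	return c, nil
}

// signedData binds the challenge to the origin the browser is really talking to
// (length-prefixed so the fields cannot be confused); this is what stops a
// signature collected on a look-alike phishing site from working on the real one.
func signedData(origin string, challenge [32]byte) []byte {
	h := sha256.New()
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(origin)))
	h.Write(n[:])
	h.Write([]byte(origin))
	h.Write(challenge[:])
	return h.Sum(nil)
}

// Assert is the "touch the key / approve the prompt" step for the reported origin.
func (a *Authenticator) Assert(origin string, challenge [32]byte) []byte {
	return ed25519.Sign(a.priv, signedData(origin, challenge))
}

// Verify checks the signature against the stored public key and consumes the
// challenge, so the same assertion cannot be replayed.
func (s *Server) Verify(user string, challenge [32]byte, sig []byte) error {
	pub, ok := s.pubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	want, ok := s.pending[user]
	if !ok || want != challenge {
		return errors.New("stale or unknown challenge")
	}
	delete(s.pending, user) // one challenge, one attempt
	if !ed25519.Verify(pub, signedData(s.origin, challenge), sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	srv := NewServer("https://example.com")
	key, _ := NewAuthenticator()
	srv.Register("alice", key)
	c, _ := srv.Challenge("alice")
	sig := key.Assert("https://example.com", c)
	fmt.Println("genuine login:", srv.Verify("alice", c, sig))
	fmt.Println("replayed assertion:", srv.Verify("alice", c, sig))
	// Phishing: the real challenge is relayed, but the key signs for the look-alike origin.
	c2, _ := srv.Challenge("alice")
	fmt.Println("phished assertion:", srv.Verify("alice", c2, key.Assert("https://examp1e.com", c2)))
}
```

The three calls in `main` show the properties that matter: a genuine login succeeds, presenting the same signature a second time fails because the challenge was consumed, and a signature the key produced while the user was on a look-alike domain fails because the origin is part of what was signed. Nothing the user types ever reaches the server, which is the whole point of dropping the password.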
So will we see the password go extinct in our lifetime? It's hard to say, but there is a clear trend away from the internet's oldest security mechanism, and it is reasonable to expect that fewer and fewer online platforms will require one.
One thing is certain: whether a password is involved or not, a robust security strategy must include strong multi-factor authentication that is compatible, intuitive, and readily available across all channels and devices.
And hopefully, this brave new password-free world won’t mean you’ll have to carry around yet another addition to your keychain.