Passwords. The very mention of the word is enough to make most people utter obscenities. For years, we've heard promises that passwords are going to go away soon. Consumers and businesses hate them, they're the butt of jokes, and they result in billions of dollars in losses annually. Yet somehow they persist.
Finally, however, we're reaching an inflection point that may spell doom for passwords and the myriad headaches they create. Advances in biometrics, multifactor authentication (MFA), and tokenization, along with the rise of the FIDO Alliance, are tipping the scales.
"We're starting to make some real progress on eliminating passwords, but there is still a lot of work to do," states Sean Ryan, a senior analyst at Forrester Research. In fact, 70% of organizations today still rely on a password-centric authentication approach, he notes.
Thursday is World Password Day, so what better time to explore the evolving state of passwords — and emerging passwordless systems. The Edge spoke to leading experts and discussed what individuals and organizations can do to move forward — and what a passwordless future looks like. In this article, the first of a two-part series on the topic, we look at how organizations can navigate passwords and what a best practice security framework looks like.
Living With Passwords
Few things are as frustrating for consumers and organizations as dealing with passwords. Remarkably, 60% of IT service desk interactions are related to password resets, according to a frequently cited Gartner statistic. People forget them, people reveal them, and people can't even keep track of the new password they just created.
"It is completely impossible for humans to manage the space effectively," observes Alex Simons, corporate vice president for program management in Microsoft's Identity Division.
Indeed, the average employee manages nearly 200 credentials, according to enterprise password management company LastPass. The irony, Simons says, is that most passwords meet system requirements for security and complexity, yet they are incredibly easy for hackers to crack because they are based on simple phrases like the month and year.
"People use highly obvious patterns," he says. "We've made it really hard for ordinary humans and really easy for hackers in this world of usernames and passwords. So we've got to find a way out of that."
Despite the advent of single sign-on (SSO), biometric authentication, and a spate of more advanced tools and technologies, many organizations remain chained to password hell. For one thing, legacy hardware systems and applications often require passwords, and in the case of mainframes, it's often an eight-character password.
"There is still a lot of valuable data protected only by an eight-character or 12-character password," says Joe Nocera, leader of PwC's Cyber and Privacy Innovation Institute.
For another, until recently, there wasn't any practical way to eliminate passwords from websites, apps, and Internet of Things (IoT) devices. Transmitting a username and password over the Internet was the way it was done. Then crooks figured out that stealing passwords and hacking databases and grabbing clear text or hashed passwords was a lucrative business that allowed them to engage in everything from identity theft to planting ransomware. Today, an eight-character password can be cracked in as little as two-and-a-half hours.
MFA Is Critical
In many respects, passwords are digital skeleton keys in the digital age.
"Passwords were designed as a means to provide secure access to data sitting on a server, but the password also sits on the server," says Andrew Shikiar, executive director and CMO for the FIDO Alliance (Fast Identity Online), a consortium of more than 250 business heavyweights working to advance passwordless solutions. "The problem with that is that anything on a server can and will be stolen, and we see it time and time again."
Remarkably, 80% of breaches are tied to passwords, according to the "2020 Verizon Data Breach Report." With success rates on phishing attacks reaching 50% and help-desk costs running at $70 or more per incident, per Forrester, organizations must begin to rethink the deeply flawed concept that stronger passwords alone will solve the problem.
In addition, despite consumers abandoning one-third of their online purchases due to forgotten passwords and the need for a reset, an Experian survey found about 75% of companies still fear inconveniencing customers by introducing MFA, which requires users to verify their identities in multiple ways in order to access an application.
Yet getting to passwordless isn't a direct route. As organizations begin to plan and implement a passwordless future, MFA with passwords has a central role. Text codes, rolling codes on apps such as Microsoft Authenticator or Google Authenticator, or token-based popup authorizations in an app or on a wearable, such as Apple Watch, can reduce successful attacks by upward of 99%. It's also possible to add MFA to legacy hardware and software that didn't initially support it.
Simons' advice? "Turn on MFA everywhere, because now you've gotten yourself out of the main risk pattern," he says.
A good transitional step on the path to eliminating passwords, PwC's Nocera says, is using a PIN or token that stays on a local device. That way, the password, even if it's compromised, doesn't provide entry to an account.
"It's possible to use a soft or hard token or even a challenge-response tool, to know that the person is who they say they are," he says.
This capability can be combined with behavioral analytics, such as geolocation data or anomaly detection, to ratchet up the level of identity data required.
"You just don't want the password to be the only key to the kingdom," Nocera adds.
Smartphones and wearables that use face ID or touch biometrics to authenticate a user don't always replace the password, but they can mask passwords and reduce the need for password resets. Also, Simons says, because the phone stores identity data locally in a Trusted Processor Module (TPM) — a secure crypto-processor that virtually all modern PCs and smartphones have — biometrics and other sensitive machine data, including encryption keys, cannot be accessed from outside and the data never leaves the machine.
This means that even without a passwordless system, it's possible to obtain cryptographically signed proof that a person is who they say they are. If the passwords match up on both ends and the secondary authenticator stored in the TPM of the user's device checks out, the user signs in with a private key. At this point, the security risks drop substantially, and users have a more seamless way to log into accounts.
Other advanced MFA tools include security key devices that use the FIDO U2F or FIDO2 protocols and connect via USB, Bluetooth Low Energy (BLE), or near-field communications (NFC). Some examples of these include the YubiKey, RSA SecurID Access, and Google's Titan security keys. Whereas it's possible for a person to go to a spoofed website and actually log in using credentials and some forms of multifactor authentication, a hardware token won't work at a fake site. Although these devices can be a bit challenging to set up, they're generally easier to use for authentication than a phone or watch.
The Path to Passwordless
The end goal, of course, is to eliminate the use of passwords altogether. With newer software and systems increasingly supporting passwordless frameworks — the list includes sites such as eBay, Microsoft Windows Hello for Business, and Azure, and various components built into iPhones, Apple Watches and various Android devices — the transition has begun in earnest.
Driving this migration is FIDO2, which relies on a set of specifications that standardize authentication in both mobile and desktop environments. This includes WebAuthn and CTAP, which deliver protocols and APIs for web infrastructure, including browsers. FIDO2 delivers a framework that allows sensitive login information to remain in a device's TPM, thus eliminating phishing risks and introducing cryptographic keys that cannot be tracked across sites. Virtually all major tech and financial companies, including Apple, Google, Microsoft, and Amazon, have joined the alliance.
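Why a hardware token "won't work at a fake site," and why FIDO2 is described as eliminating phishing risk, comes down to the checks a site runs on each signed sign-in response. The sketch below is an added example, not code from the article or from any FIDO Alliance member: it simulates an authenticator and the server-side verification of a WebAuthn-style assertion in Node.js, with the relying party `bank.example` and the look-alike origin as constructed values.

```javascript
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Constructed relying-party values (assumptions, not from the article).
const RP_ID = 'bank.example';
const RP_ORIGIN = 'https://bank.example';

// Simulated authenticator: the private key stays inside this closure, and the
// origin and RP ID that get signed come from the browser, not from the page.
// Simplification: a real authenticator scopes each credential to one RP ID and
// would find no key at all for a different site.
function makeAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const sign = (challenge, origin, rpId) => {
    const clientDataJSON = Buffer.from(JSON.stringify({
      type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
    // authenticatorData = rpIdHash (32 bytes) | flags (user present) | signCount (4 bytes)
    const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x01, 0, 0, 0, 1])]);
    const signature = crypto.sign('sha256',
      Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
    return { clientDataJSON, authenticatorData, signature };
  };
  return { publicKey, sign };
}

// Relying-party verification: returns 'ok' or the reason the assertion is rejected.
function verifyAssertion(assertion, expectedChallenge, publicKey) {
  let clientData;
  try { clientData = JSON.parse(assertion.clientDataJSON.toString('utf8')); }
  catch { return 'malformed clientDataJSON'; }
  if (clientData.type !== 'webauthn.get') return 'wrong type';
  if (clientData.challenge !== expectedChallenge.toString('base64url')) return 'challenge mismatch';
  if (clientData.origin !== RP_ORIGIN) return 'origin mismatch';
  const rpIdHash = assertion.authenticatorData.subarray(0, 32);
  if (rpIdHash.length !== 32 || !crypto.timingSafeEqual(rpIdHash, sha256(RP_ID))) return 'rpId mismatch';
  if ((assertion.authenticatorData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([assertion.authenticatorData, sha256(assertion.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, assertion.signature) ? 'ok' : 'bad signature';
}

// Constructed scenarios: a genuine sign-in, then the same challenge answered
// from a look-alike origin, as the browser would report it.
function demo() {
  const auth = makeAuthenticator();
  const challenge = crypto.randomBytes(32);
  return {
    genuine: verifyAssertion(auth.sign(challenge, RP_ORIGIN, RP_ID), challenge, auth.publicKey),
    lookalike: verifyAssertion(auth.sign(challenge, 'https://bank-example.test', 'bank-example.test'), challenge, auth.publicKey),
  };
}
```

Because the origin and RP ID are inside the signed data, rewriting them after the fact only moves the failure to the RP ID hash or signature check.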
"FIDO2 technology is enabling the transition to passwordless," says Forrester's Ryan. "After years of promises, it's finally making the concept real. We may continue to see passwords in one form or another for many years — there is infrastructure, systems, and applications where it's simply impossible to go passwordless — but organizations can begin implementing passwordless systems today."
Part II: What a passwordless world looks like and how organizations can transition to a passwordless framework.