The September 2023 hacking of MGM Resorts International by Scattered Spider, a relatively new hacking group operating out of the United States and the UK, brought into sharp focus the risks of identity theft and credential harvesting through the social engineering tactics deployed by threat actors. Using stolen credentials and brute-force phishing attacks, the group gained access to the victim’s servers. The attack crippled the casino giant, causing an estimated loss of USD 80 million (1) from a shutdown in operations spanning 10 days. In a parallel incident, the group also attacked Caesars Entertainment, which paid a ransom of USD 15 million to retrieve its data and avoid a shutdown.
The incidents caused alarm bells to ring once again in cyber security circles, emphasizing the need to critically evaluate Identity and Access Management (IAM) (8) systems, with a view to replacing conventional password authentication with identity-based passwordless authentication and identity verification that augment protection for all users.
Passwords under fire
Once the industry standard for security, passwords have been coming under increasing scrutiny over the past few years. Verizon’s 2023 Data Breach Investigations Report (2) attributes half of all data breaches to stolen credentials, with 74% of breaches involving a human element. Forrester researchers (3) put the cost of resetting a single password at $70, with the average large enterprise incurring over $1 million annually for password-related support costs.
Passwords suffer from some inherent disadvantages, which include:
- Weak passwords chosen by users, very often made up of family dates of birth and the like, are easy pickings for scammers
- Multiple passwords that users are required to maintain and change often result in users finding it difficult to keep track of them and ending up frustrated
- Tendency of users to indiscriminately share passwords
- Poor password maintenance practices, including storing passwords on computers, pieces of paper, electronic files, or the cloud, resulting in tailgating attacks (9)
- High possibility of even password managers being compromised
Bad actors are ruthlessly exploiting these inherent weaknesses by successfully perpetrating credential-based hacks and account takeovers (ATO).
Experts believe that the writing is on the wall for passwords, calling for the IAM industry and organizations to implement passwordless authentication to safeguard against data hacks.
The advent of passwordless authentication
Taking cognizance of the weaknesses inherent in password authentication systems, the Fast Identity Online (FIDO) industry alliance, involving tech giants Apple, Google and Microsoft, paved the way for passwordless sign-ins. Microsoft moved to eliminate basic authentication on its Exchange platform, Apple presented its Face ID feature based on facial recognition, and Google and Amazon made the transition to passwordless logins.
The National Institute of Standards and Technology (NIST) identity proofing guideline 800-63-3 (Identity Assurance Levels (IAL) 1, 2 and 3), which mandates that users requesting access to federal systems provide proof that they own the identity they are claiming, served to bolster the case for passwordless sign-ins.
How passwordless logins work
Typically, passwordless logins work by using a ‘passkey’: a pair of cryptographic keys, created on the user’s ‘registered’ device when the passkey is set up, that the device uses at the point of the user accessing an application or website. Invariably, the device uses biometrics to identify the user. Once the device has identified the user, it uses the user’s unique ‘private key’, which never leaves the device, to answer the login request; the matching ‘public key’, stored by the website or application on its remote servers, is used to check that answer. When the two keys correspond, the identity of the user is confirmed and access is granted. If they do not match, access is denied. Experts say this type of identification is presently nearly impossible to hack.
Passwordless logins are usually facilitated via:
- Biometric authentication, which uses the user’s device to verify traits such as ‘what you are’ and ‘what you possess’ instead of a password. Touch ID using fingerprints is the most common, with access granted when the fingerprint matches the one registered with the device at the time of setup
- Magic links, where an email address is requested at the time of logging in and the user receives an email containing a link to access their account. Magic links are short-lived but are generally frowned upon due to the time involved in accessing them, deliverability issues with the email, and the possibility of the email being categorized and stored as spam
- One-time passwords (OTPs), received by the user via email or an SMS text message. Widely used, OTPs, like magic links, also suffer from time constraints and deliverability issues, with the added challenge that the user must enter the most current OTP when several have been generated by repeated login attempts
- Push notifications, received by the user via the vendor’s application previously installed on the user’s device. Also widely used, this method of passwordless sign-in suffers from the mandatory requirement of installing the vendor’s app on the device, which can cause a space constraint when the user has to install a number of apps for various purposes
How passwordless helps
Passwordless sign-ins overcome many of the problems posed by conventional passwords. Implementing them can therefore prove to be a boon to organizations, vendors, and the general public alike. Some of these benefits include:
- Protection against phishing and social engineering attacks
- Elimination of password fatigue (4), lost passwords, and the need to maintain, frequently change and remember numerous passwords
- Better user experience as a consequence of seamless logins
- Cost effectiveness, through the elimination of data breaches caused by data and identity theft, and of spending on resetting lost or compromised passwords
- Improved productivity and lower frustration levels among employees, who are no longer required to maintain, frequently change and remember complex passwords
Implementing passwordless authentication
Gartner (5) recommends that organizations prioritize assessing and implementing passwordless authentication methods, replacing legacy passwords either as the sole authentication factor, by using robust two-factor authentication (2FA), or as one of the two factors in a 2FA system. It cites the case of biometric authentication such as Touch ID, which is being successfully deployed in mobile banking apps.
Biometrics, however, are not the only way forward. Other options include OTPs, tokens and push notifications. Organizations will need to consider which method of authentication is best suited to their customers and the task involved. User experience, customer confidence, the implementing vendors’ level of competence, and the cost of moving from single-factor authentication to passwordless are also touchpoints for an organization embarking on passwordless authentication.
The challenges involved
Implementing passwordless, however, can take some doing. Here are some of the challenges that organizations will face:
- Integration with legacy infrastructure is seen as a major hurdle, due to the lack of compatibility between password-driven systems and passwordless systems. Even specialist vendors have been known to struggle with the complexity of integration
- Minimal or next-to-nil cross-platform compatibility between authentication systems poses another problem. A typical case is the incompatibility of cloud service providers like Microsoft, Google and AWS, whose authentication systems work only in their own environments
- Considerable implementation time, ranging from 6 months to a year if not more, is needed
- High implementation costs are likely, considering aspects like recoding of apps, onboarding of vendors, training, cyber insurance, etc.
- Lack of internal resources, and resistance to implementing or overseeing the transition to passwordless, is a major concern for organizations embarking on their passwordless journey. A study (6) showed that 48% of organizations lack passwordless authentication, while as many as 67% admitted they lacked the resources to implement it
- MFA can prove a problem, in the opinion of many experts, who say passwordless authentication methods like OTP, email and push notifications are not phishing-proof (7). They cite MFA account recovery as another grey area
Negotiating the challenges
The fragmented state of the password landscape can prove a handful for organizations. Modern cloud applications, which are generally flexible, are hard to integrate with legacy authentication architecture. Individual platforms, too, lack flexibility when it comes to MFA options outside their own realm. Organizations will need to weigh the pros and cons of staying with or moving on from Single Sign-On (SSO) to an MFA/passwordless system. Once decided, they will need to carry out an intensive cost-benefit analysis and a thorough vendor evaluation, including pricing proposals. One cat they will need to bell, if they are to move to a zero trust environment via passwordless authentication, is the recoding of their applications, should they wish to keep legacy architectures working in the new cloud environments.
With social engineering attacks on the increase, it is increasingly evident that the time is right to ditch passwords and comprehensively implement passwordless authentication. Convinced that the future is passwordless, major tech players like Google, Apple, and Microsoft are doing away with passwords altogether. NIST’s 800-63-3 IAL 1 through 3 guidelines are playing a key role, too, in facilitating the transition. Consulting and strategic insights firm Gartner has predicted that by 2025 more than 50% of the workforce and more than 20% of customer authentication transactions will be passwordless.
Businesses will need to align with this future. Those who have already implemented passwordless or have embarked on their journey are almost certain to reap benefits in terms of their business fortunes, customer confidence, and employee engagement. Those that do not, run the risk of compromising their security and endangering their very existence, losing customer confidence and revenue, and seriously impacting employee productivity and engagement.
Situations ominous enough for them to sit up and act, surely!
Get in touch with email@example.com or call (888) 282-0696 to experience the unmatched protection that Aurora, a proud member of the Plurilock family, delivers through these groundbreaking solutions.