Spoiler alert: While passwordless authentication is gaining adoption, it will not be a cure-all. But the reason why is more nuanced than one may assume.
Our Lives Are (And Will Continue To Be) Digital-First
Look at your password manager, assuming you’re using one. We’d wager you have 100+ account credentials stored. By now we know that passwords are a source of friction in people’s digital experiences and highly susceptible to poor hygiene; as a result, they’ve become a high-value target for bad actors: easy to obtain (or guess), at mass scale. The drive to change how we authenticate into personal and workforce applications is centered on improving security: protecting our information, our data, our digital footprint, and our overall identity, in both our personal and business lives.
The lives of humans have evolved to be digital-first in how we do the most basic of human tasks – from shopping for groceries and other goods, to banking and finance, to how we work and make a living, to how our society functions as a whole. The dependency on digital applications to function is scaling beyond our individual control – and at times, beyond our security team’s control.
Criminal Innovation Outpaces Evolving Security Technology Adoption
When we’re talking about passwordless authentication, it’s come about for the same reason that any new security innovation arises: (1) to replace antiquated methods that are highly vulnerable to compromise or (2) to augment existing approaches, providing an added layer of protection against compromise. Regardless, people are always slow to not only adopt new technology, but also to understand the full implications of its purpose and how it works within an existing security tech stack.
While enterprises and consumers are all still in the discovery and awareness stages of a technology lifecycle to protect against threats, the criminal underground moves much faster. When profit is at stake, bad actors rapidly develop new technology and tactics, source new entry points, and uncover vulnerabilities that give them access and the ability to compromise accounts – putting people’s identities, corporate data and critical IP at ongoing and continuous risk.
The Desire For Ease And Convenience Is Risky Business
Passwords are a major friction point, and even if we overcome user password hygiene challenges and introduce additional complexity requirements, the sheer volume of login credentials that we all need to manage and keep track of is overwhelming and often comes at the expense of proper password hygiene.
It’s easy to blame passwords rather than human behavior, whether that behavior is:
password fatigue that leads to poor choices
syncing passwords across browsers on various devices, which can hand a criminal both personal and work passwords in a single compromise
an expectation of instant gratification in our user experience, with a low tolerance for friction
But how do we maintain society’s (and our own) expectations without sacrificing security?
The Journey To Passwordless – A Brief, Rapidly Evolving History
Massive data breaches attributed to poor password hygiene remain a recurring occurrence (we’re looking at you using “password” as a password, not to mention “companyname123” 😒). Passwordless authentication, whether OTPs, biometrics, or passkeys, seems like a logical solution: a promising alternative that not only addresses poor password hygiene but also reduces password fatigue and the overall friction surrounding digital access. We can confidently say that with over 32 billion passwords in the SpyCloud database recaptured from breaches and malware logs traded and sold in the criminal underground, passwords are the most easily obtained credential, and they give cybercriminals straightforward access to carry out a multitude of attacks.
So while passwords keep their ease of use, organizations that share SpyCloud’s goal of disrupting cybercrime have moved quickly (in a mere 12 months) to evolve beyond this simple credential toward something better suited to user verification in the 21st century.
MAY 2022 – Alliances form to reduce account management friction and improve security
Google, Apple, Microsoft and the FIDO Alliance announced a partnership to create, test and implement frictionless passwordless logins across devices, operating systems and browsers.
The result is the concept of “passkeys”: a public/private key pair generated on the user’s device for each site. The private key stays in the device’s credential store and the site holds only the public key, which it uses to verify a signed challenge at sign-in; there is no shared secret for a server breach to leak or for a phishing page to capture. In their current implementation, and depending on your device or operating system, passkeys synchronize across devices through the vendor’s cloud keychain, allowing sign-in to websites and apps using the same biometrics or screen-lock PIN used to unlock the device.
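To make the passkey mechanism concrete, here is an added example (not SpyCloud’s code, and not any vendor’s real implementation) that models both sides of the exchange in Go: the device-side authenticator holds the private key scoped to one relying-party ID, the server stores only the public key, and each login is a fresh random challenge that the authenticator signs. The relying-party name `bank.example`, the user `alice`, and the phishing domain `bank-example.evil` are made up; the signed data is simplified to `SHA-256(rpIdHash || challenge)` rather than WebAuthn’s full authenticatorData and clientDataJSON layout.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// rpIDHash scopes an assertion to one relying party, like WebAuthn's rpIdHash.
func rpIDHash(rpID string) [32]byte { return sha256.Sum256([]byte(rpID)) }

// signedData is the digest the authenticator signs (simplified from WebAuthn):
// RP hash plus the server's fresh challenge, binding the assertion to one origin and one login.
func signedData(rpHash [32]byte, challenge []byte) [32]byte {
	return sha256.Sum256(append(rpHash[:], challenge...))
}

// Authenticator is the device side of a passkey. Private keys are keyed by RP ID
// and never leave this struct.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a P-256 key pair for rpID and hands back only the public key.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// Assertion is the authenticator's answer to a sign-in challenge.
type Assertion struct {
	RPHash    [32]byte
	Challenge []byte
	Signature []byte
}

// Sign answers a challenge for the origin the browser actually reports.
// A phishing domain has no matching key, so there is nothing to sign with.
func (a *Authenticator) Sign(rpID string, challenge []byte) (*Assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no passkey registered for %q", rpID)
	}
	h := rpIDHash(rpID)
	d := signedData(h, challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, d[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{RPHash: h, Challenge: challenge, Signature: sig}, nil
}

// RelyingParty is the server side. It stores public keys only, so a dump of this
// table gives an attacker nothing to replay or stuff into other sites.
type RelyingParty struct {
	ID      string
	pubKeys map[string]*ecdsa.PublicKey
	pending map[string][]byte // one outstanding challenge per user
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

func (rp *RelyingParty) AddUser(user string, pub *ecdsa.PublicKey) { rp.pubKeys[user] = pub }

// BeginLogin issues a fresh 32-byte random challenge for the user.
func (rp *RelyingParty) BeginLogin(user string) ([]byte, error) {
	if _, ok := rp.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// FinishLogin checks the assertion against the issued challenge, the RP's own ID and
// the stored public key. The challenge is consumed, so the assertion cannot be replayed.
func (rp *RelyingParty) FinishLogin(user string, as *Assertion) error {
	want, ok := rp.pending[user]
	if !ok {
		return errors.New("no login in progress")
	}
	delete(rp.pending, user)
	if !bytes.Equal(want, as.Challenge) {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if as.RPHash != rpIDHash(rp.ID) {
		return errors.New("assertion was made for a different origin")
	}
	d := signedData(as.RPHash, as.Challenge)
	if !ecdsa.VerifyASN1(rp.pubKeys[user], d[:], as.Signature) {
		return errors.New("signature does not verify against stored public key")
	}
	return nil
}

func main() {
	auth, rp := NewAuthenticator(), NewRelyingParty("bank.example") // made-up RP
	pub, _ := auth.Register(rp.ID)
	rp.AddUser("alice", pub)
	ch, _ := auth.Sign(rp.ID, mustChallenge(rp, "alice"))
	fmt.Println("legit login:", rp.FinishLogin("alice", ch))
	mustChallenge(rp, "alice")
	fmt.Println("replayed assertion:", rp.FinishLogin("alice", ch))
	_, err := auth.Sign("bank-example.evil", mustChallenge(rp, "alice"))
	fmt.Println("phishing origin:", err)
}

func mustChallenge(rp *RelyingParty, user string) []byte {
	c, err := rp.BeginLogin(user)
	if err != nil {
		panic(err)
	}
	return c
}
```

Running `main` shows the three outcomes that matter: a legitimate assertion verifies, the same assertion presented again is rejected because its challenge was consumed, and the authenticator refuses to sign for a look-alike domain because no credential is scoped to it. Note what the model does not cover: it says nothing about how the private key reaches a second device, or what happens when the user loses all of them, which is exactly where the recovery path discussed later comes in.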
MAY 2023 – General availability to mass consumer accounts for self-paced adoption
On May 3, 2023, Google announced the availability of passkey logins for billions of its personal Google account users, with workforce account access delivered as a fast follow. This release allows users to move to passkeys, but they must opt in to retire their username/password login.
So no passwords = no problem, yes?
A Passwordless Future Still Requires…Passwords
SpyCloud’s analysis of data recaptured from the dark web last year revealed that 72% of users exposed in multiple breaches were reusing previously exposed passwords, passwords that were compromised in a breach or malware infection in prior years. It’s clear that in a world of such persistent password reuse there has to be a better authentication mechanism than passwords.
But at this time, a passwordless approach is not a cure-all for cyberattacks. Is it easier than passwords? For sure. Is it more secure? Yes, but not fully secure. Why?
Passwordless technologies still need a recovery method when all else fails. In the case of Apple, the passkey’s private key is synced to iCloud Keychain so it can be restored to a new device, and as this article puts it, “its strength is only as good as the iCloud recovery process.”
The advent of passkeys has already begun to shift attackers’ focus from a user’s primary credentials to their recovery options, which could be the user’s email address, a recovery phrase (which we commonly find in infostealer logs), or a password. We’ve also found that when initially setting up an account for a passkey-enabled site, you do so with... a password.
So passkeys aren’t entirely passwordless, at least in their current implementation.
In our next blog, we cover how another form of authentication data, stolen session cookies, lets attackers sidestep passkeys entirely.
With the proliferation of passwords stolen in breaches, it’s been clear for some time that passwords as a sole authentication method are not viable in protecting against compromise, and even multi-factor authentication has its weaknesses. While the move to passwordless authentication is a solid step forward, no one moves faster than cybercriminals looking to profit by exploiting any and every potential entry point, whether it’s a recovery method or a different type of credential (like session cookies or tokens). Simply put, bad actors will always look for a way in.