Has the passwordless future finally arrived?

It’s an unavoidable fact of modern life that a person’s digital security is tied up in dozens – potentially hundreds – of usernames and passwords, across personal and work accounts. We’ve written previously about the importance of maintaining secure password habits within an organisation, but ultimately even the best passwords imaginable leave much to be desired on the security front. As an organisation, however, you have the potential to dictate the methods of authentication used within your systems. As new authentication approaches gain popularity, has the time finally come to excise passwords from the equation entirely?

It wouldn’t be before time. While the methods attackers take to compromise organisational security vary, compromised credentials are a factor in attacks up to 80% of the time. Just this year, we’ve seen multiple high-profile news stories on UK schools being hit by such attacks, resulting in confidential information about students and teachers being released onto the dark web. Purely credentials-based authentication systems are seen as easy targets to attackers, and an organisation has a responsibility to bolster their authentication security wherever possible – both for the safety of their systems, and the sensitive data of those they employ.

Unfortunately, any organisation looking to do so will run into the same problem – namely, the prevalence and familiarity of passwords. Everyone is used to passwords and being expected to use them. It’s because of this ubiquity that most authentication methods work on top of existing credentials-based systems, rather than replacing them entirely and potentially causing significant disruption within the organisation. The most common way of doing so is to ask users for an additional piece of authentication that represents either something the user has (e.g., a dedicated hardware key, or a code generated on or sent to a designated device) or something the user is (biometric data, such as fingerprints or facial recognition). By requiring the user to prove their identity in this way, organisations can help ensure that bad actors aren’t able to access accounts by simply stealing something the user knows (i.e., their password). Instead, they would need to also have access to a physical object, or the user themselves, to pass the additional authentication checks.

This forms the basis of multi-factor authentication (MFA), which is already common across many online services, and which most people will already be familiar with. Given this familiarity, it’s likely that implementing MFA would cause minimal disruption among an organisation’s users, but it’s important to note that it’s not a ‘silver bullet’ solution. A recent attack on Cloudflare illustrated how bad actors can still circumvent the more basic authentication factors available in an MFA implementation, in an attempt to gain access to organisational resources. Hardware keys represent the more secure end of the spectrum, being more resilient to attacks but at the same time more disruptive to day-to-day user workflow. These are physical devices that are either directly plugged into the device asking for authentication, or connected to it wirelessly using Bluetooth or NFC. Given their physical nature, hardware keys provide a very effective barrier against attackers who are typically geographically remote, and whose skills are based around digital infiltration rather than physical burglary. Of course, at the same time, the requirement of a physical object means that legitimate users must always have the object to hand, and have the familiarity and confidence to use it on a regular basis – depending on the organisation and its staff, this can be a tall order.

Then there is also the issue of the myriad different services and accounts that an organisation may require its staff to use on a day-to-day basis, and ensuring that each is similarly secure. In an effort to avoid multiplying numbers of credentials users need to memorise or store securely, organisations may look to simplify matters by implementing single sign-on (SSO) authentication. SSO is another authentication method that’s begun to gain in prominence, particularly among larger organisations. It aims to simplify the log-on process by using a single third-party service provider to handle the authentication process on behalf of multiple different services. Many will be familiar with this process in the form of websites that provide the option to ‘Sign in with Facebook’ or similar – essentially allowing the user to access a new service without creating a new set of credentials to go along with it. These providers vary in their suitability for the purpose – it’s unlikely that a security-conscious organisation would look to use Facebook, but offerings such as Cisco Duo can provide the high levels of security and reliability needed to safeguard sensitive organisational data.

By using a single provider to manage the credentials for multiple services, the user no longer has to remember or securely store additional credentials outside of those used for the single provider. By the same token, however, it means that if the account with the single provider is compromised, so too are all the services associated with it. For this reason, it’s sensible for SSO to be combined with strong MFA on the single provider, and it’s vital that the provider chosen for this task is suitable, given the security required. If the organisation is in a situation where they can stipulate the use of a single, highly-secure provider, then SSO can be used in conjunction with MFA to provide a unified, highly secure user experience across different systems and services.

Even with these implementations, however, passwords remain at the root of the authentication process, and continue to be insecure and easily stolen – though their efficacy on their own is dramatically diminished. Recently, there has been a concerted push towards a new authentication method that does away with passwords entirely, called passkeys. Unlike passwords, passkeys cannot be stolen through phishing attacks or exposed through data breaches, because in actuality they are a pair of keys – a private key saved to a device the user has access to, and a public key registered with whichever app or website the account exists with. When a user signs into this account using a passkey, their private key is verified by the public key without ever leaving the user’s device – meaning it can’t be phished or stolen. The public key, meanwhile, contains no secret information, and is useless unless paired with the private key. As far as the user is concerned, using a passkey is as simple as unlocking their device as usual, be that via fingerprint or passcode, when prompted to do so. Because attackers would require access to both the device and whatever method is used to lock the device, passkeys effectively provide the security of a discrete hardware key contained within a device that the user would ordinarily have with them anyway.

Of course, there are downsides to any authentication method. In the case of passkeys, its relative infancy as a technology poses some issues. Firstly, while passkeys are now supported on all major operating systems, devices that are capable of using passkeys have only become available in the past few years, so users with older devices will be unable to take advantage of the method. This is likely to be a substantial roadblock for any organisation that doesn’t provide its staff with modern work devices. Similarly, the services that offer the use of passkeys are still very limited, and will remain so until devices that do not support the technology eventually age out of common use.

Ultimately, then, this means that while there is finally a viable alternative to passwords available for use, it will still be several years until most services offer it as an option. For organisations that provide modern work devices to all employees, and that only require authentication to the few major services that accept them, passkeys may be a viable authentication method that can offer substantial security benefits. In the vast majority of cases, however, a strong MFA implementation remains the most effective way of limiting the vulnerabilities that passwords represent. If your organisation is looking to implement stronger authentication as part of their digital transformation journey, get in touch at security@itgl.com to talk about your options – as well as how authentication can tie into broader security approaches like network segmentation and Zero Trust.