A password is like a key to our home. If someone steals it, there is a good chance they will use it to steal something else. We use these virtual keys everywhere in our lives, and the life of an Internet user is simply impossible without passwords: e-mail, online discussion groups, e-banking, commercial websites — all of them use password-based authentication.

We use our passwords everywhere and all the time. We are so accustomed to them that we pay no attention to how important it is to keep them secure until one is stolen.

To protect our “virtual keys,” we can choose a strong password. That makes the hacker’s “job” much more difficult.

How passwords are stored


Passwords to access computer systems are usually stored, in some form, in a database in order for the system to perform password verification during authentication. To enhance the privacy of passwords, the stored password verification data is generally produced by applying a one-way function to the password, possibly in combination with other available data. When the one-way function does not incorporate a secret key, other than the password, we refer to the one-way function employed as a hash and its output as a hashed password. Even though functions that create hashed passwords may be cryptographically secure, possession of a hashed password provides a quick way to verify guesses for the password by applying the function to each guess and comparing the result to the verification data. The most commonly used hash functions can be computed rapidly, and the attacker can do this repeatedly with different guesses until a valid match is found, meaning the plaintext password has been recovered.
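As an added illustration (not code from the article), the following Python compares the two kinds of verification data the paragraph describes: a bare, fast hash versus a salted, deliberately slow PBKDF2 record. The guess list, the iteration count and the function names are constructed for the demonstration; the point is that whoever holds the stored record can test guesses offline, so the record should make each guess expensive and unique per user.

```python
import hashlib
import hmac
import os
from typing import Callable, List, Optional

# Constructed sample data (not from the article): a tiny guess list of the kind
# that gets tried first, and the PBKDF2 round count the verifier uses.
SAMPLE_GUESSES: List[str] = ["letmein", "password", "summer2016", "qwerty"]
PBKDF2_ITERATIONS = 100_000


def store_fast(password: str) -> str:
    """Weak verification data: one unsalted SHA-256 of the password.
    Identical passwords give identical records, and each guess costs one hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def verify_fast(password: str, stored: str) -> bool:
    # compare_digest avoids leaking the match position through timing
    return hmac.compare_digest(store_fast(password), stored)


def store_slow(password: str, salt: Optional[bytes] = None,
               iterations: int = PBKDF2_ITERATIONS) -> str:
    """Stronger verification data: PBKDF2-HMAC-SHA256 with a random per-user salt.
    The record carries its own parameters so the server can raise the cost later."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_slow(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def guesses_until_match(stored: str, verify: Callable[[str, str], bool],
                        guesses: List[str]) -> Optional[int]:
    """Model of the article's point: holding the stored record lets one test guesses
    offline. Returns how many guesses were needed, or None if the list is exhausted."""
    for n, guess in enumerate(guesses, start=1):
        if verify(guess, stored):
            return n
    return None


def hash_operations_per_guess(stored: str) -> int:
    """Relative cost of one guess: 1 hash for the fast scheme, `iterations` for PBKDF2."""
    if stored.startswith("pbkdf2_sha256$"):
        return int(stored.split("$")[1])
    return 1


if __name__ == "__main__":
    fast = store_fast("summer2016")
    slow = store_slow("summer2016")
    print("fast scheme: matched after", guesses_until_match(fast, verify_fast, SAMPLE_GUESSES),
          "guesses at", hash_operations_per_guess(fast), "hash op per guess")
    print("slow scheme: matched after", guesses_until_match(slow, verify_slow, SAMPLE_GUESSES),
          "guesses at", hash_operations_per_guess(slow), "hash ops per guess")
```

Both schemes fall to the same weak password after the same number of guesses, which is why a slow function does not rescue a bad password; what it changes is the cost of every guess (here by a factor of 100,000), and the random salt means two users with the same password get different records, so precomputed tables and one-hash-fits-all comparisons stop working.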

The massive fallout from these and other data breaches involving weak password authentication schemes shows that the current password system is dead. Let’s face it – people simply can’t remember a different complex password (eight or more letters, numbers and symbols) for each online account they have, especially when the average Internet user has many online accounts that require one. Add to that the rapidly growing number of mobile applications that also require a password or PIN, and people quickly feel overwhelmed. It’s time we recognized that the current system is neither sustainable nor secure. New forms of authentication for websites and mobile applications must emerge. Passwordless authentication is a viable alternative that is fast becoming a reality, as we can already see in multi-factor authentication.

Many organizations lay the burden of secure authentication at the feet of the users, telling them simply to choose complex passwords. Yet users have proven time and time again that their nature is to choose weak passwords and to reuse the same password across multiple online accounts, and we can hardly blame them for it. Rather than telling people to remember ever more complicated passwords, online businesses need to move away from the archaic password practice completely and towards passwordless authentication technologies that are both more secure and easier for people to use.

The interconnected nature of the Web creates a domino effect whenever there is a large password breach. Knowing that people often use the same password on multiple accounts, hackers take the leaked passwords and use them to try to access accounts on other websites, harming security at a number of unrelated sites. This domino effect, coupled with the vast amount of sensitive information people share and store online, means that the burden needs to shift from users to the online businesses themselves. Websites must make strong authentication a standard and a priority.

Fortunately, strong online authentication is easier to achieve now than ever before. The availability of cloud-based authentication services makes it easy for websites to employ technologies that generate a one-time passcode for each login. Such passcodes are today considered a form of passwordless authentication: they can replace traditional passwords completely, or be added on top of the password to strengthen the login when the user has chosen a weak one.

How passwordless authentication works


The goal of passwordless authentication is to grant users access to their online accounts without relying on the traditional password system to authenticate them. In essence, users do not use passwords at all to log in to their accounts. Looking at this authentication model, is it feasible today, a myth or a reality?

Is passwordless authentication a reality?

We can consider passwordless authentication to be fast becoming a reality thanks to the widespread use of mobile phones and mobile applications, which make it possible for websites to employ multi-factor authentication without hardware tokens, smart cards or biometrics. Some online banks and other security-minded businesses have begun using SMS text messages to send authentication codes to users’ phones, or “soft token” applications on users’ smartphones. The touchscreen capabilities of smartphones and tablets also make it possible to use pattern-based or image-based authentication, letting users simply tap a few pictures or draw a pattern on the touchscreen to authenticate. All of these methods let organizations provide users with easier yet more secure authentication.

Is passwordless authentication a myth?

Passwordless authentication is often called a myth because the current systems that eliminate the need for a password are still not flawless: users still have to enter some sort of PIN or passcode sent to them via email or SMS to authenticate. However, the fact that most websites and applications these days are adopting two-step, multi-factor authentication is proof that passwordless authentication is evolving rapidly. Pattern-based or image-based authentication, if greatly improved, could offer a smooth form of passwordless authentication alongside other forms of multi-factor authentication.

Edging towards passwordless authentication, some websites choose to provide an extra layer of security by implementing a two-step login through Google, Facebook or Twitter, making their own authentication totally passwordless and letting Google, Facebook or Twitter handle the authentication with their secured login systems.

Some websites also let you use your cell phone in a two-step login. Email providers like Gmail offer this feature to help secure your account: each time you log in, you have to enter a new code that Gmail sends to your phone.

Passwordless authentication and phishing


Passwordless authentication will help combat phishers and drastically reduce their activities. Phishing is an attempt, usually via email, to get you to provide sensitive information such as usernames, passwords and credit card details to someone masquerading as a trusted company (your bank, a shopping site, your social media account provider, etc.).

You may be asked to click a link in the email and then enter your login credentials on the website you land on, a website which, by the way, is fake. Or you may simply be asked to email the information.

Thankfully, many of these messages land in your junk folder, and/or your email service shows a warning message at the top of such emails.

But to the cyber criminals’ credit, some phishing emails are very believable, and some people fall for them. Just remember that a reputable company will never ask you for your password; with passwordless authentication there is no password to ask for in the first place.

Should you get an email asking you to enter your login credentials, call the company directly to find out whether the message is legitimate. Or type the company’s (publicly known) web address directly into your browser, log on and then make any changes to your profile as needed. Do not click a link in an email that asks you to reveal your details.

Despite the efforts of new web technologies to provide stronger forms of authentication, some determined hackers can still gain access to your online accounts, not necessarily through any lapse on your part but through the companies you hold accounts with.

LinkedIn is one of the big web companies that has suffered a password security breach in recent times. If it can happen to them, with all their sophisticated security, it sure as hell can happen to any online web application or site that makes use of authentication.

Conclusion

Passwordless authentication will greatly improve security now that computing power has skyrocketed to such an extent that a simple graphics card can crack a strong password by brute force in seconds. This means that if a website can’t quickly spot a brute-force attack and lock your account, even your strong password can be hacked.
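The conclusion hinges on a site being able to spot a brute-force run against an account and lock it. The following added Python example (not from the article) shows one simple per-account throttle run over a constructed authentication log; the log lines, usernames, IP addresses and thresholds are all made up for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample authentication log (not from the article). alice is hit by a
# rapid guessing run from one address; bob mistypes twice and then gets in.
SAMPLE_AUTH_LOG = """\
2016-05-17T10:00:00 user=alice ip=203.0.113.5 result=fail
2016-05-17T10:00:05 user=alice ip=203.0.113.5 result=fail
2016-05-17T10:00:10 user=alice ip=203.0.113.5 result=fail
2016-05-17T10:00:15 user=alice ip=203.0.113.5 result=fail
2016-05-17T10:00:20 user=alice ip=203.0.113.5 result=fail
2016-05-17T10:00:25 user=alice ip=203.0.113.5 result=fail
2016-05-17T10:00:40 user=alice ip=198.51.100.7 result=success
2016-05-17T10:01:00 user=bob ip=198.51.100.9 result=fail
2016-05-17T10:01:30 user=bob ip=198.51.100.9 result=fail
2016-05-17T10:02:00 user=bob ip=198.51.100.9 result=success
"""


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    """Split one 'timestamp key=value ...' line into (time, user, ip, result)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["user"], kv["ip"], kv["result"]


class LoginThrottle:
    """Per-account lockout: `max_failures` failed attempts within `window` lock the
    account for `lock_for`, during which every attempt is refused outright."""

    def __init__(self, max_failures: int = 5, window: timedelta = timedelta(minutes=5),
                 lock_for: timedelta = timedelta(minutes=15)) -> None:
        self.max_failures = max_failures
        self.window = window
        self.lock_for = lock_for
        self.failures: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.locked_until: Dict[str, datetime] = {}

    def decide(self, ts: datetime, user: str, result: str) -> str:
        """Return 'blocked', 'locked', 'fail' or 'success' for one attempt."""
        until = self.locked_until.get(user)
        if until is not None and ts < until:
            return "blocked"  # refused without even checking the password
        recent = self.failures[user]
        window_start = ts - self.window
        while recent and recent[0] < window_start:
            recent.popleft()  # forget failures that fell out of the sliding window
        if result == "success":
            recent.clear()
            return "success"
        recent.append(ts)
        if len(recent) >= self.max_failures:
            self.locked_until[user] = ts + self.lock_for
            recent.clear()
            return "locked"
        return "fail"


def replay(log: str, throttle: Optional[LoginThrottle] = None) -> List[Tuple[str, str]]:
    """Run the throttle over a log and return one (user, decision) pair per line."""
    throttle = throttle or LoginThrottle()
    decisions = []
    for line in log.strip().splitlines():
        ts, user, _ip, result = parse_line(line)
        decisions.append((user, throttle.decide(ts, user, result)))
    return decisions


if __name__ == "__main__":
    for user, decision in replay(SAMPLE_AUTH_LOG):
        print(f"{user:6} {decision}")
```

In the sample log alice's fifth failure triggers the lock, so the sixth guess and even the genuine login twenty seconds later are refused, while bob's two typos never reach the threshold. A per-IP counter (the `ip` field is parsed but unused here) is the usual complement, since a guessing run spread across many accounts stays under any single account's limit.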

For now, the majority of web applications still make use of the traditional password system to authenticate users, so all we can do is take precautions and exercise extra vigilance when surfing online. By doing this, we can make a hacker’s job much harder.

Until more websites eliminate “dead” password schemes in favor of strong passwordless authentication methods that are easy and safe for users, we’ll continue to see poor password practices on the web, making it easy for hackers to take a data breach at one website and use the revealed credentials to compromise users’ other online accounts and commit fraud on a number of other websites.

Do you think passwordless authentication technology is a myth or a reality? Or do you think otherwise? Does your company have a strategy in place to use passwordless authentication to deliver a great user experience across your on-premise and cloud SaaS applications? For further research and passwordless strategy development consultation, please contact the author at dangata@dangata.com or call 07540 460322.

Posted by Dan K Jatau Sr. MSc, PhD, MBCS, MInstLM

Dan K Jatau is a Nottingham, UK-based information security and technology infrastructure expert and researcher who likes to write about technology subjects from both a business and a technical perspective. His current interests are business-driven security architectures, identity and access, the Cloud, virtualization security and all aspects of security. He currently works in security program development and architecture and develops enterprise security programs for SMEs.