The Promise and Limitations of ‘Password-less’ Authentication
By Tal Zamir, CTO of Perception Point
“Please enter your password.”
For those without a password manager to keep track, that’s a prompt that can be stressful, even panic-inducing. But beyond the aggravation passwords often cause, the security that a password provides may no longer be worth the tradeoff. Circumventing a password, regardless of its supposed complexity, is often child’s play for today’s shrewd cyberthreat actors – and has been for quite some time.
In May, Google announced its decision to replace passwords with passkeys, the next phase of digital authentication that requires a fingerprint, a swipe pattern, PIN, or facial recognition to verify users’ login credentials. With Apple and Microsoft gearing up for the same transition, password security will soon be, by and large, obsolete.
These security overhauls have taken precedence in response to surging credential theft, mostly via phishing attacks, which rose 50% worldwide in 2022 compared to 2021, largely due to the accessibility of hacking kits and new AI-enhanced phishing tools. By requiring a physical passkey, tech giants intend to make it far more difficult for attackers to gain unauthorized access to user accounts, even in the event that passwords and Multi-Factor Authentication (MFA) codes are compromised. This proactive approach aims to reinforce these companies’ own security measures and to give users an added layer of protection against sophisticated cyber-attacks.
But passkeys are just one piece of the cybersecurity puzzle. While they’re a promising next step, individuals and enterprises will still need to fortify their security posture even further if they hope to remain resilient against evolving threat landscapes.
A first step toward authentication security
Although not foolproof, ‘password-less’ authentication is a significant improvement over traditional password-based authentication. By using passkeys, users can set up a simple and easy-to-use system for logging into multiple accounts, without the need to remember complex passwords or decipher which password belongs to which account, offering a more convenient user experience. Moreover, passkeys eliminate the risks associated with weak passwords and password reuse, which are common unsafe practices. Shockingly, 85% of people use the same passwords across multiple sites, making them more vulnerable to hacking attacks. While password-less authentication does not guarantee absolute security, it goes a long way towards mitigating password-related risks.
The fact that physical passkeys are harder to steal or replicate than passwords or tokens has led the World Wide Web Consortium, FIDO Alliance, and Microsoft to promote passkeys as the future of user security.
As the transition from password-based authentication to passkey-based authentication gains momentum, it’s crucial for users, employees, and security teams to bear in mind that the password-less approach isn’t entirely immune to hackers. Despite the added security of physical passkeys, attackers can still find ways to exploit authentication vulnerabilities. Notably, there are numerous other threat vectors and hacking techniques that don’t rely on passwords at all, so a passkey alone may not be sufficient to ward off determined attackers. Therefore, it’s essential to remain vigilant and implement other security measures in tandem with passkey authentication.
For example, hackers use remote access trojans (RATs) to gain remote control of infected devices, taking over the apps running on them and accessing their data. Likewise, they can hijack sessions by stealing the session cookies stored on a device, which contain the login tokens that an already-authenticated session relies on. Advanced social engineering attacks have also emerged as a significant threat. Threats like these, notably business email compromise (BEC), don’t require credential theft, but are still just as concerning, given that these attacks doubled in 2022 alone.
In some respects, cybersecurity with passkeys may leave users more vulnerable, considering that with passkeys, if a threat actor does gain access to a user’s device, they can potentially access all the user’s accounts and apps. This stands in contrast to passwords, where the attacker may only gain access to accounts with the same login credentials.
One change may not be enough
Cyberattacks across the channels most used by businesses for communication and collaboration are growing increasingly sophisticated, with attackers using a range of tactics such as spear-phishing, domain spoofing, and AI-aided impersonation to convince their victims to take a specific action. And because these advanced attacks don’t necessarily involve stealing passwords or user sessions, password-less authentication solutions, when made available, will ultimately be ineffective in preventing them.
Consequently, users and security teams must continue to adopt a multi-layer approach to effectively protect their companies. In addition to improving cybersecurity awareness training, organizations should strive to deploy modern security systems, such as advanced email security and web browser security, that identify and prevent the most advanced and evasive threats from ever reaching their users. Furthermore, the data from these security systems should be correlated to give SOC and response teams the information necessary to rapidly analyze and remediate incidents.
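The session-hijacking risk described above (a stolen cookie lets an attacker ride an already-authenticated session, passkey or not) is exactly the kind of gap that correlated log data can expose to a SOC. The following is an added illustration, not code from the article or from Perception Point: it walks a constructed JSON-lines auth log, binds each session ID to the client fingerprint (source IP and user agent) that obtained it at login, and raises an alert when the same session ID is later used from a different client, past an assumed session lifetime, or without any preceding login. The log format, the field names, the SESSION_TTL value and the sample events are all assumptions made for this example.

```python
import json
from dataclasses import dataclass, field

SESSION_TTL = 8 * 3600  # assumed maximum session lifetime in seconds (not from the article)

# Constructed sample log in JSON-lines form; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '{"ts": 1000,  "event": "login",   "user": "alice", "session_id": "s1", "src_ip": "203.0.113.10", "user_agent": "UA-A"}',
    '{"ts": 1100,  "event": "request", "user": "alice", "session_id": "s1", "src_ip": "203.0.113.10", "user_agent": "UA-A"}',
    '{"ts": 1200,  "event": "request", "user": "alice", "session_id": "s1", "src_ip": "198.51.100.7", "user_agent": "UA-B"}',
    '{"ts": 1300,  "event": "login",   "user": "bob",   "session_id": "s2", "src_ip": "192.0.2.5",    "user_agent": "UA-A"}',
    '{"ts": 1400,  "event": "request", "user": "bob",   "session_id": "s2", "src_ip": "192.0.2.6",    "user_agent": "UA-A"}',
    '{"ts": 1450,  "event": "request", "user": "carol", "session_id": "s9", "src_ip": "192.0.2.9",    "user_agent": "UA-C"}',
    '{"ts": 1500,  "event": "request", "user": "alice", "session_id": "s1", "src_ip": "203.0.113.10", "user_agent": "UA-A"}',
    '{"ts": 33700, "event": "request", "user": "bob",   "session_id": "s2", "src_ip": "192.0.2.5",    "user_agent": "UA-A"}',
]


@dataclass
class SessionState:
    user: str
    started: int
    origin: tuple                                      # (src_ip, user_agent) that logged in
    seen: dict = field(default_factory=dict)           # every fingerprint -> first-seen ts


def fingerprint(ev):
    """Client fingerprint used to bind a session to the device that obtained it."""
    return (ev["src_ip"], ev["user_agent"])


def _alert(sid, user, ev, reason, severity):
    return {"session_id": sid, "user": user, "ts": ev["ts"],
            "src_ip": ev["src_ip"], "reason": reason, "severity": severity}


def detect_session_reuse(lines, ttl=SESSION_TTL):
    """Return alerts for session IDs used outside the client and lifetime that obtained them."""
    sessions = {}
    alerts = []
    for line in lines:
        ev = json.loads(line)
        sid, fp = ev["session_id"], fingerprint(ev)

        if ev["event"] == "login":
            # A fresh login (passkey, password or otherwise) binds the session to this client.
            sessions[sid] = SessionState(ev["user"], ev["ts"], fp, {fp: ev["ts"]})
            continue

        st = sessions.get(sid)
        if st is None:
            # A session ID the log never saw issued: possibly injected from elsewhere.
            alerts.append(_alert(sid, ev.get("user"), ev, "request with no preceding login", "medium"))
            continue
        if ev["ts"] - st.started > ttl:
            alerts.append(_alert(sid, st.user, ev, "session used past its lifetime", "medium"))
            continue
        if fp in st.seen:
            continue  # known client for this session, nothing to report

        st.seen[fp] = ev["ts"]
        ip_differs = fp[0] != st.origin[0]
        ua_differs = fp[1] != st.origin[1]
        if ip_differs and ua_differs:
            # Different network *and* different client software: classic stolen-cookie pattern.
            alerts.append(_alert(sid, st.user, ev, "session cookie reused from a different client", "high"))
        else:
            # Only one attribute changed (e.g. roaming to a new IP, or a browser update).
            alerts.append(_alert(sid, st.user, ev, "session seen from a new IP or user agent", "low"))
    return alerts


if __name__ == "__main__":
    for a in detect_session_reuse(SAMPLE_LOG):
        print(a)
```

The severity split is deliberate: a session moving to a new IP with the same user agent is routine for mobile users, so it is reported at low severity for triage rather than treated as compromise, while a change in both attributes is the signature a responder would want escalated. In a real deployment the fingerprint could be extended with TLS or device-attestation signals, and the alerts fed into the same correlation pipeline as email and browser security telemetry.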
Striving for a safer cyber-future
The migration towards password-less authentication will certainly be effective in mitigating security breaches. But it cannot be treated as a panacea. Rather, it will become another tool in the cybersecurity toolbelt – just one of many necessary security measures – albeit a crucial one.
Attackers will continue to look for and exploit gaps even in password-less environments, and thus individuals and organizations alike must take a multi-layered approach if they wish to protect themselves against increasing cyber sophistication.
About the Author
Tal Zamir is the CTO of Perception Point, with a 20-year track record as a software industry leader solving business challenges by reimagining how technology works. He has pioneered multiple breakthrough cybersecurity and virtualization products and prior to joining Perception Point, Tal founded Hysolate, a next-gen web isolation platform operating at the endpoint level. Tal can be reached online at LinkedIn and at our company website.