The world’s worst kept secret and the truth behind passwordless technology – Help Net Security

One of the biggest security risks of modern-day business is the mass use of passwords as the prime authentication method for different applications. When the technology was first developed, passwords were perceived by individuals and businesses alike as a sure way of securing access to systems and sensitive data. Today, however, the flaws behind this form of authentication are crystal clear: not only do they make life more difficult for the user, but they also create a false sense of security and leave major holes in a business’s defenses.


Because of that, many companies are starting to transition towards passwordless technology. However, there is still some confusion about what exactly classifies as “passwordless” authentication. Some solutions that may purport to fall within the category simply save and enter the password on behalf of the user or replace it with something that is also insecure like a magic link or one-time password.

Understanding what truly constitutes a passwordless solution is the first step in making the shift towards a more secure future for organizations, as well as removing the frustrations and time-consuming processes that beleaguered users are required to step through simply to verify their identity.

The risks behind passwords

Passwords are one of the most popular ways for criminals to hack into business networks and consumer accounts. In fact, the Verizon 2021 Data Breach Investigations Report found that 61 percent of breaches over the last year involved login credentials, and haveibeenpwned currently lists more than 11 billion compromised accounts.

The fundamental flaw is that passwords are a “shared secret.” This means that both sides of the exchange are in on the secret (the password) and have it stored. These passwords are stored in a database by the application, making it an obvious target for cybercriminals. Passwords become the proxy identifier for the users, and users often choose passwords that relate to something in their lives, including names and important dates, to make them easier to remember. But this makes it easier for adversaries to guess their passwords and gain entry to sensitive data.

Over recent years, criminals have become more successful than ever at duping their targets into handing over their login details for various accounts. They have deployed fake websites that mimic the real one, capture the password as it is typed, and then log the attacker into the legitimate site. They have also designed malware that runs on the user’s device and steals credentials when the user types them in. If the same password is reused across accounts, the theft of one password can provide entry into multiple systems. And since users often pick easy-to-guess passwords like their favorite football team or movie character, adversaries can simply employ brute force techniques, systematically trying popular passwords against login pages until one works.

While some users have followed expert advice and opted for more complicated passwords with the help of a password generator, they remain at risk because the techniques previously mentioned (phishing sites and credential theft malware) simply don’t care whether the password is four or four hundred characters long.

Even password managers, which securely store passwords, aren’t a reliable solution. When a phishing email makes it to the inbox and a password is automatically submitted into a fake site by the password manager, the criminals still come out on top. These methods leave users and organizations thinking they are safer than they are. At the end of the day, authentication that relies on a “shared secret” can and will be hacked.

Understanding the alternatives

Given all the associated drawbacks of passwords, the headaches they create for users and the security risks and management overheads that organizations are burdened with – from password resets to account recovery – the search for more streamlined, secure ways to verify users and their identities should be a strategic security priority.

However, caution should still be exercised when considering alternatives that may appear to be “passwordless.” Any method that uses a shared secret can be hacked. Adding another safeguard to passwords in the form of multi-factor authentication (MFA) comes with its challenges. Besides the additional, often inconvenient steps it creates for users, legacy MFA approaches still rely on passwords as the initial security check, so the weak point in the security chain has not been removed.

Cybercriminals can hijack the password and the MFA codes via man-in-the-middle or man-in-the-endpoint attacks and then start a rogue session. Two shared secrets are not much more secure than one. Any MFA solution that relies on a second factor that can be stolen is simply not secure enough to outsmart modern attackers.

A truly passwordless approach removes both the security risks inherent in passwords and those of legacy MFA approaches that rely on passwords or other forms of shared secrets. A sound approach is to eliminate the password from the login flow, the application database and the account recovery flow, and replace it with something inherently secure. The most reliable way to replace passwords is to use proven public/private key cryptography, so that no shared secrets are exchanged. This is the same approach used to protect financial transactions across the internet in the form of TLS. Transport Layer Security (TLS), indicated by the lock icon in the browser, proves that the user is communicating with the legitimate server and over a secure, private channel. TLS uses public/private key cryptography to validate the server and to set up the secure communications channel.

Passwordless authentication based on public/private key cryptography stores the private key on the user’s device itself. The most secure solutions store the key in specialized hardware that is available on modern devices (PCs, phones, and tablets), so that the private key never leaves the device and remains unknown to all parties. The public key is made available to the applications a user wishes to access, but the public key on its own cannot be used to access the system. During login, a certificate signed with the private key is sent to the server, where the public key is used to verify that the signature was produced by the associated private key, thus confidently authenticating the user without any exchange of a shared secret. Not even the user is made privy to the private key, so there is nothing that can be recorded and accidentally lost or passed on.
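As an added illustration of the challenge-response flow just described (example code written for this edit, not from the article or from any vendor’s product), the server below stores only public keys, issues a random single-use nonce, and verifies the device’s Ed25519 signature over that nonce together with the server’s own origin. Binding the origin into what is signed goes one step beyond the article and follows what FIDO2/WebAuthn does: a signature the device produces for a look-alike site does not verify at the real one. The origin, the user name and the choice of Ed25519 are assumptions for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Server keeps only public keys plus unconsumed nonces; nothing here lets an attacker log in.
type Server struct {
	Origin  string
	Users   map[string]ed25519.PublicKey
	Pending map[string]bool // hex(nonce) -> issued and still unused
}

func NewServer(origin string) *Server {
	return &Server{origin, map[string]ed25519.PublicKey{}, map[string]bool{}}
}
// Register stores the user's public key only; the private key never leaves the device.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.Users[user] = pub }
// NewChallenge issues a fresh random 32-byte nonce and remembers it for single use.
func (s *Server) NewChallenge() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	s.Pending[hex.EncodeToString(n)] = true
	return n
}
// toSign is the exact byte string both sides sign and verify: origin || nonce.
func toSign(origin string, nonce []byte) []byte { return append([]byte(origin+"|"), nonce...) }
// Sign runs on the user's device, over the nonce and the origin it is actually talking to.
func Sign(priv ed25519.PrivateKey, origin string, nonce []byte) []byte {
	return ed25519.Sign(priv, toSign(origin, nonce))
}
// Authenticate accepts a signature only from the registered key, over an unconsumed nonce this server issued, for its own origin.
func (s *Server) Authenticate(user string, nonce, sig []byte) error {
	pub, ok := s.Users[user]
	key := hex.EncodeToString(nonce)
	switch {
	case !ok:
		return errors.New("unknown user")
	case !s.Pending[key]:
		return errors.New("unknown or already used challenge")
	case !ed25519.Verify(pub, toSign(s.Origin, nonce), sig):
		return errors.New("signature does not match this origin and challenge")
	}
	delete(s.Pending, key) // consume it so a replayed signature fails next time
	return nil
}
```

A failed attempt leaves the nonce pending, so a user whose device was briefly pointed at the wrong origin can still complete the genuine login with the same challenge.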

Conclusion

The risks posed by compromised credentials are among the biggest threats facing organizations today. As more IT and security leaders come to recognize and fix the security holes created by passwords, we stand a better chance of protecting against cybercriminals intent on hacking organizations and stealing data.

Replacing old solutions with passwordless technology is a fundamental way of strengthening an organization’s defenses, as well as eradicating the frustrations felt by users in the verification processes. The benefits of passwordless are already being recognized, and as traction increases, more businesses will join the move towards a safer future. We need to move rapidly towards a world where we never have to ask another user to create a password.

Source of this news: https://www.helpnetsecurity.com/2021/11/11/passwordless-technology-truth/
