Is passwordless authentication the new reality to eliminate password attacks?

Tech experts have long argued about the problems that arise from using passwords. Is it time to eliminate them altogether?

Be it signing into a social media account, mobile banking, or our workplace, all our online accounts require a username and password. Because creating a new, different password for every account and remembering it is a challenge, most of us end up reusing passwords across accounts.

According to a study by the Michigan-based Ponemon Institute, which is known for its research on privacy and information security, people reuse an average of five passwords in total across their business and personal accounts. This means a single compromised password can set off a chain reaction of liability.

For many users the password is simply password@12345, name@12345, or their date of birth or anniversary, all of which can easily be guessed from information published alongside their email ID and on their social profiles. Although tech companies have of late introduced two-factor authentication and made special characters and numbers mandatory in passwords, none of this is foolproof: a password is still a shared secret that can be phished, leaked or guessed.

That is one reason why the industry is actively moving towards a passwordless world. Although it might sound like a lot, according to Microsoft's Azure Active Directory (Azure AD) authentication log data for 2022, there are 921 password attacks every second, nearly double the frequency of the previous 12 months.

How does passwordless authentication work?

Passwordless authentication is a form of multi-factor authentication that replaces the password with a more secure alternative. It verifies a user account using a combination of stronger factors, such as a fingerprint, a PIN, the device's characteristics or its location, and digital tokens, among others. Multi-factor authentication itself is not brand new: two-factor authentication has been available on many email accounts for years.

Moreover, using a password, PIN or biometric together with a one-time password (OTP) is already widespread, and often mandatory, in consumer apps, especially financial ones. However, this still requires the human to do all the legwork. What passwordless authentication aims to do is remove as much of that human element as possible.

Signing in with this type of authentication uses two or more verification factors backed by a cryptographic key pair. When the device is registered, it generates a public key and a private key. The private key never leaves the device and can only be unlocked by a local gesture such as a biometric or a PIN. The public key is not secret: it is handed to the service (or, in an enterprise deployment, to the organisation's identity provider), which stores it against the user's account. At sign-in the service sends a fresh random challenge, the unlocked private key signs it, and the service checks the signature with the stored public key. No shared secret that could be phished or leaked ever crosses the network.
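The registration and sign-in flow described above, as an added example that is not code from the original article or from any FIDO implementation: the relying party stores only an Ed25519 public key, the device signs a fresh challenge bound to the origin it sees once a PIN (standing in for the PIN or biometric gesture) unlocks the private key, and the service verifies with its stored key. The names bank.example, bank-login.example and alice and the PIN 4821 are constructed for the example; real WebAuthn authenticators receive the origin from the browser rather than as a parameter, and the PIN-hash check is a simplification of the hardware-enforced unlock.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Authenticator models the user's device; the local gesture that unlocks the key is a PIN-hash check.
type Authenticator struct {
	priv    ed25519.PrivateKey
	pinHash [32]byte
}

// RelyingParty models the online service. It stores only public keys, one per user.
type RelyingParty struct {
	id   string // origin the service answers for, e.g. "bank.example" (assumed name)
	keys map[string]ed25519.PublicKey
}

// Register runs at enrolment: the device mints a fresh key pair and sends only the
// public half to the service, which stores it against the account.
func Register(rp *RelyingParty, user, pin string) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.keys[user] = pub
	return &Authenticator{priv: priv, pinHash: sha256.Sum256([]byte(pin))}, nil
}

// signedData binds the challenge to the origin the device believes it is talking to,
// so a signature minted for one origin cannot be replayed to another.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(origin))
	return append(h[:], challenge...)
}

// Sign is the device's half of sign-in: the local gesture unlocks the private key, which
// signs origin||challenge. A wrong PIN leaves the key locked and yields no signature.
func (a *Authenticator) Sign(pin, origin string, challenge []byte) ([]byte, error) {
	if h := sha256.Sum256([]byte(pin)); subtle.ConstantTimeCompare(h[:], a.pinHash[:]) != 1 {
		return nil, errors.New("local gesture failed: private key stays locked")
	}
	return ed25519.Sign(a.priv, signedData(origin, challenge)), nil
}

// Verify is the service's half: it checks the signature with the stored public key
// against its own id, never against an origin the client claims.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.keys[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, signedData(rp.id, challenge), sig)
}

// Result: genuine login verified (expect true), wrong PIN produced a signature (expect false),
// signature made for a look-alike origin accepted by the bank (expect false).
type Result struct{ Legit, WrongPIN, Phished bool }

// RunScenario plays out enrolment, a genuine login, a failed local gesture and a phishing
// relay. The user name, PIN and origins are constructed for the example.
func RunScenario() (Result, error) {
	var r Result
	bank := &RelyingParty{id: "bank.example", keys: map[string]ed25519.PublicKey{}}
	dev, err := Register(bank, "alice", "4821")
	if err != nil {
		return r, err
	}
	ch := make([]byte, 32) // the service issues a random challenge that must be signed
	if _, err := rand.Read(ch); err != nil {
		return r, err
	}
	// 1. Genuine sign-in at the real origin.
	sig, err := dev.Sign("4821", "bank.example", ch)
	if err != nil {
		return r, err
	}
	r.Legit = bank.Verify("alice", ch, sig)
	// 2. Holding the device without the PIN does not unlock the key.
	_, err = dev.Sign("0000", "bank.example", ch)
	r.WrongPIN = err == nil
	// 3. Phishing: a look-alike site relays the bank's real challenge, but the device
	// signs for the origin it actually sees, so the bank's verification fails.
	sig, err = dev.Sign("4821", "bank-login.example", ch)
	if err != nil {
		return r, err
	}
	r.Phished = bank.Verify("alice", ch, sig)
	return r, nil
}

func main() {
	r, err := RunScenario()
	fmt.Println(r, err) // prints {true false false} <nil>
}
```

The third attempt is the property behind the "zero cases of password phishing" claim further down: a look-alike site can relay the genuine challenge to the victim, but the signature it collects covers the look-alike origin and fails verification at the real one, and there is no password for the victim to type into the wrong page. A production relying party must additionally expire each challenge after one use; Verify here is stateless for brevity.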

Is passwordless authentication secure?

Wondering whether passwordless authentication is safe? Here is what Mark Risher, Director of Product Management, Identity and User Security at Google, told Business Today last year. "It is perfectly safe to use passwordless authentication, and it can even be safer than the traditional username/password approach," Risher had said.

The tech behemoth has adopted a passwordless authentication standard called FIDO (Fast Identity Online) for its employees and its temporary vendor base globally. "Since doing that in 2017, we've had zero cases of password phishing. We have since been working on ways to roll this out for our users externally," said Risher.

Passwordless authentication not only offers a more secure login experience but also removes the weak password that attackers target. It is being increasingly adopted by enterprises globally, including financial, IT, telecom, retail and healthcare companies in India, as well as by some government services such as Aadhaar. This growth is driven by digital transformation initiatives, alignment with zero-trust initiatives for digital identity, the adoption of decentralised identity models, and the need to bolster defences against ever-rising, more sophisticated cyberattacks.

In a joint effort to make the web more secure and usable for all, Apple, Google and Microsoft plan to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium.

Published on: May 06, 2022, 11:53 AM IST
Posted by: Mehak Agarwal, May 06, 2022, 11:48 AM IST