The world’s worst-kept secret and the truth behind password-less technology


One of the biggest security risks in modern businesses is the massive use of passwords as the primary authentication method for different applications. When the technology was first developed, passwords were viewed by individuals and businesses as a safe way to secure access to sensitive systems and data. Today, however, the loopholes behind this form of authentication are clear: not only do passwords make life more difficult for the user, but they also create a false sense of security and leave significant gaps in a company’s defenses.

Because of this, many companies are starting to switch to passwordless technology. However, there is still some confusion over what exactly counts as “passwordless” authentication. Some solutions that claim to fall into the category simply save and enter the password on behalf of the user, or replace it with something that is equally insecure, such as a magic link or a one-time password.

Understanding what truly constitutes a passwordless solution is the first step towards a more secure future for organizations, as well as towards removing the frustrations and tedious processes that users have to go through just to verify their identity.

The risks behind passwords

Passwords are one of the most popular ways for criminals to break into corporate networks and consumer accounts. In fact, the Verizon 2021 Data Breach Investigations Report found that 61% of breaches over the past year involved login credentials, and over 11 billion compromised accounts are currently listed in breach databases.

The fundamental flaw is that passwords are a “shared secret”. This means that both sides of the exchange are in on the secret (the password) and have it stored. The application stores these passwords in a database, making that database an obvious target for cybercriminals. Passwords become the proxy identity for users, and users often choose passwords that relate to something in their life, including names and important dates, to make them easier to remember. But that also makes it easier for adversaries to guess their passwords and gain access to sensitive data.

In recent years, criminals have been more successful than ever at deceiving their targets into giving up their login details for various accounts. They deploy fake websites that mimic the real one, capture the password, and then log the attacker into the legitimate website. They also design malware that runs on the user’s device and steals the credentials when the user enters them. If passwords are reused across multiple accounts, the theft of one password can open access to multiple systems. And since users often pick easy-to-guess passwords such as their favorite soccer team or movie character, adversaries can simply use brute-force techniques, systematically trying popular passwords against login pages until one gives them access.

While some users have taken expert advice and opted for more complex passwords from a password generator, they remain at risk, because the techniques mentioned above (phishing sites and credential-stealing malware) simply do not care whether the password is four or four hundred characters long.

Even password managers, which store passwords securely, are not a complete solution. When a phishing email reaches the inbox and a password is submitted to a fake site through the password manager, the criminals still win. These methods lead users and organizations to believe they are more secure than they really are. Ultimately, authentication that relies on a “shared secret” can and will be compromised.

Understanding the alternatives

Considering all the downsides associated with passwords, the headaches they create for users, and the security risks and management overheads that organizations face – from password resets to account recovery – finding more streamlined and secure ways to verify users and their identities should be a strategic security priority.

However, caution should always be exercised when considering alternatives that merely appear to be “passwordless”. Any method that uses a shared secret can be compromised. Adding further protection to passwords in the form of multi-factor authentication (MFA) has its own challenges. Beyond the extra steps, which are often inconvenient for users, legacy MFA approaches still rely on the password as the initial security check, so the weak point in the security chain has not been removed.

Cybercriminals can hijack both the password and the MFA codes via man-in-the-middle or man-in-the-endpoint attacks and then start a malicious session. Two shared secrets are not much more secure than one. Any MFA solution that relies on a stealable second factor is simply not secure enough to withstand modern attackers.

A truly passwordless approach removes both the security risks inherent in passwords and the legacy MFA approaches that rely on passwords or other forms of shared secrets. A sound approach is to remove the password from the login flow, the application database, and the account recovery flow, and replace it with something inherently secure. The most reliable replacement for passwords is proven public/private key cryptography, so that no shared secret is ever exchanged. This is the same approach used to protect financial transactions over the Internet in the form of Transport Layer Security (TLS). TLS, indicated by the lock icon in the browser, proves that the user is communicating with the legitimate server over a secure, private channel. TLS uses public/private key cryptography to validate the server and to set up that secure communication channel.

Passwordless authentication based on public/private key cryptography keeps the private key securely on the user’s device itself. The most secure solutions store the key in specialized hardware available on modern devices (PCs, phones and tablets), so that the private key never leaves the device and remains unknown to all parties. The public key is made available to the applications a user wishes to access, but the public key alone cannot be used to get into the system. At login, a message signed with the private key is sent to the server, where the registered public key is used to verify that the signature was produced by the matching private key, thus authenticating the user with confidence and without any shared secret being exchanged. Even the user does not have access to the private key, so there is nothing that can be written down and accidentally lost or disclosed.
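As an added example, not code from the article, the Go program below sketches the registration and login exchange just described using the standard library’s Ed25519: the private key stays inside the Device, the Server stores only the public key and issues a fresh random challenge for each login, and the device binds its signature to the site origin it sees, which goes one step beyond the text by showing that a signature produced for a look-alike site fails to verify at the genuine one. The user name, origin strings and the 32-byte challenge size are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Device stands in for the user's hardware key store: the private key never leaves it.
type Device struct{ priv ed25519.PrivateKey }

// Server stores public keys only, so its database holds nothing an attacker can log in with.
type Server struct {
	pubKeys map[string]ed25519.PublicKey
	origin  string // the site's own identity; "https://app.example" in the test is a constructed value
}

func NewServer(origin string) *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, origin: origin}
}

// Register generates the key pair on the device and hands only the public half to the server.
func Register(s *Server, user string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.pubKeys[user] = pub
	return &Device{priv: priv}, nil
}

// NewChallenge returns a fresh random nonce per login, so a captured signature cannot be replayed.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Sign signs the challenge bound to the origin the device sees, so a look-alike site's signature fails elsewhere.
func (d *Device) Sign(origin string, challenge []byte) []byte {
	return ed25519.Sign(d.priv, append([]byte(origin+"|"), challenge...))
}

// Verify checks the signature against the stored public key and the server's own origin.
func (s *Server) Verify(user string, challenge, sig []byte) error {
	if pub, ok := s.pubKeys[user]; !ok || !ed25519.Verify(pub, append([]byte(s.origin+"|"), challenge...), sig) {
		return errors.New("unknown user or signature does not verify")
	}
	return nil
}
```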


The risks posed by compromised credentials are one of the biggest threats organizations face today. As more IT and security managers realize and fix the security holes created by passwords, we stand a better chance of protecting ourselves against cybercriminals who seek to hack into organizations and steal data.

Replacing old solutions with passwordless technology is a fundamental way to strengthen an organization’s defenses, as well as to eradicate the frustrations that users experience in verification processes. The benefits of passwordless authentication are already being recognized, and as adoption grows, more and more businesses will join the move towards a more secure future. We need to move quickly to a world where we never have to ask another user to create a password.
