The lowly password is much-maligned as the weakest link in any company’s security defenses. That’s for good reason: Password reuse, weak passwords, a failure to change them on a regular basis and other human errors undermine the effectiveness of this de facto standard for authentication. That, in turn, has spurred start-ups, established security companies, industry coalitions and government agencies to work on concepts for moving beyond it. But in terms of adoption, these efforts are still immature.
The stakes are of course high: Nearly all data breaches start with compromised passwords. These are harvested via sophisticated phishing, brute force attacks, social engineering, malware exfiltration and more – and yet, the password remains the first, and sometimes only, line of defense against cyberattacks.
Alternatives to passwords include biometrics (like Apple’s FaceID function), social media authentication (like “Log In with Facebook”), and more unusual ideas like two-tap authentication, where a browser-based button opens an email link to verify a person’s identity. There’s also the FIDO Alliance’s FIDO 2.0 universal two-factor authentication standard, which is being adopted by financial institutions worldwide; and its offshoots, like the World Wide Web Consortium’s WebAuthn approach, which eliminates the password requirement by implementing a cryptographic technique aimed at reducing friction for users.
“The login experience is continually changing based on user demand and the need to protect against today’s sophisticated cybercriminal landscape,” said Martin Gontovnikas, vice president of marketing and growth at Auth0, which is an identity-as-a-service vendor that implements WebAuthn. “Passwordless [approaches are] a signal of the kind of industry change we are all heading toward.”
At least one security researcher, however, has declared that efforts to kill the password are set up to fail from the get-go, because alternate authentication systems have a fundamental usability problem: They require the user to learn how to do something different from what they’re used to.
“The one thing that the humble password has going for it over technically superior alternatives is that everyone understands how to use it. Everyone,” said Troy Hunt, creator of HaveIBeenPwned, in a blog published Monday. He added, “As soon as you ask people to start doing something they’re not familiar with, the risk of them simply not going through with it amplifies and defeats the whole point of having the service in the first place.”
Hunt acknowledged the promise of biometric approaches like Apple’s FaceID and FIDO/WebAuthn, but noted, “they don’t replace passwords, rather provide you with an alternate means of authenticating.” He added that with WebAuthn, “the great hope is that it might redefine authentication to online services in an open, standardized way and ultimately achieve broad adoption. But that’s many years out yet.”
Statistics bear out this declaration: While alternatives to passwords are showing up more and more across services and application logins, in the grand scheme of things, these approaches have many inroads to make before they even come close to replacing passwords.
In a survey of its users released over the summer, Auth0 found that only 19.4 percent are using its WebAuthn-based “Passwordless” feature. Social-media verification fares better, with Google leading the pack (60.3 percent), followed by Facebook (24.1 percent). Trailing far behind though are LinkedIn (8.8 percent), GitHub (7.1 percent), and Windows Live (6.8 percent). And only 11.4 percent of Auth0 customers are using risk-based multifactor authentication, which uses factors such as geographic location, IP filtering, type of device and other tell-tale hints for identity verification.
“Adoption rates of MFA are on the low end due to the perception of added friction it supposedly creates for users, but it’s a critical feature for stopping phishing attacks, as well as decreasing the probability of getting hacked,” the report noted.
Those numbers represent a cross-section view of one customer set that already uses a password management platform (Auth0). Percentages across the general corporate population are likely much lower. Set this against the backdrop of an ongoing explosion in password usage, and it becomes clear that killing the password is perhaps an unrealistic goal.
A report from Cybersecurity Ventures last year found that the number of passwords in use will likely surpass 300 billion by 2020. In just a few years, humans will be using over 100 billion passwords (while the number of people online is expected to grow to a little over 4 billion by 2020), with IoT devices and connected machines accounting for an additional 200 billion passwords.
While passwords are likely to be with us for some time, the prevalence of data breaches may spur corporations to explore alternatives, despite any added user friction that they may introduce: Gartner predicts that, through the end of 2020, enterprises that invest in new authentication methods and compensating controls will experience 50 percent fewer identity-related security breaches than peers that do not.
“Some of these controls can provide other significant security benefits, and implementation can likely be justified on those benefits alone,” said the firm. “A secure email gateway (SEG), for example, can help combat phishing attacks. Other controls are specific to password risks, and the decision to implement should be made on a cost-benefit basis.”
Hunt, for his part, said that companies should look for solutions that “improve the password situation rather than solve it… without fundamentally changing the way people authenticate.”
For instance, Hunt noted in an earlier posting that taking into account anomalies to behavioral norms is a smarter way to beef up authentication security. He recommended not eliminating passwords, but rather implementing a staged access model.
“Once someone is successfully authenticated, should they have full access to all features?” he said. “For example, if it took a few goes to get the password right and they’ve come in from a previously unseen browser in a different country to usual, should they have unbridled access to everything? Or should they be limited to basic features and must verify they still control the registered email address before doing anything of significance?”
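The staged access model Hunt describes above, and the risk-based signals (location, device) mentioned earlier in the Auth0 survey, can be reduced to a small policy decision taken after the password check has already succeeded. The following Python is an added illustration written for this page; it is not code from Hunt, Auth0 or any vendor. The `LoginEvent` and `AccountHistory` shapes, the three signals scored, the weights and the thresholds are all assumptions constructed for the example.

```python
"""Staged-access decision after a correct password (added illustration).

Assumptions (not from the article): the event/history shapes, the signals,
the weights and the thresholds below are constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class LoginEvent:
    """Context gathered for a login whose password check already succeeded."""
    failed_attempts: int              # wrong passwords entered before the right one
    browser_id: str                   # fingerprint/cookie id of the client browser
    country: str                      # geolocated country of the source address
    email_verified_now: bool = False  # user just proved control of the registered inbox


@dataclass
class AccountHistory:
    """What the service already knows about this account (constructed)."""
    known_browsers: set = field(default_factory=set)
    usual_country: str = ""


# The two tiers in the staged model: everything, or basic features only.
FULL = "full"
LIMITED = "limited"

# Constructed weights: each anomaly Hunt names adds to a risk score.
FAILED_ATTEMPT_THRESHOLD = 2   # "a few goes" before the password was right
WEIGHTS = {"retries": 1, "new_browser": 1, "new_country": 2}
LIMIT_AT = 2                   # a score at or above this limits access


def risk_signals(event: LoginEvent, history: AccountHistory) -> dict:
    """Return the anomaly signals that fired for this login, with their weights."""
    fired = {}
    if event.failed_attempts >= FAILED_ATTEMPT_THRESHOLD:
        fired["retries"] = WEIGHTS["retries"]
    if event.browser_id not in history.known_browsers:
        fired["new_browser"] = WEIGHTS["new_browser"]
    if history.usual_country and event.country != history.usual_country:
        fired["new_country"] = WEIGHTS["new_country"]
    return fired


def access_tier(event: LoginEvent, history: AccountHistory) -> str:
    """Decide the access tier granted after a successful password check.

    A normal-looking login gets full access. An anomalous one is held at the
    limited tier until the user confirms the registered email address.
    """
    score = sum(risk_signals(event, history).values())
    if score < LIMIT_AT:
        return FULL
    return FULL if event.email_verified_now else LIMITED


def record_trusted(event: LoginEvent, history: AccountHistory) -> None:
    """Once a browser has been verified, remember it so it is not 'unseen' next time."""
    history.known_browsers.add(event.browser_id)


if __name__ == "__main__":
    # Constructed account: one known browser, usually logs in from Australia.
    history = AccountHistory(known_browsers={"browser-A"}, usual_country="AU")
    routine = LoginEvent(failed_attempts=0, browser_id="browser-A", country="AU")
    odd = LoginEvent(failed_attempts=3, browser_id="browser-Z", country="US")
    print("routine login ->", access_tier(routine, history))
    print("odd login     ->", access_tier(odd, history), risk_signals(odd, history))
```

Note that a single unfamiliar browser on its own does not cross the limit, while a change of country does; the weights are where a service encodes its own tolerance, and the email step is the only way out of the limited tier, which is the point Hunt makes about proving control of the registered address before doing anything of significance.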
Self-proclaimed “password-killers,” on the other hand, are unrealistic in their goals, he argued.
“Every single solution I’ve seen that claims to ‘solve the password problem’ just adds another challenge in its place thus introducing a new set of problems,” he said. “This is why [new approaches are] not a password killer and why, for the foreseeable future, we’re just going to have to continue getting better at the one authentication scheme that everyone knows how to use: passwords.”