No passwords allowed

Passwords are the most common and familiar way of authenticating users and granting them access to online accounts and data. However, passwords are also one of the most vulnerable ways of securing digital resources.

Passwords can be easily obtained on the black market, leaked, or cracked by hackers, and they can cause frustration and inconvenience for users who have to remember and manage multiple passwords. Could going passwordless be a viable alternative to continually managing and strengthening passwords?

The Problem with Passwords

According to Francois Scheün, Systems Engineer at Fortinet South Africa, passwords are one of the weakest links in the cybersecurity chain. Despite awareness campaigns around the risks of weak passwords, many users still rely on simple and predictable passwords such as ‘admin’, ‘qwerty’, ‘12345’, and ‘password’. 

These passwords can be easily guessed or cracked by hackers using brute force or dictionary attacks. The 2022 Verizon Data Breach Investigations Report revealed that 82% of attacks exploited the human element, often the user identity itself. Insufficient policies or enforcement around password management increase the likelihood of a security breach. In fact, compromised credentials are involved in nearly 50% of attacks.

Scheün points out that one of the reasons why users choose weak passwords is that they have difficulty remembering the long and complex combinations of letters, numbers, and symbols that make passwords stronger.

“Humans have cognitive limitations when it comes to memorising random strings of characters for every account and site they use,” he says. “They tend to resort to easy-to-remember words and phrases, or sequential letters or numbers. Worse, they tend to reuse the same passwords across multiple sites and accounts.

“This exposes them to password-based attacks, such as credential stuffing, where hackers use leaked password databases to try to access other accounts with the same credentials. Password extraction strategies such as phishing and social engineering are also becoming more sophisticated and convincing.”

The Advantages of Passwordless Authentication

Passwordless authentication is a method that allows a user to log into a digital resource such as a banking website, without entering a password. Instead, they are verified and granted access using tools such as biometrics, facial recognition, hardware, or digital tokens.

“Passwordless authentication reduces the risk of compromise because there is nothing that can be stolen or leaked like there is with regular passwords. Another significant benefit is convenience. Passwordless access eliminates the hassle of memorising passwords and possibly risky behaviours like password reuse or maintaining password lists.”

Another way to simplify secure access is Single Sign-On (SSO), an identification method that enables users to log in to multiple applications and websites with just one set of credentials.

SSO streamlines the authentication process for users. When a user logs in to an application, they are automatically signed into other connected applications, regardless of the domain, platform, or technology they are using.

Says Scheün: “An example of SSO is when a user logs in to Google and their credentials are automatically authenticated across linked services, such as Gmail and YouTube, without having to separately sign in to each individually. This eliminates the need to manage and remember multiple usernames and passwords across various accounts and services.”

Fortinet offers easy deployment of SSO with centralised identity management that authenticates users with both traditional and modern web and cloud authentication protocols.

Biometric authentication is one of the most popular forms of passwordless authentication, as it leverages the unique identification features of users such as fingerprints or facial recognition. However, the technology has some drawbacks as well, says Scheün.

“Biometric authentication relies on the fact that unique identification features such as fingerprints will not change much, if at all, over the course of their lifetimes. This also means that if a data breach occurs and a central repository is compromised, the fingerprints of those users will always be at risk.”

Need for convenience

Scheün believes that the need for convenience will drive the demand for passwordless authentication.

“The ease of use around using passwordless technologies will accelerate their adoption. Users will connect to digital resources with less frustration and more peace of mind, knowing that they are secure.

“Passwordless authentication is a promising solution to overcome the limitations and risks of passwords and to provide a better user experience and a stronger security posture for organisations. However, passwordless authentication is not yet widely adopted and supported, and it may have its own challenges and drawbacks.

“Also, not all digital resources and platforms have the capability to support passwordless authentication methods currently, but as adoption grows, this will change.”

For example, the global FIDO Alliance is helping to reduce the world’s reliance on passwords by providing open and free authentication standards using UAF, U2F and FIDO2.

Scheün is clear that until passwordless technologies are more mainstream and widely adopted among consumers, it is important to keep following the password complexity best practices and adopt a Zero-Trust approach to securing systems and data.

Zero Trust Access is a concept that requires constant authentication and validation of users, devices, and access and is highlighted by least privileged access to resources. The first stage in the Zero Trust Access ecosystem is to authenticate and validate the user’s identity and the device from which the user is connected. Passwordless technology has the potential to become a key component of this process. For customers looking to protect their most critical assets with a Privileged Access Management solution, a passwordless approach provides enhanced security.

One of the tactics that users should adopt to maintain good cyber hygiene, besides strong passwords, is using multi-factor authentication (MFA) to secure their online accounts. MFA adds an extra layer of protection by requiring additional credentials such as a one-time passcode (OTP) that hackers cannot obtain even if they have the username and password. Fortinet’s identity and access management (IAM) solution offers MFA capabilities that make it harder for cybercriminals to compromise personal information.

Moreover, Fortinet’s FortiToken 400 is an all-in-one USB security key that supports the latest FIDO authentication standards and enables passwordless login for online services. This reduces the reliance on passwords while enhancing security and privacy. 

“A strong cybersecurity education is another key component that is critical to protecting yourself, your family, and your employer from compromise,” says Scheün.