Passwords have gotten a lot of attention lately. Why? Because they pose a double threat with hackers and users. According to the Verizon 2023 DBIR, 86% of breaches involve stolen, weak, or default passwords. Of those breaches, 74% involve the human element, which includes social engineering attacks, errors, or misuse.
Passwords were never the ideal security solution for the modern, interconnected world. Much of what we do today is online — work, school, citizen services, shopping, and more. And what's the first thing users are hit with every time? The dreaded username and password prompt before the journey can continue.
Furthering the problem is the fact that the average internet user has 240 online accounts that require a password. Are we really expected to have a unique password to remember for each account? Hackers know all too well the answer is no, making passwords a ripe opportunity for hackers but a significant threat to everyone else.
Some of the challenges passwords create for users are directly responsible for their security shortcomings, and include:
Complexity: Many systems require complex passwords, which make them more difficult to crack — and more difficult to remember. As a result, users rarely change their passwords — if credentials are scraped in a data breach, they may be exploited again and again.
Reuse: Consumers have numerous online accounts, and many people use the same passwords again and again. This means that if one account has been compromised, attackers may have access to multiple accounts.
Password resets: When users forget their passwords, they must endure a time-consuming reset process, resulting in lost productivity, account lockout, and high rates of abandonment. The fact that most password reset requests send a link to a user's email address makes them vulnerable to interception.
How passwords are stolen
Attackers have a range of tools at their disposal, some of which have been around for years and some that are emerging. In particular, the use of generative AI has the potential to crack passwords and develop new methods of attack far faster than humans ever could.
Social engineering and phishing
Social engineering techniques or phishing attacks often trick users into revealing their passwords through fake emails, websites, text messages, and phone calls, and it is becoming difficult to distinguish fake messages from legitimate ones. Business email compromise, for example, involves impersonating executives within an organization to convince employees that the email is legitimate and to follow its instructions, which may include exposing intellectual property and other sensitive data.
In a brute-force attack, attackers systematically try all possible combinations of passwords until they find the correct one. With the tools and software programs available today, including generative AI, sophisticated attackers can rapidly attempt billions of password combinations, making weak passwords especially vulnerable.
Credential stuffing attacks
Attackers take advantage of people who reuse passwords across multiple accounts by using stolen credentials to gain unauthorized access to other accounts. This type of attack relies on the fact that many users — half, according to TechRadar — use the same password for multiple accounts.
MFA prompt bombing
Not even multi-factor authentication (MFA) is immune to attacks. One of the most sophisticated authentication attacks over the last couple of years is known as MFA prompt bombing. This social engineering attack relies on inattentive users absentmindedly approving mobile push notifications set off by bad actors, allowing the attackers to essentially defeat MFA.
There are several types of malware created specifically to steal usernames and passwords along with other sensitive information. Keyloggers, for example, record a victim's keystrokes so the attacker can steal login credentials. If clipboard hijacking malware is installed on a user's device, it can monitor the clipboard for sensitive information, which it sends to the attacker. And a credential harvester is a malicious extension to a website or application — once installed it records any information users enter during the login process.
Attackers have begun training AI engines to crack passwords, perform account takeover (ATO), and develop and automate new malware. They can use generative AI to create more sophisticated and targeted phishing attacks that appear far more convincing than those of the past.
Because generative AI makes it much easier to impersonate others, malicious actors are using it to deliver attacks known as “deepfakes” and create synthetic identities. Synthetic identities combine a real identifier, such as a Social Security number or date of birth, with falsified personal information (name, contact information) to create a new, fictitious identity. These fake identities can be used to apply for and obtain loans and credit cards, open accounts, or submit false claims for unemployment or medical care.
It's time to go passwordless
There are multiple ways to make it harder to steal passwords, but the only way to eliminate the threat completely is to eliminate passwords. Passwordless authentication removes the need for a password and minimizes the threats related to credential-based attacks, including account takeover (ATO), fraud, and data breaches. Not only are data breaches costly in the short term, but they can have long-term consequences. A recent survey, for example, showed that 78% of Americans are wary about doing business with a retailer that has experienced a breach.
By going passwordless you not only get better security but you can also increase workforce productivity and customer satisfaction by removing access barriers to systems and online services. The result? A secure business with happy users and less time and money spent on helpdesk support.
How to go passwordless
When it comes to passwordless, one size does not fit all. That's true for the enterprises that implement passwordless and it's true for users — people want choices. No matter where you are on your passwordless journey, there are steps you can take today to eliminate passwords.
- Offer a passwordless factor: Various methods can be used as a multi-factor authentication (MFA) factor, such as push notification, one time passcode (OTP), or emailed magic links. A passwordless factor reduces friction and improves on the security of a standard login, but cannot be characterized as passwordless because it relies on usernames and passwords. A passwordless factor is a great choice for applications where passwords cannot be eliminated completely. Consumer-facing sites and applications may offer several approaches, depending on their customers' devices and preferences.
- Provide a passwordless experience: The password is still present for those legacy apps that require it, but it's handled securely in the background, so users don't have to enter or even see it. This experience further reduces friction in MFA and improves security. Since the user doesn't interact with a password, you eliminate many of the risks associated with social engineering and generative artificial intelligence (AI) that can compromise something that users know — their passwords.
- Deliver complete passwordless: In this scenario, authentication occurs without the use of passwords. Instead, users can employ biometrics and private-key cryptography. Passkeys give users a simple and secure way to sign in without passwords by relying on Face ID or Touch ID. Since the user doesn't have a password — no password even exists — you eliminate all of its security risks and usability issues. Apple, Google, and Microsoft — the makers of so many popular devices, browsers, and operating systems — have rolled out support for the FIDO2 Web Authentication (WebAuthn) standard and passkeys, making it even easier to adopt passwordless authentication.
From better security to reduced costs and increased revenues, the elimination of passwords should be a board-level priority for every organization.
Interested in going passwordless but not sure where to start? Download 7 Steps to Passwordless Authentication: Best practices and questions to ask IAM providers.