2022-10-27
In the future, there will be no passwords—because you keep giving yours away
Your smartphone’s ability to scan your face and read your fingerprint is the key to better online security
Passwords have long been the linchpin in the machinery protecting our online accounts. Increasingly, they are seen instead as a weak link—one that some companies want to do away with entirely.
Following the current advice on how to securely log in to our accounts can feel like trying to keep up with how many blades are on the latest disposable razor. The guidance has changed over the years, from simple, memorizable passwords to unpronounceable strings of characters customized for each account, and stored in password managers. Most recently, we’ve been admonished that every login needs a second proof of identity, known as two-factor authentication—usually a number sent by text or email.
It’s clear now—before most people have started using two-factor authentication—that even that is merely another speed bump for hackers who want to get into our personal and work accounts. Even relatively unsophisticated hackers can rent systems by the hour that can get past such defenses. One such attack led to the theft of login credentials from almost 10,000 people across 130 organizations this summer, despite those accounts being protected by two-factor authentication, according to a report from cybersecurity firm Group-IB.
I wrote recently about how big tech companies are embracing “zero trust” approaches to security, and these trends are related. Companies and their networks can no longer trust when we enter our password and two-factor code that we are who we purport to be.
That’s partly because humans are trusting—gullible, even—and partly because the efforts to exploit that trait are constantly increasing. The number of unique websites used for so-called phishing attacks, which are designed to trick people into revealing their passwords, reached an all-time high in the second quarter of 2022, topping 1 million sites, according to a report by the Anti-Phishing Working Group, a tech-industry nonprofit. That’s a fourfold increase from the number of unique domains used in phishing attacks in early 2020.
Measured another way: “We are now seeing north of 1,000 password attacks per second in our systems,” says Alex Weinert, director of identity security at Microsoft.
Which is why Microsoft, Apple, Amazon, Google and hundreds of other tech companies are collaborating on closing this truck-size hole in internet security by doing something counterintuitive: For most of us, in most circumstances, they propose eliminating passwords altogether.
What ‘passwordless’ really means
Login systems that rely on human-readable information—passwords, push codes and the like—are all hackable no matter how many secret pieces of information we use to secure them, or which big tech company is responsible, says Ofer Maor, chief technology officer and co-founder of cybersecurity incident-response company Mitiga.
“In the last few months, everything that came to us started with a circumvention of two-factor authentication,” says Mr. Maor. Big companies or small, “it doesn’t matter, they all fall to the same adversary-in-the-middle and push-fatigue attacks.”
Adversary-in-the-middle is industry parlance for phishing attacks that trick users into entering their password and a second factor—like a code sent via a push alert or a text message—on a fake website that looks like the real thing. And push fatigue is what happened in the recent Uber Technologies hack. A contractor with access to Uber’s systems got tired of being spammed by push alerts requesting authorization to log in to an account, and finally approved one.
In a passwordless system, things are different. No human-readable information is transmitted between any device and the internet. All communication is encrypted. Your identity is verified when your device—say, a smartphone—sends a one-use code that only that phone could have generated. In this way, your device becomes your password.
The reason no one can just steal your phone and log into your accounts is, of course, that it’s secured with some kind of biometric—like your face or fingerprint. This is one reason why biometric readers are making their way into laptops, desktops and a variety of other devices.
Such a system eliminates the possibility of a phishing attack, says Andrew Shikiar, executive director of the FIDO Alliance, short for “Fast Identity Online.” It does this by completely removing the weak link—the human—from the login process. The FIDO Alliance, a who’s who of consumer tech companies, has for more than a decade been collaborating on passwordless—really, device-based—login systems. Alliance members like Apple, Google and Microsoft say they are close to rolling them out in the real world.
“The cool thing about FIDO is it’s the first time I’m aware of that we started from, ‘What does authentication in the cloud world need to work like?’” says Mr. Weinert of Microsoft. “The people who worked on the standard, who are from many companies, were really thinking through, what does it mean to make it unphishable and unguessable,” he adds.
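The mechanism described above, as an added example that is not from the article or the FIDO Alliance: a simplified device-based login in Go, with an Authenticator standing in for the phone and a Server for the real website. The key never leaves the device, each login signs a fresh random challenge, and the origin the browser is on is part of what gets signed, so a signature produced on a look-alike site is useless to the real one. The names, the "origin|challenge" message layout and the sample origins are this example's own assumptions, not the WebAuthn wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Authenticator models the phone: one private key per origin, generated on the device and never exported.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }
func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]ed25519.PrivateKey{}} }
// Register mints a key pair for one origin; only the public half ever leaves the device.
func (a *Authenticator) Register(origin string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	a.keys[origin] = priv
	return pub
}
// Sign answers a challenge for the origin the browser is really on; that origin is part of the signed bytes.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, bool) {
	priv, ok := a.keys[origin]
	if !ok { return nil, false } // no credential for this origin, so there is nothing to hand over
	return ed25519.Sign(priv, append([]byte(origin+"|"), challenge...)), true
}
// Server is the real site: stored public keys plus one outstanding random challenge per user.
type Server struct { Origin string; pubkeys map[string]ed25519.PublicKey; pending map[string][]byte }
func NewServer(origin string) *Server { return &Server{origin, map[string]ed25519.PublicKey{}, map[string][]byte{}} }
func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.pubkeys[user] = pub }
// Challenge issues a fresh 32-byte nonce, so a signature captured earlier cannot be replayed.
func (s *Server) Challenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil { panic(err) }
	s.pending[user] = c
	return c
}
// Verify checks the signature over the server's OWN origin and nonce, then consumes the nonce; a
// signature the user made on a look-alike site covers a different origin and fails here.
func (s *Server) Verify(user string, sig []byte) error {
	c, ok := s.pending[user]
	delete(s.pending, user)
	if pub := s.pubkeys[user]; !ok || len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, append([]byte(s.Origin+"|"), c...), sig) {
		return errors.New("login rejected: stale challenge, unknown user or signature bound to another origin")
	}
	return nil
}
// Login plays the browser: fetch a challenge, have the phone sign it for the address-bar origin, send it back.
func Login(a *Authenticator, s *Server, user, browserOrigin string) error {
	sig, ok := a.Sign(browserOrigin, s.Challenge(user))
	if !ok { return errors.New("no credential registered for " + browserOrigin) }
	return s.Verify(user, sig)
}
```

A relaying phishing site gets either nothing (no key for its origin) or a signature the real server rejects, and a captured signature cannot be replayed because the nonce is single use.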
Device-based authentication that can eliminate passwords isn’t new. For more than a decade, some companies with especially secure systems have had users plug a USB-based device into their work laptops, which wouldn’t connect to corporate or government networks without them. Still, only 16% of companies offer their employees the option of a passwordless login, according to a report earlier this year from Hypr, which sells such systems.
What’s making the broad rollout of passwordless systems possible now is, primarily, that biometric sensors that can recognize us have become nearly ubiquitous, says Todd McKinnon, CEO of identity-management company Okta.
“Ten years ago you didn’t have Touch ID, and Face ID, and Windows Hello,” he adds. “Ten years ago you had some weird thing that you plugged into your USB port. Is a normal user going to use that?”
In addition, we all have devices on our person at all times that are capable of the cryptographic calculations required to make a secure connection to systems on the internet, says Mr. Maor of Mitiga. The combination of the two—devices always at hand, and biometrics to easily log us into them—makes passwordless login systems not just possible but convenient, he adds.
From two-factor to whatever-factor authentication
Depending on how secure an organization wants to make its systems, a ‘passwordless’ login can be just the beginning of a process that can involve, well, passwords. At various points in the login process—starting with unlocking the phone itself—it’s possible to prompt users for a PIN, or a password, or to analyze their location, to make sure they’re not trying to log in from someplace that wouldn’t make sense for that person. It’s also possible to analyze a user’s actions to make sure they’re not behaving out of the ordinary, say by attempting to access things they normally wouldn’t.
One reason organizations might do all this is to determine whether a person is being coerced into accessing their account. Another is that sometimes employees go rogue, and a login system can be part of neutralizing an internal threat. As a result, Microsoft already does behavioral analysis of the more than 100 billion login events a day its systems handle, says Mr. Weinert.
Whether in the future companies will need to add yet more authentication factors to any given login process will all depend on how quickly hackers figure out how to defeat these new, stronger, passwordless login systems. “Some of my colleagues who are big security geeks are hearing companies talk about three-factor authentication, four-factor, and such,” says Mr. Shikiar of the FIDO Alliance. But what matters most, for now, is that device-based authentication is leaps and bounds more secure than today’s password-based systems.
Passwordless systems will also create new kinds of inconveniences. For example, how do you retrieve a lost password if you never had one in the first place? If this process is too difficult, employees can get locked out of their accounts and be unable to do their work.
On the other hand, if an account recovery process is too easy, it can become another way to hack into systems. Many companies are discovering that their processes for handing out credentials in the first place are weak, says Mr. Weinert. “For a lot of companies, it’s that you call the help desk and claim to be the person,” he adds. That opens up the possibility that attackers could sidestep even the most secure passwordless login system by simply convincing a human or some other system to enroll their own devices in the company system—no theft of credentials necessary.
The FIDO Alliance just rolled out its proposal for streamlining the process by which a device becomes a person’s means of logging in, which could help thwart such attacks, says Mr. Shikiar. This proposal involves automating the verification of images of government identity documents, but it’s just a first step. If hackers can no longer get in through the front door, as it were, attempts to get in through account recovery systems could become their next target.
Mr. Maor believes that passwordless login systems are better than what we have now, but that the ingenuity and motivation of hackers are bottomless. And that’s why today’s “passwordless” login systems could someday land us back where we started, entering more secrets that only we know—otherwise known as passwords.
“I have been doing this for almost 30 years now, and the reality is that for almost every solution we come up with, the balancing between security and usability means hackers can get in,” he adds.