Passwords are an essential line of defence against cybercrime but getting them right – and remembering them – is a nuisance. 

Passwords are also a weak control in practice: research cited by the World Economic Forum finds that four out of five global data breaches are enabled by weak or stolen passwords. 

Passwordless access technology is on the rise and could help businesses make devices, websites and applications more secure, security experts and network data say. 

Tech giants go passwordless

Technology companies, including Apple, Microsoft and Google, are increasingly offering passwordless access for their devices and applications. 

Microsoft started offering passwordless access to its applications in 2021. Users can remove the password from their Microsoft account entirely and sign in with any of several commonly used authentication methods instead.

These include the Microsoft Authenticator app, which users install on their smartphones. Instead of an enduring password, the app can generate a short-lived one-time code to sign in with. 

For account sign-ins it can also receive a "push approval": Microsoft sends a notification to the phone, and the user confirms that it is really them by selecting the number shown on the sign-in screen and unlocking the app with the phone's PIN or biometric.

Another password alternative is Windows Hello, which signs a user in to Windows 10 and 11 devices with a PIN, facial recognition or fingerprint; the PIN or biometric unlocks a key held on the device (in the TPM where one is available) rather than being sent to a server. There is also the option to use a security key – a physical FIDO2 device that proves possession by signing a random challenge with a private key that never leaves it – or to have verification codes sent to the user's phone or email. Of these, codes sent by SMS or email are the weakest: they can be phished or intercepted in much the same way as a password, whereas a security key's signature is bound to the genuine site's origin and is useless to a look-alike phishing page.
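To show concretely why a security key resists the phishing and theft that passwords do not, here is an added example written for this page (not code from the article, from Microsoft or from any FIDO product). It models, in Go, the challenge-response at the heart of FIDO2/WebAuthn: the website stores only a public key and issues a fresh random challenge, and the key signs that challenge together with the origin of the page asking for it. The names SecurityKey, RelyingParty and assertionDigest, the origin strings, and the simplified way the origin is hashed into the signed data are all assumptions for illustration; real WebAuthn signs the authenticator data plus a hash of the client data that carries the origin and challenge, and the browser itself refuses to involve the key when the origin does not match the registered site.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SecurityKey models a FIDO2 security key. The private key is generated on the
// device and never leaves it; the website only ever sees the public key.
type SecurityKey struct {
	priv *ecdsa.PrivateKey
}

func NewSecurityKey() (*SecurityKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SecurityKey{priv: priv}, nil
}

func (k *SecurityKey) PublicKey() *ecdsa.PublicKey { return &k.priv.PublicKey }

// Sign produces a signature over the challenge *and* the origin the browser
// reports for the page requesting it. A look-alike phishing site has a
// different origin, so whatever it gets signed will not verify at the real site.
func (k *SecurityKey) Sign(origin string, challenge []byte) ([]byte, error) {
	digest := assertionDigest(origin, challenge)
	return ecdsa.SignASN1(rand.Reader, k.priv, digest[:])
}

// assertionDigest hashes origin and challenge together; the zero byte keeps the
// two fields from running into each other. (Assumed layout, simplified from WebAuthn.)
func assertionDigest(origin string, challenge []byte) [32]byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0})
	h.Write(challenge)
	var d [32]byte
	copy(d[:], h.Sum(nil))
	return d
}

// RelyingParty is the website. It stores public keys only, so a breach of this
// table gives an attacker nothing that lets them log in.
type RelyingParty struct {
	Origin  string
	keys    map[string]*ecdsa.PublicKey
	pending map[string][]byte // one outstanding challenge per user
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{
		Origin:  origin,
		keys:    make(map[string]*ecdsa.PublicKey),
		pending: make(map[string][]byte),
	}
}

func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) { rp.keys[user] = pub }

// BeginLogin issues a fresh 32-byte random challenge. Because it is random and
// single-use, a captured signature cannot be replayed later.
func (rp *RelyingParty) BeginLogin(user string) ([]byte, error) {
	if _, ok := rp.keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// FinishLogin verifies the signature against the site's own origin and the
// challenge it issued, then discards that challenge.
func (rp *RelyingParty) FinishLogin(user string, sig []byte) error {
	pub, haveKey := rp.keys[user]
	c, havePending := rp.pending[user]
	if !haveKey || !havePending {
		return errors.New("no login in progress for user")
	}
	delete(rp.pending, user)
	d := assertionDigest(rp.Origin, c)
	if !ecdsa.VerifyASN1(pub, d[:], sig) {
		return errors.New("signature does not verify for this origin and challenge")
	}
	return nil
}

func main() {
	key, _ := NewSecurityKey()
	rp := NewRelyingParty("https://login.example.com") // assumed origin
	rp.Register("alice", key.PublicKey())

	// 1. Genuine login: browser at the real origin, key signs the real challenge.
	c, _ := rp.BeginLogin("alice")
	sig, _ := key.Sign(rp.Origin, c)
	fmt.Println("genuine login:", rp.FinishLogin("alice", sig))

	// 2. Phishing relay: the attacker fetches a real challenge, shows a look-alike
	// page and gets the user's key to sign, but the browser reports the phishing origin.
	c, _ = rp.BeginLogin("alice")
	phished, _ := key.Sign("https://login-example.com", c) // assumed look-alike origin
	fmt.Println("relayed phishing attempt:", rp.FinishLogin("alice", phished))

	// 3. Replay: resubmitting the earlier genuine signature fails because its
	// challenge has already been consumed.
	fmt.Println("replay of old signature:", rp.FinishLogin("alice", sig))
}
```

The two properties worth noticing are the ones passwords lack: nothing stored on the server lets an attacker log in, and the signed data names the origin, so a credential captured on a phishing page cannot be relayed to the genuine site.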

The perks of going passwordless

Before choosing to go passwordless, organisations may introduce new policies to try to make passwords stronger. 

According to Nigel Phair, enterprise director with the Institute for Cyber Security at UNSW Canberra, these policies can actually weaken an organisation's security.

For instance, some organisations require staff to change their passwords regularly. While many companies have controls intended to stop staff weakening their passwords in the process, some let them cut corners. 

For instance, their password for March might end in the number 3, and when they have to change the password in April, they’ll use the same password, but change the last number to a 4, Phair says. 
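A check for the cut-corners rotation Phair describes, as an added example written for this page (not from the article's sources or any product). It belongs at password-change time, when the user supplies the current password in the clear alongside the new one, so the server can compare the two without storing anything reversible. It strips the trailing counter or symbol that users bump each month and then compares what is left, and it also catches a new password that embeds the old one or differs from it by only a couple of characters. IsTrivialVariant, stem, the minimum stem length of four and the threshold of two edits are assumptions chosen for illustration; the sample pairs are constructed.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// stem lowercases a password and strips the trailing digits, punctuation and
// symbols that users typically bump when forced to rotate ("Summer3" -> "summer").
func stem(pw string) string {
	s := strings.ToLower(strings.TrimSpace(pw))
	return strings.TrimRightFunc(s, func(r rune) bool {
		return unicode.IsDigit(r) || unicode.IsPunct(r) || unicode.IsSymbol(r)
	})
}

func min3(a, b, c int) int {
	m := a
	if b < m {
		m = b
	}
	if c < m {
		m = c
	}
	return m
}

// levenshtein returns the edit distance between two strings, counted in runes.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	cur := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// IsTrivialVariant reports whether newPw is a cosmetic rework of oldPw: the same
// password with only the trailing counter or symbol changed, one password
// embedded in the other, or at most two characters edited (case-insensitive).
func IsTrivialVariant(oldPw, newPw string) bool {
	a, b := strings.ToLower(oldPw), strings.ToLower(newPw)
	if a == b {
		return true
	}
	sa, sb := stem(a), stem(b)
	// Only trust the stems when enough is left to be meaningful; otherwise
	// "1234" and "9876" would both stem to "" and compare equal.
	if len(sa) >= 4 && len(sb) >= 4 {
		if sa == sb || strings.Contains(sa, sb) || strings.Contains(sb, sa) {
			return true
		}
	}
	return levenshtein(a, b) <= 2
}

func main() {
	// Constructed example pairs (old password, proposed new password), not real user data.
	pairs := [][2]string{
		{"Winter2024!3", "Winter2024!4"},
		{"Summer3", "Summer2024!"},
		{"Tr0ub4dor&3", "Tr0ub4dor&4"},
		{"Tr0ub4dor&3", "zebra-motel-quilt-47"},
	}
	for _, p := range pairs {
		fmt.Printf("%-16q -> %-24q trivial variant: %v\n", p[0], p[1], IsTrivialVariant(p[0], p[1]))
	}
}
```

A rejection from this check should be paired with a screen against known-breached passwords; and, as the next paragraph notes, the stronger move is to drop forced rotation altogether so there is no monthly increment to police.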

Other companies have dropped periodic password changes in favour of having staff use a long password of 25 characters, phrased as a sentence, which they keep secure. This matches current guidance such as NIST SP 800-63B, which advises against forcing periodic changes and recommends requiring a change only when there is evidence the password has been compromised.

“People invariably have weak passwords, and people invariably use their passwords across multiple log-ins,” Phair says. 

Another vulnerability is the sheer number of unique passwords users are expected to remember. Many people solve that with a password manager – software that generates and stores login credentials – and, provided every password it holds is long, random and unique, that does remove guessing and reuse as problems. It cannot, however, stop a password being phished or stolen from a breached service, because the password still has to be typed or sent to the server on every login.

Craig McDonald, CEO and founder of Australian email security company MailGuard, says one of the primary benefits of passwordless access is improved security. 

“By eliminating the need for passwords, you also remove one of the most common attack vectors for cybercriminals,” he says.  

“Access methods like biometrics or cryptographic keys are unique to each individual, and are therefore more difficult to replicate, whereas passwords can easily be guessed, cracked through brute force attacks, or stolen in phishing scams or data breaches,” McDonald explains.

McDonald advises businesses to use passwordless access where possible, because it will provide them with a higher level of security and reduce the likelihood of successful attacks.

 

Excerpt from an article by Christopher Niesche in In the Black (CPA Australia).