Passwords: a thin line between love and hate

Unless you have been gifted with a photographic memory, this is likely going to sound very familiar. Picture it: You’re away from your desk and you need to access one of your apps from your phone. You attempt to sign in and get the dreaded message: “the username and password entered do not match our records.” Thus begins the time-consuming process of requesting a password reset, including coming up with a new password that doesn’t match something you’ve already used in the past. Despite the frustration you feel, passwords have been the cornerstone of keeping our online data secure for decades. In today’s digital landscape, however, we need more than passwords. Here’s a look at some of the key reasons why:

Vulnerability to cyberattacks

• Passwords are frequently targeted by phishing attacks, brute-force attempts, and credential stuffing.
• Stolen passwords are often sold on the dark web, putting sensitive information at risk.

Human limitations

• People struggle to remember complex passwords, leading to weak or reused credentials.
  • With advancements in AI, hackers can guess passwords faster and bypass traditional defenses.
• Common passwords like 123456 or password remain pervasive despite awareness campaigns.
  • Password managers, though helpful, aren't foolproof and can be compromised.

User frustration

• Password resets account for a significant share of IT help desk requests, creating frustration for users and costs for businesses.
  • “We’re reaching out to let you know that you haven’t updated your Dropbox Password since mid-2012, you’ll be prompted to update it next time you sign in. ...” - Dropbox Forces Password Reset for Older Users

Data breaches

• In 2023 alone, billions of credentials were leaked globally due to weak or reused passwords, becoming a year of record-breaking data breaches.
  • Enterprises spend millions annually on password-related issues, including resets, support and security measures. According to IBM, the average total cost of a data breach is $4.88 million.
• Reports show that over 65% of hacking-related breaches involve compromised credentials.

Passwordless authentication

Passwordless authentication can be used as a method of verifying a user's identity without relying on traditional passwords. Instead, it uses other forms of verification, such as:

• Hardware tokens: security token or smartphone.
• Biometrics: fingerprints, facial recognition or retina scans.
• Special links: links shared with the user that log them in automatically.
• A combination of all forms of verification.

Passwordless authentication methods typically rely on public-key cryptography infrastructure where a pair of keys are generated. The security of public-key cryptography depends on keeping the private key secret, while the public key can be openly distributed without compromising security. Thus, the public key is provided during registration to the authenticating service (remote server, application or website) while the private key is kept on a user’s device (security token, smartphone) and ideally can only be accessed by providing an additional authentication factor (PIN, biometric).

How passwordless authentication mitigates common cybersecurity threats

The main problem associated with password reuse is credential stuffing, and it involves reusing the password obtained from a data breach from one site to try and access accounts on other sites. Users typically reuse passwords across multiple sites, thus one breach could compromise all their accounts. In passwordless authentication, passwords aren’t used, thus users can’t be subject to credential stuffing.

Phishing is a form of social engineering as well as a scam where attackers deceive people into revealing sensitive information. For the use case we are dealing with, this sensitive information would be an authentication factor such as a password, the hardware token or the log-in link. As you can guess, in a passwordless workflow, the password doesn’t exist, and users are also quite reluctant to share their security keys or their biometric data.

A brute-force attack is like a digital battering ram—attackers attempt to gain access to an account or system by trying every possible password combination until they find the right one. It's a method of trial and error, relying on sheer computational power rather than any sophisticated trickery. In a passwordless environment, such attacks are almost ineffective because public key cryptography is much more difficult to break than a password due to the computational effort needed for a brute-force attack to succeed. In addition, having more than one authentication factor, such as a biometric scanner or a security key, makes it virtually impossible for such attacks to happen.

In summary, many of the attacks that could occur in a password-based environment are minimized, or even eliminated, if we use a passwordless authentication workflow.

Why move from password to passwordless?

There are several reasons to make the move to passwordless authentication. In fact, some large companies like Mastercard have already spoken about their intent to move to a passwordless model and use biometrics instead. As organizations begin to analyze whether to make the move, the key benefits fall into the following categories:

Enhanced security

• Passwordless methods (biometrics, passkeys or hardware tokens) eliminate vulnerabilities like phishing and brute-force attacks.
• Relying on more secure systems, such as public key cryptography, nearly impossible to crack.
• Authentication shifts from relying on passwords to using the individual's unique physical or behavioral characteristics, such as their fingerprint, face or voice, to verify their identity. In other words, a person’s inherent traits, rather than a memorized password, serve as the key to access.

Better user experience

• Users no longer need to remember multiple passwords or go through reset or rotation password processes.
• Authentication becomes faster and more user-friendly, improving satisfaction and reducing churn.
• Surveys show that users prefer passwordless options, such as biometrics or device-based authentication, due to convenience and security.
• Users are more likely to trust a system that ensures their data is safe without relying on them to create secure passwords.

Industry adoption

• Regulatory bodies, like NIS2, emphasize stricter security measures, often recommending alternatives to passwords.

Why take a layered approach to security?

The challenges of identity management and access controls are not solved by one approach or single solution alone. Instead, it’s important to take a layered approach, often achieved through a collection of tools and solutions working together. In the case of passwordless authentication, it can be further enhanced by using Multi-Factor Authentication (MFA) and Single Sign-On (SSO). Let’s explain these terms before going into more detail on the reasons why.

What is MFA?

MFA is a security system that requires more than one method of authentication to verify a user's identity. Instead of relying solely on a password, MFA uses a combination of two or more of the following factors:

• Ownership factors (“Something the user has”) such as a security token, a phone or a smartcard.
• Knowledge factors (“Something the user knows”) such as a password or a PIN.
• Inherence factors (“Something the user is”) like fingerprints, retinal scans, face or voice recognition and other biometric identifiers.

What is SSO?

SSO is a user authentication process that allows you to access multiple applications or services with one set of log-in credentials. Rather than logging into each service separately, SSO provides a unified log-in experience. It provides more streamlined access, as once the user is authenticated, they can access all associated services without re-entering their credentials.

Unlock security: passwordless+MFA+SSO

By eliminating traditional passwords, you bolster protection against breaches while streamlining the log-in process. Integrating MFA adds an extra layer of security, ensuring that only authorized users gain access. Meanwhile, SSO enhances the user experience by allowing simpler access to multiple applications with just one login. Together, these technologies provide a robust and user-friendly solution for the modern security landscape.

For organizations seeking to strengthen their security posture and simplify user authentication, Identity Management in Red Hat Enterprise Linux is equipped with a range of features designed to enhance security and improve the user experience by offering multiple MFA and SSO options. Passkey provides a modern and secure approach to authentication using FIDO2 devices. Smartcards, based on the established PIV standard, offer another layer of security. Furthermore, its External Identity Provider (EIdP) capability allows for streamlined integration with external identity providers such as Red Hat Single Sign-On, Microsoft and Google, using the widely adopted OAuth2 protocol.