Since the dawn of the Internet, passwords have been the primary authentication factor for accessing online accounts. Yubico’s recent Global State of Authentication survey of 20,000 employees found that 58 percent still use a username and password to log in to personal accounts, and 54 percent use this login method to access labor accounts.
This is despite the fact that 80 percent of current breaches are the result of login credentials being stolen in attacks such as phishing. Because of this, security experts consider passwords to be the most insecure authentication method leaving people, organizations and their employees around the world vulnerable to increasingly sophisticated modern cyber attacks such as phishing.
In fact, even passwords that websites consider “secure” (i.e., containing more than a dozen characters made up of upper and lower case letters, numbers, and symbols) can be easily guessed or stolen by bad actors. Once they get the password, they can bypass all legacy multi-factor authentication (MFA) systems and access people’s personal data with ease. Combined with the fact that people tend to reuse passwords across multiple accounts, giving hackers the ability to breach multiple accounts with a single login, it becomes abundantly clear that passwords as an authentication method are flawed and extremely unsafe in countless ways.
Surprisingly, there remains a lack of awareness about authentication best practices: According to the same Yubico survey, 39 percent of people believe that a username and password is the most secure form of authentication, while 37 percent consider mobile SMS one-time passcodes (OTP) to be the most secure form of authentication. ) the most secure authentication method. While any form of MFA is superior to relying solely on a password, it is important to recognize that not all MFA methods offer the same level of security. Traditional MFA techniques, including SMS-based OTPs and mobile authentication apps, have significant vulnerabilities, and cybercriminals show the ability to easily bypass them through phishing attacks.
As people and organizations become increasingly aware of the cyber risks associated with passwords and legacy MFA, enterprises have begun to abandon outdated authentication methods and move toward more robust and resilient cybersecurity technologies, in in the form of passwordless and phishing-resistant solutions, such as passcodes. .
Regional Director United Kingdom and Ireland at Yubico.
A future without passwords with access codes
Understanding the risks that come with passwords, organizations and individuals around the world are looking for a solution that provides greater security and a better user experience. Passwords have taken the world by storm as the de facto authentication solution in apps and websites to replace passwords, helping both individuals and businesses achieve this easily. Access keys seamlessly authenticate users by using cryptographic security “keys” stored on their computer or device. They are considered a superior alternative to passwords, as users do not need to remember or manually enter long sequences of characters that can be forgotten, stolen, or intercepted.
As passwordless-enabled FIDO credentials, passkeys offer phishing resistance and speed the move away from problematic passwords that can be easily breached. Passwords are used to log into applications and services efficiently and securely, thereby improving both productivity and online security. For example, access keys require verification of possession as well as the physical presence of the user during the login process, effectively protecting them against interception or theft by remote cybercriminals.
Beyond improved security, accessibility is also significantly improved through the use of a passkey, highlighted by two different forms of passkey options: authentication protocols can be stored in the cloud (synchronized passkey) or on a device as a hardware security key (access key linked to the device). ). It is then effortlessly exchanged upon login using a swipe, tap, tap or biometric gesture.
From a security perspective, passkey login makes it much more difficult for malicious actors to exploit credentials and gain unauthorized access because it uses public key cryptography based on mathematical principles. They can also be conveniently and securely stored in hardware security keys, offering a higher level of security by preventing the access key from being copied or shared across the cloud and other devices. However, each passkey option brings different benefits and it is important to understand which type is right for your situation and threat model.
The Right Password Strategy for You
First, it’s important to differentiate between synced and device-bound passcodes. Synchronized passkeys are designed primarily for widespread use by consumers, rather than businesses, and are stored in the cloud. This means that credentials can be copied to all devices connected to a user’s account. For individuals and families who share devices and accounts, this can be a huge advantage. However, for organizations, this can create some worrying points of failure and expose major flaws in key business scenarios, such as remote work and supply chain security.
Device-linked access keys offer greater manageability and control over your FIDO credentials than synchronized access keys, making them more suitable for security-savvy and high-risk individuals, as well as businesses. Device-bound means that authentication must originate on a particular piece of hardware separate from everyday devices, where the passkey cannot be copied or shared. Despite the lack of flexibility that comes with having to register each device separately, these solutions offer a greater guarantee of security, since the only authentication method is to have a specific device previously registered.
However, even within the device-bound passcode options there are important differences: some options are found on general-purpose everyday devices, such as smartphones and laptops, and others reside in hardware security keys, which are recognized that offer the greatest guarantee of security. Hardware security keys equip organizations with reliable credential lifecycle management and the testing necessary to validate the security of their credentials, ensuring businesses can achieve optimal security and remain compliant with the most rigid requirements. in different industries.
In cybersecurity, it is imperative to find a balance between accessibility and security, and it is no different when considering access keys. Businesses should opt for a password solution that provides equal parts security and convenience. The solution should improve the security of online accounts and sensitive data, as well as protect users and the broader organization from phishing and unauthorized access, while allowing employees to take advantage of a better login experience. perfect session.
As we navigate the ever-evolving cybersecurity landscape, the integration of passwordless authentication, particularly through the widespread implementation of passcodes, will prove critical to protecting our digital identities and securing the systems and services that are part of it. integral to our daily lives.
We have presented the best protection against identity theft.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we feature the best and brightest minds in today’s tech industry. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing, learn more here:
