Is Passwordless Authentication Better?

The Verizon Data Breach Investigation Report stated that over 80% of breaches occurred from malicious hacking that involved brute force or the use of lost or stolen credentials. There have been several password alternatives over the years, so which option is better: password or passwordless authentication?

First, let's talk about what password authentication is. According to Tech Target (2023), password authentication is the most common authentication method; it uses a person's username and password or PIN for access. It is also the easiest method to abuse. When people create passwords they tend to reuse them and to build them from dictionary words and public information. Reusing and creating guessable passwords only makes accounts more susceptible to a phishing or brute-force attack. Next, we will discuss passwordless authentication.

Passwordless authentication is the opposite of password authentication. According to Beyond Identity (n.d.), passwordless authentication was created to eliminate the number one weakness in security: passwords. Passwordless authentication is a form of authentication that does not use a password whatsoever, not even as an alternative or a back-up. Passwordless authentication can protect against login credentials being stolen or leaked, and it frees the user from having to remember a password or follow a password policy.

Passwordless options verify one's identity without the use of a password. In place of a password one uses something they have (like a mobile device) or something they are (like a fingerprint). Each time the person requests access, a new authentication message is generated. The technologies rely on biometrics and a Trusted Platform Module (TPM). The TPM holds a private cryptographic key, and some models use Transport Layer Security (TLS) to ensure the data exchanged with servers stays private and secure.
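The exchange that paragraph describes, as an added Go example (not code from this post or from either cited vendor): the device generates a key pair at enrolment, the server keeps only the public key, and every login signs a freshly generated server challenge. `Device` and `Server` are hypothetical types, and the private key is simulated in memory where a real deployment would keep it inside the TPM.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Device holds the private key (in practice inside a TPM or secure element); Server
// keeps only the registered public key and its outstanding challenge. Both are hypothetical.
type Device struct{ priv *ecdsa.PrivateKey }
type Server struct{ pub *ecdsa.PublicKey; challenge []byte }

// Enroll generates the key pair on the device and registers only the public half.
func Enroll() (*Device, *Server, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv}, &Server{pub: &priv.PublicKey}, nil
}

// NewChallenge issues a fresh random message for each login request.
func (s *Server) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenge = c
	return c, nil
}

// Sign proves possession of the device without ever revealing the private key.
func (d *Device) Sign(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// Verify accepts a signature only over the outstanding challenge, then discards
// that challenge so a captured signature cannot be replayed for a second login.
func (s *Server) Verify(sig []byte) error {
	if s.challenge == nil {
		return errors.New("no outstanding challenge")
	}
	digest := sha256.Sum256(s.challenge)
	s.challenge = nil
	if !ecdsa.VerifyASN1(s.pub, digest[:], sig) {
		return errors.New("signature does not match registered key")
	}
	return nil
}
```

Because the server stores no secret, a database leak exposes nothing a thief could log in with, which is the property the paragraph above attributes to passwordless schemes.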

Other options to use with passwordless authentication include multi-factor authentication (MFA) and single sign-on (SSO) to help increase security strength and reduce the need to reset passwords. So, does this passwordless method work better than using a username and password? I think it is a personal preference, since passwords rely on a person's memory of something they know. Systems are now depending on one another to make decisions without a password. Let's say a TLS certificate expires by accident, or the TPM chip goes bad or produces error messages; then time will be lost fixing either issue and work is reduced. Whereas with a password model one uses something someone knows and has or is, instead of relying solely on technology to be the authentication method for the needed access. Using MFA is not 100% the best option because it has its flaws too, but it seems to be a better option since authenticating with MFA doesn't have to occur every single day. Also, what is the back-up option for passwordless if back-up passwords or other options are not used? Based on research so far, the prediction is that passwords will stay around even if they are used only as a back-up to the passwordless option, but passwords will never truly go away and they will rely on password policies. So, is passwordless really a reliable thing?

References:

Beyond Identity (n.d.). Passwordless authentication. https://www.beyondidentity.com/resources/passwordless-authentication

TechTarget (2023). Use these 6 user authentication types to secure networks. https://www.techtarget.com/searchsecurity/tip/Use-these-6-user-authentication-types-to-secure-networks
