
Passwordless vs Passwords: Stopping identity-related breaches

April 26, 2023

Identity management is still key to stopping cyberattacks in 2023. 84% of organizations were hit with an identity-related breach last year, up from 79% the year before. And the majority of those businesses (96%) said they could have prevented or minimized the breach by implementing identity-focused security outcomes.

Those are some pretty stark numbers, courtesy of the Identity Defined Security Alliance (IDSA). But no matter who you consult, it’s a similar story. According to Verizon, 61% of all breaches involved compromised credentials. The Federal Trade Commission? It received 1.1 million reports of identity theft in 2022, with consumers losing more than $8.8 billion to fraud — more than 30 percent over the previous year.

[Image: top identity breach stats 2023. The top identity-related breaches as seen in IDSA’s 2022 Trends in Securing Digital Identities report]

So what’s the cause of all this surging identity theft?

Things are more connected, identities are more complex

There are a number of potential causes: cloud adoption is on the rise, there are more remote and hybrid workers, and the rise of IoT devices means there are a ton more endpoints to handle.

There’s also just generally more identities for experts to keep track of — 98% of identity and security professionals say they’re managing more human and machine identities than ever — and those they are handling are more complex.

The end result? More identity attack vectors, more attacks, simple math.

Stemming the tide of identity-related breaches with authentication

Passwords are an old idea, predating computers by a long shot. Roman sentries would challenge people wanting to enter an area with a watchword, and only allow them in if they knew it. When the guards exchanged shifts, they’d exchange a wooden tablet with the watchword on it, so the next person knew what the password was. The person in charge would get the tablet at the end of the night, so they’d know it had passed safely between every guard, without being intercepted.

Passwords have changed, but the essential flaw remains the same: most systems take the words you type, run them through a one-way hash, and store the result in a database.

Shared secrets are messy

As Mark Twain famously said, “Two people can keep a secret, if one of them is dead.” After the first computer password was proposed at MIT in 1960, it took all of two years for the first password theft to happen, albeit as a research experiment. Much like stealing the tablet, Allan Scherr printed the system’s password file, allowing him to log in as other users.

Of course, an attacker can always just guess the password — the easier the password is, the easier it is to guess, reducing security. But increasing complexity can also reduce security, because the user might write it down, reuse it in multiple places after proudly memorizing it, or have to reset it all the time. Cue obligatory XKCD comic:

[Image: Password strength comic by XKCD]

Still, even memorizing “correcthorsebatterystaple” is an ask of users, and it’s still vulnerable to phishing, something that 59% of organizations experienced last year. In response to these sorts of attacks, the most common measures are implementing multi-factor authentication (MFA) (43%) or reviewing privileged access more often (41%).

But some security professionals are asking the question: “What if we just went without passwords, and did something new? What if we can do better than Roman soldiers?”

Enter “Passwordless solutions.”

Investigating Passwordless solutions

It’d be misleading to spin passwordless as something new, since the claim “passwords are dead” has been made since at least 2004. But the available solutions have expanded since then to include biometrics, single sign-on, Fast Identity Online (FIDO), and others.

FIDO, for example, uses standard public key cryptography to enhance user authentication. When a user registers with an online service, the user’s client device creates a new key pair, with the private key being retained on the device and the public key being registered with the service. The client device authenticates the user by demonstrating possession of the private key, which it does by signing a challenge sent by the service. The private keys are only accessible after local unlocking on the device by the user via a secure and user-friendly method such as a PIN, biometric scan, or other similar action.

[Image: FIDO registration and authentication flow. Diagram courtesy of the FIDO Alliance]

Furthermore, FIDO has been designed to safeguard user privacy. The protocols do not disclose any information that different online services could combine to track a user across services. Additionally, if biometric data is used for unlocking, it remains on the user's device and is never transmitted to the online service, so that data stays private.

Great! Why isn’t everyone using passwordless solutions?

Excellent question. Despite people clamoring for the death of passwords, they’ve stuck around for three reasons:

  • They’re cheap

  • They’re convenient

  • They’re immediate

Also, almost everyone uses passwords. Even though passwordless solutions often beat passwords in terms of security, and sometimes in usability, their deployability is almost always worse. Transitioning from traditional password-based systems to passwordless authentication may require significant changes in infrastructure, user education, and support. That can be time-consuming and costly, so organizations just opt for the tried and “trusted” approach. Still, not very good reasons. At minimum, MFA should be the starting point, and it is already a standard offering on most cloud platforms.

Conclusion: In “passwordless” vs “passwords”, watch this space

Time will tell if there’s an industry shift towards passwordless solutions, perhaps spurred by the rise and prevalence of identity-based attacks. As the friction points for deployability and cost lessen, we may see more widely adopted solutions. Biometric options already exist on many devices, like mobile phones, and there are a number of commercially available solutions like Duo Security, AuthN, and others. After all, the field of cybersecurity is always evolving, both in threat and response.

In the interim, I’d make sure to brush up on privilege management, as strategies such as continuous discovery of all user access rights, the Principle of Least Privilege, and timely reviews of sensitive data and privileged access have all been proven effective at helping prevent identity-based breaches and mitigating identity attack vectors.

Learn more about password security best practices

If you're interested in minimizing your organization's risk of identity-related security breaches, here are some further resources that can help you out.