As humanity moves further into the digital era, computer passwords, which were meant to keep us secure on the World Wide Web, have become liabilities. Passwords are weak links that cybercriminals often target. From time to time, we hear about massive breaches that compromise millions of user passwords on big platforms. The era of passwords is nearing its end, and authentication methods are evolving to eliminate the source of weakness: passwords.

Passwordless authentication is a verification process that does not require users to manually enter a string of characters. Methods that replace passwords may include biometrics, email-based or SMS-based verification, multi-factor authentication, push notifications, or physical security tokens.

How are passwords compromised?  

Before getting a full understanding of the safety and security of passwordless login, it is helpful to know how passwords are getting hacked on the web. Here are some common password-hacking methods employed by criminals: 

  • Phishing- Usually done by imitating authoritative platforms or friends and colleagues of the target. This is among the most successful ways of acquiring credentials over the internet and is typically done through email or other online messaging apps.
  • Brute Force Attack- This involves repeated login attempts to guess a password with every possible letter, number, and character combination using a hacking tool. The longer and more complicated the password is, the longer the time needed. 
  • Dictionary Attack- Attempts to access accounts using commonly used passwords from lists and dictionaries or user-generated passwords obtained from large breaches. 
  • Rainbow Table Attacks- This allows hackers to break passwords with relatively high complexity. It uses huge data sets of precomputed hash values to recover plain-text passwords from their cryptographic hashes.
  • Social Engineering- In this method, cybercriminals manipulate their targets into disclosing their login credentials under the guise of a credible identity, for example the victim’s internet service provider or bank customer service.
  • Malware Attack- Some unassuming website content or messages might contain hidden malware planted by hackers. A malware attack uses a keystroke-logging program that can record and capture passwords as they are keyed into a device.

Is passwordless authentication secure?

The above list is just the tip of the iceberg of the dangers posed by passwords. Taking passwords out of the picture improves both user experience and security of logins. However, to answer the question of how secure passwordless authentication is, it would depend on the authentication proofs needed in place of the passwords, how they are implemented, and what your threat model is. 

Authentication with email and SMS is very similar to the common ‘Forgot Password’ process. The website or app sends a magic link or one-time code, which becomes your live identity token. The vulnerability of this method comes from the weaknesses of the email and SMS systems.

Emails, especially between mail servers, are not widely encrypted. This means that your tokens might be intercepted, which is why identity tokens should expire after a short time to avoid misuse. A phone number, on the other hand, can simply be ported to a separate phone controlled by an attacker, so your SMS messages can easily find their way to the hacker’s device.
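The short-lifetime rule above, as an added example that is not part of the original article: a minimal issuer for magic-link tokens that are random, expire after an assumed 10 minutes, and can be redeemed only once. The class name `MagicLinkStore`, the lifetime and the in-memory dictionary are illustrative assumptions; a real service would keep the pending tokens in a database.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 600  # assumed lifetime (10 minutes); not a value from the article


class MagicLinkStore:
    """Hypothetical in-memory store of pending magic-link / one-time tokens."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # sha256(token) -> (email, expires_at)

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked store does not expose live tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email):
        """Create a token for `email`; the caller puts it in the link or SMS."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (email, self._clock() + self._ttl)
        return token

    def redeem(self, token):
        """Return the e-mail the token was issued to, or None if it is invalid."""
        # pop() removes the entry on first use, so an intercepted token
        # cannot be replayed after the legitimate user has logged in.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None              # unknown, forged or already used
        email, expires_at = entry
        if self._clock() > expires_at:
            return None              # expired: the interception window has closed
        return email


if __name__ == "__main__":
    store = MagicLinkStore()
    link_token = store.issue("user@example.com")  # constructed sample address
    print(store.redeem(link_token))  # first use succeeds
    print(store.redeem(link_token))  # replay is rejected
```
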

Compared to email and SMS, using push notifications from your smartphone, tablet or other devices is more secure. Using this method, you are required to download an app on your device. When you log in using your computer, a notification will pop up on your phone: “Do you want to log in to XXX from XXX? Yes/No.” The challenge is that you still need to establish your identity on one device.

Hard tokens

A physical identity key in the form of a keychain-like USB device or other similar tool is another method. You only need to plug it into your computer during login, with no need for magic links or OTPs. The downside of physical keys is that they can be misplaced or stolen. Or worse yet, they can be left plugged into the computer, leaving your account open to anyone.

Another method is using your biometrics, such as your fingerprint or face scan. Because your biometrics are yours alone and are allegedly ‘hard to steal’, this is among the most popular passwordless login methods. The hackers’ answer to that is fingerprint lifting and fake 3D masks. These require more effort and resources from attackers, but if your threat isn’t just some random mass skimmer looking for bulk data and is specifically targeting you, resources are not a problem. The bad news is that, unlike OTPs and links, your biometrics don’t expire. A single credential theft will compromise you for a lifetime.

Compared to other login alternatives, passwordless authentication is a lot more secure. It eliminates passwords as attack vectors for hackers. However, it is also not a perfect solution. The best defense is to practice security in depth by layering your safety measures. 

Our Passwordless solution

Try TraitWare, an adaptable security solution which combines multi-factor with a unique passwordless authentication using your mobile phone or other devices. TraitWare uses the biometrics of your mobile phone to turn your mobile device into your physical key. Because your phone biometrics constantly change, so does your password. TraitWare also has a powerful admin interface to monitor logins, and its multi-factor supports up to four-factor authentication.