Cybersecurity: passwordless is the new frontier
By: Igor Meltser – Vice President, Global Technology Solutions and Services, Sphere Partners
Ransomware is endemic
Cybersecurity is no longer just a business matter. The awareness is expanding to our everyday life via news reports, radio briefings and public service announcements. Like COVID-19, ransomware is now endemic, and it is here to stay.
The ongoing war in Ukraine has brought to light the sophistication and structure of organized crowdsourced IT armies coordinating attacks against media outlets, financial institutions, public utility companies and the private sector. Significant increase in such warfare is ongoing between Russia and Ukraine, though internet sensors are showing more and more such activity across the globe.
At a recent Cybersecurity Summit, I listened to countless industry insiders and the FBI Cybersecurity Task Force talk about how the NDR (network detection and response) framework continues to be most effective. It is however evolving to become agentless, as more of our everyday devices are becoming “smart”, furthering integration points, self-discovery services and similar ease of use approaches expanding our attack surface.
Do passwords work?
Is there an authentication system which can’t be hacked? For years, we have been conditioned to create complex passwords and change them often. But, is a system which was created in the 1960s going to keep us safe and secure in a digital world? Is that really the best we can do?
Passwords, in all forms, are a 60-year-old archaic and outdated technology. Over the years, we have coined new terms like “shared passwords”, “password breach”, “hashed password”, etc., all stemming from the concept of some characters or phrases being the keys-to-the-kingdom. Nowadays, a password alone provides a false sense of security, and the industry knows this.
Enter 2FA and the ability to send an SMS code to a phone. 2FA is another layer for the platform to confirm the identity of a user, but just as fast as it was introduced, it became outdated. 2FA leads to SMS attacks, SIM hijacking and SIM cloning. Yes, it made it more difficult to the average bad actor, but it is not secure.
The era of passwordless
So, if passwords aren’t innately secure, the next step is simply to get rid of passwords, right?
Ultimately, passwords don’t prove the identity of the person entering it. All they prove is someone or something entered the password correctly. A compromised password is therefore a compromised identity.
Enter the concept of passwordless authentication, the next generation authentication concept properly leveraging the pervasiveness of biometric sensors in combination with security hardware in a zero-trust environment. According to a 2019 Gartner publication, up to 90% of MSE’s (midsize enterprises) are working to implement passwordless identity management for their most common use cases.
Humans are the vulnerability in every system we touch. We are not designed to remember complex numbers and passwords. So we write them down, store them in a digital password manager, which itself is protected by a password, and nothing else.
Alternatively, by doing away with passwords:
- There are no more phishing attacks, as there is nothing to phish for.
- There are no more malware keylogging attacks, as there is no password to capture and steal.
- There are no more credential stuffing attacks as there are no more username/password combination sets to be tried against websites.
- There are no more network sniffing attacks as there are no more usernames or passwords being transmitted over the network and internet, securely and in clear text.
- There are no more password brute-force attacks as there are no more passwords for the bots to try, using dictionary words appended with a sequence of numbers and special characters.
So now is the time to go passwordless. Internet pioneers such as Microsoft, Google and Amazon have already shifted towards passwordless for access to their environments, creating tools and standards for a new and modern approach to identity and authentication management.
For the latest and greatest in passwordless, or if you have any questions, feel free to reach out! You can find me on LinkedIn, or contact us via our website—let me know you’re looking to talk about passwordless, and let’s chat!