As a tradeoff for enjoying our digital lives, we’ve learned to live with password overload and even tolerate two-factor authentication.
But now, at long last, we’re on the brink of eliminating passwords altogether, once and for all.
A confluence of technical and social developments points to username-and-password logons becoming obsolete over the next few years. What’s more, this shift could very well kick into high gear as part of the solidifying of post Covid-19 business practices and online habits.
I had a chance to discuss this seminal transition with George Avetisov, co-founder and chief executive officer of HYPR, a Manhattan-based supplier of advanced authentication technologies. For a full drill down on our eye-opening conversation, please give a listen to the accompanying podcast. Here are a few big takeaways.
Passwords have always been a big pain. They must be convoluted to be any good, which means they’re difficult to remember, especially since the average person has to juggle passwords to access dozens of online accounts. From a business perspective, managing and resetting passwords chews up scarce resources, and yet even with the best possible maintenance passwords are trivial to hack.
For most of the Internet era, we’ve learned to live with these tradeoffs. However, in the last couple of years the harm wrought by the abuse of passwords has spiked exponentially. The reason: credential stuffing. This is a type of advanced, brute-force hacking that leverages automation.
By deploying botnets pre-loaded with stolen data, credential stuffing gangs are able to insert stolen usernames and passwords into web page forms, at scale, until they gain access to a valuable account. Credential stuffing has enabled criminal hacking rings to turbo-charge their malware spreading and account hijacking campaigns. And when Covid-19 hit, these attackers opportunistically pivoted to plundering Covid-19 relief funds at an ungodly scale.
Meanwhile, credential stuffing has also enabled nation-state sponsored hackers to intensify cyber espionage and cyber warfare. This Sept. 10 report from Microsoft details how hacking groups backed by Russia, China and Iran are using such tactics to systemically meddle in elections and policy debates in the U.S. and across Europe.
Shifting the paradigm
The tech, cybersecurity and intelligence communities knew full well that the types of attacks we’re experiencing today – badness that pivots off the abuse of passwords — were inevitable. To the credit of the good guys, there has been a concerted, methodical effort to drive us toward a new paradigm: passwordless authentication.
Toward this end, along came the FIDO Alliance in early 2013. FIDO stands for Fast IDentity Online, a set of industry standards, akin to WiFi and Bluetooth. FIDO sets forth common biometric authentication protocols designed to foster the growth of an ecosystem of device manufacturers, software developers or online service providers all using FIDO standards.
FIDO was conceived as the cornerstone around which a new authentication paradigm would be possible, one in which the key step, granting access, gets executed on the individual’s device. This replaces the intrinsically weak practice of granting access based on affirming the correct match of a password stored on someone’s hackable server.
“Rather than storing passwords on the server, we’ve started moving authentication keys and credentials to the smartphone, making it much more difficult for attackers to go after these things,” Avetisov observes. “The attacker has to attack each device, individually, rather than focusing on one centralized target.”
It has taken a number of years to get everyone on the FIDO bandwagon. Google’s Android platform was a founding sponsor of the FIDO Alliance, so, of course, Apple went off and did its own proprietary thing for a while. In February of this year – as a global pandemic slammed the brakes on the global economy — Apple finally came around and embraced FIDO.
VPN attack surface
It’s notable that even without Covid-19 pressure was intensifying for Apple to join FIDO. As noted, credential stuffing has increasingly fueled home and business network attacks. Even more impactful, password manipulation has played into the steep rise in cyber attacks spurred by rising geopolitical tensions.
For instance, we know from a recent report from threat intelligence firm Clear Sky that in 2019, after the U.S. assassinated Iran’s General Qasem Soleimani, Iran made it a top priority for its hacking operatives to seek out and exploit unpatched vulnerabilities in corporate VPN systems.
Meanwhile, a hacker in August published a list of stolen usernames and passwords, along with IP addresses for more than 900 Pulse Secure VPN enterprise servers. Threat intelligence firm KELA verified the authenticity of this list, which included last-used VPN logins and VPN session cookies.
Clearly password manipulation will continue to play a big role in the targeting of corporate VPN systems, both for criminal profit as well as for geopolitical strategic advantage. What has made this a much bigger exposure is that Covid-19 forced tens of millions of employees to have to logon remotely, via corporate-issued VPN, many of which aren’t rigorously secured. These are folks who otherwise would have been working on company premises.
“You’ve got employees who a few months ago, didn’t know what a VPN was; now their being forced to authenticate to a VPN every day,” Avetisov says. “When they get locked out, they use passwords . . . the attackers realize they can now go after a whole new attack surface. Both VPN usage and VPN attacks are way up this year.”
Given that the end to Covid-19 is not yet in sight, the uncertainty, going forward is considerable. I would not be surprised to see accelerating adoption of passwordless authentication as one result. The variables certainly are lined up. FIDO is in place, with both Google and Apple on board, and the tools and services to flip the switch are ready to go. Consumers are ready for this shift, as well. We’ve had several years to get comfortable with the first generation of touch and face ID-enabled services on our smartphones.
HYPR is well-positioned to supply the plumbing needed to rapidly expand the Passwordless ecosystem. Avetisov, a Brooklyn Tech graduate, and three other co-founders, started the company in 2014 to make use of the iPhone 5S’s fingerprint reader; they were able to land Mastercard as an early customer and later add CVS Health and Rakuten. HYPR has raised $37 million in venture backing and recorded 300% revenue growth between 20180 – 2019. The company today has 60 employees in New York City, Toronto and London.
Avetisov told me that early concerns about biometrics information being potentially abused by malicious parties appear to have waned. “A couple of years ago, this question came up much more often; today, we don’t really hear many complaints about biometric privacy concerns. They’re still out there, but the mainstream has just said, ‘Let’s go along with it,’
“I try to articulate to people, very simply, that, ‘Hey, you have a password, right? If I had your password, I could log in — as you — from any other country, on any other continent . . . but if you have a phone with a biometric, and the biometric is tied to that phone with passwordless authentication, it is much more difficult for me to attack you because I’d need your biometrics as well as physical access to your phone to do that.’ ”
We’ve all been exposed to password abuse far too pervasively, for far too long. Passwordless authentication is the long overdue solution. It’s a way to free up company IT resources, which can be put to higher use. And it meshes with how younger workers like to work and communicate.
This shift is gaining momentum. Tech research firm Gartner predicts that 60% of large and global enterprises, and 90% of midsize enterprises, will implement passwordless methods in more than 50% of use cases – by 2022. I’m personally looking forward to it. I’ll keep watch and keep reporting.
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(LW provides consulting services to the vendors we cover.)
*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/shared-intel-why-adoption-of-passwordless-authentication-will-be-soon-be-a-de-facto-practice/