Despite being a common occurrence, when user accounts are compromised there is usually no immediate evidence of a cyberattack. In fact, rather than an obvious incident impacting an application or server a website is hosted on, user passwords can be silently hijacked from previous data leaks. Once a hacker has access to an account, they may proceed undetected and there’s no guarantee the owner will be aware or informed until tell-tale damage is done, says Aubrey Turner, executive advisor at Ping Identity.
Studies have repeatedly shown that a large majority of data breaches can be linked back to poor authentication practices, of which weak passwords are undoubtedly a symptom, but even strong passwords may be compromised by phishing attacks. Despite being frequently misused, the password is still the most common and widely used mechanism for authenticating people and securing information. When bad actors sign in with a valid password, they don’t trigger any alerts, which makes it easier for them to make extensive use of your account.
As a result, coming up with a new password is no small task in today’s world due to complex password policies. Although it’s safe to say that password managers have made this slightly easier to manage, businesses invest time attempting to come up with the perfect password just to have it hacked or for human nature to take over and reuse it across logins.
As the world becomes more digital, passwords aren’t scaling as an effective security mechanism. In a survey conducted by the National Cyber Security Centre, 42% of Britons said they anticipate losing money as a result of cybercrime, and this has increased by 600% since the pandemic. Businesses have addressed the symptoms of password compromise by implementing complicated password policies, but this hasn’t actually remedied the breach problem.
So, even though we still rely on passwords a lot, is there a way to strengthen, shore up, and support them to make them harder for bad actors to use to gain access?
Compromised passwords lead to data breaches
Password authentication does not have a rigorous identity check in general, and because passwords may be used by anybody, hackers can easily get access to your account. According to the Verizon 2021 Data Breach Investigation report, passwords caused 89% of web application breaches, either through stolen credentials or brute force attacks. Hackers go after passwords, especially those with privileged access to business systems and networks. Hackers can use vulnerable credentials to gain access to data repositories which they can exfiltrate or disrupt business by holding them hostage for ransom demands.
For the most part, passwords are reused across different devices, apps, and websites. According to a recent SailPoint study, some 75% of consumers use the same login credentials for both their personal and professional accounts. In a family of four, three of them fall into this category. The most prevalent justification for repeating passwords is the desire to avoid having to keep track of a large number of different (complex) passwords. An attacker may get access to your networks and accounts by exploiting a single human frailty. These are some of the same related weaknesses that make social engineering exploits successful hacks. Using the same email, username, and password for all of your accounts gives them convenient access to all of your personal information.
Now is a good time to mention that using password management software is one of the best solutions to this current problem. Different user credentials can be stored in a secure database in a password manager, which is accessed by a master credential.
Authentication: choosing the best solution
For the majority of businesses, the first-factor authentication flow authenticates through a server using a user’s login and password. Authentication’s purpose is to ensure that the person requesting to access a resource is who they say they are, and corporations have used a variety of methods to do so.
Two-factor authentication (2FA) double-verifies a user’s identity at sign-on using two separate processes. Multi-factor authentication (MFA) verifies digital users’ identities by requiring two or more pieces of authenticating evidence. The key is that each piece of evidence must be unique and from a different authentication factor (i.e., something only you know, something only you have, or something only you are/do). If one factor is compromised, another is unlikely to be. Multiple authentication factors increase user identity confidence and assurance.
As previously noted, weak passwords, reusing the same password across apps, storing passwords in unencrypted locations, and other practices make hackers’ jobs easier. These habits help people remember their logins, but they invite hackers. MFA protects internal and external users from these weaknesses. An attacker may get your username and password, but they can’t access important data, conduct a transaction, or get into your laptop without another factor.
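The following is an added example, not code from the article or from Ping Identity, showing what the "another factor" check above looks like in practice: a login routine that first verifies a PBKDF2-hashed password and then requires a time-based one-time code (TOTP, RFC 6238) from something the user has. The user store, the username "alice", the password and the shared secret are all constructed for the demo (the secret is the RFC 6238 test-vector key, so the codes can be checked against the published values); a stolen password alone is refused.

```python
import hashlib
import hmac
import os
import struct

TOTP_STEP_SECONDS = 30  # RFC 6238 default time step
TOTP_DIGITS = 6

# Constructed demo secret: the RFC 6238 / RFC 4226 test-vector key,
# used here only so the codes below match the published vectors.
DEMO_SECRET = b"12345678901234567890"


def hash_password(password, salt=None, iterations=200_000):
    """Derive a PBKDF2-HMAC-SHA256 hash; a fresh random salt is used if none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify_password(password, salt, iterations, expected_digest):
    """Recompute the hash and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected_digest)


def totp(secret, timestamp, step=TOTP_STEP_SECONDS, digits=TOTP_DIGITS):
    """RFC 6238 TOTP with HMAC-SHA1: HOTP over the current time-step counter."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226 section 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret, code, timestamp, window=1):
    """Accept the code for the current step and +/- `window` steps of clock drift."""
    for drift in range(-window, window + 1):
        expected = totp(secret, timestamp + drift * TOTP_STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False


def build_demo_store():
    """Constructed single-user credential store (hypothetical user 'alice')."""
    salt, iterations, digest = hash_password("correct horse battery staple")
    return {
        "alice": {
            "salt": salt,
            "iterations": iterations,
            "hash": digest,
            "totp_secret": DEMO_SECRET,
        }
    }


def login(store, username, password, code, now):
    """Two-factor login: knowledge factor (password) then possession factor (TOTP).

    Returns a short outcome string; both factors must pass for "ok".
    """
    record = store.get(username)
    if record is None:
        return "denied"
    if not verify_password(password, record["salt"], record["iterations"], record["hash"]):
        return "denied"
    # A leaked or reused password stops here without the second factor.
    if not verify_totp(record["totp_secret"], code, now):
        return "denied: second factor required"
    return "ok"


if __name__ == "__main__":
    store = build_demo_store()
    now = 59  # fixed timestamp so the demo is reproducible
    print(login(store, "alice", "correct horse battery staple", totp(DEMO_SECRET, now), now))
    print(login(store, "alice", "correct horse battery staple", "000000", now))
```

The possession factor is only as strong as the secrecy of the shared key and the accuracy of the clock; the `window` argument trades a little replay exposure for tolerance of drift, and a production deployment would also rate-limit attempts and reject a code that has already been used in the same step.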
Additionally, MFA is a great way to facilitate corporate mobility, which is usually a top need for firms that are going through a digital shift. Organisations may keep their networks safe and their data secure by employing MFA to connect to corporate apps or the network through a VPN, allowing employees the flexibility of BYOD or to work from whatever location they choose.
What will authentication look like in the future?
The combined use of identity proofing, MFA, risk signals and passwordless authentication flows will become smarter and more intelligent to help discourage attackers. Security should be optimised through frameworks such as Zero Trust to reduce the chance of a breach. Passwords will remain a feature of authentication models for the foreseeable future; however, increasing the use of multi-factor authentication is one way to help us eventually reduce our dependency on them. Since 83.72% of the population owns a smartphone, according to Statista, the cost of implementing MFA has decreased and its practicality has increased.
When biometric identification first emerged on mobile phones a few years ago, it made life a bit simpler. Unlocking your phone or laptop without a code is now the standard thanks to technologies like Apple’s Face ID and Touch ID. When password usage is greatly reduced, biometric authentication, such as fingerprint, iris, face scanning or other behavioural biometrics, will most likely take its place, particularly as these technologies become more affordable and precise. No one can predict the future, but we can speculate. Cognitive authentication models will evolve but never truly disappear; however, it’s possible to see a future where our reliance on passwords is greatly diminished and perhaps we don’t have to worry about remembering them at all, because zero-login (recognition) authentication techniques have become the norm.
The author is Aubrey Turner, executive advisor at Ping Identity.