Nearly twenty years ago, Bill Gates declared passwords dead during a now-famous RSA keynote presentation. Unfortunately, password sprawl has continued since then, with some individuals amassing hundreds of passwords and many using the same ones across work and personal apps. In our recent survey, users divulge some of their bad password habits.
Passwords are a fatally flawed authentication mechanism that traces back to the 1960s. This fact has become nearly self-evident as ransomware attacks multiply, with attackers exploiting previously stolen passwords or using brute force attacks and credential stuffing against RDP and other remote access tools to gain a foothold on victim networks. Further, the sheer number of data breaches where passwords were the root cause was on conspicuous display in the 2021 Verizon Data Breach Investigations Report, which noted:
- Passwords caused 89% of web application breaches, either through stolen credentials or brute force attacks.
- 61% of all breaches exploited credential data via brute force attacks, credential stuffing attacks, or credential data leaked and used later.
Multi-factor authentication was introduced to address the password deficiency, but serious user friction with legacy MFA approaches significantly thwarted adoption. Moreover, as we detailed in a previous blog, legacy MFA, which relies on passwords and other weak authentication factors, such as one-time passwords sent over insecure channels, has proven to be less than ideal from both a usability and a security perspective.
Where Is Modern Authentication Headed?
A few key trends will drive requirements for modern authentication. As noted earlier, the need for improved security amidst the onslaught of password-based threats and vulnerabilities with existing “legacy MFA” approaches will play an important role.
CISOs’ interest in security tools that enhance the user experience, rather than continuously adding new hurdles that users must overcome, will also be a factor. Usability issues with legacy MFA solutions also need to be rectified. IDC notes that MFA adoption rates are in the low thirty percent range.
Another important trend is the rapid adoption of cloud applications and the increasing use of other cloud-based resources (IaaS, PaaS, etc.). With this massive change in computing, the traditional network-based perimeter disappeared. The endpoint device and user identity have effectively become the new cybersecurity perimeter.
Concurrently, we have seen a permanent shift to hybrid working environments. In the post-pandemic era, some organizations are using a fully remote model, while others are adopting a hybrid approach.
Lastly, the move to a zero-trust security model, along with the trends above, has spawned new requirements for a modern authentication solution:
- Strong, passwordless, and multi-factor: the future of strong authentication is passwordless authentication. But not insecure “passwordless” solutions that only hide the password from the user but still use it behind the scenes (e.g., password managers, browsers with password autofill capabilities, etc.). These solutions will replace the password with a cryptographically sound authentication method and only employ strong authentication factors (e.g., biometric authentication built into modern devices, and PIN codes that are stored locally and have anti-hammering protections to thwart repeated guessing attempts).
- Frictionless user experience: eliminating the password removes some of the aggravation of creating longer/stronger passwords and then changing them frequently. But we also believe that the authentication flow itself must be streamlined. It will ideally require only a single device to complete, rather than forcing users to fish a one-time password out of the SMS on their mobile phone and type it into the login window.
- Device trust: with the user identity along with the endpoint becoming the new perimeter, it is vitally important to ensure that a) only approved devices are allowed, and b) the device has the required security controls configured and working prior to accessing critical resources and data.
- Continuous risk-based authentication: in keeping with the fundamental tenet of zero trust, modern authentication will eliminate transitive trust and ensure that every identity and every device is checked continuously, and that granular access policy is enforced during each and every authentication transaction.
- AI and machine learning to detect nefarious authentication: in the near future AI/ML techniques will be utilized to identify, alert on and even block suspicious authentications. This will range from spotting anomalous behavior from a single individual to a set of authentication requests that as a group raise suspicion.
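The “strong, passwordless” requirement above is easier to picture in code. The following Go program is an added example, not code from the original post or from any product it describes: a challenge-response login in which the relying party holds only the user’s public key and the device’s locally stored PIN gates the signing key behind an anti-hammering lockout. The names Authenticator, RelyingParty and MaxPinAttempts, and the three-attempt limit, are assumptions of this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
)

const MaxPinAttempts = 3 // anti-hammering: disable the key after this many wrong PINs (assumed limit)
// Authenticator models the user's device: the private key never leaves it, and the
// locally held PIN (standing in for a built-in biometric) only gates use of that key.
type Authenticator struct {
	priv     ed25519.PrivateKey
	pin      []byte
	failures int
}

func NewAuthenticator(pin string) (*Authenticator, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // errors only if the OS CSPRNG fails
	return &Authenticator{priv: priv, pin: []byte(pin)}, pub
}
// Locked reports whether repeated wrong guesses have disabled the key.
func (a *Authenticator) Locked() bool { return a.failures >= MaxPinAttempts }
// Sign releases a signature over the server's challenge only when the PIN is right and
// the device is not locked; a wrong guess counts toward lockout, a right one resets it.
func (a *Authenticator) Sign(pin string, challenge []byte) ([]byte, error) {
	if a.Locked() {
		return nil, errors.New("authenticator locked")
	}
	if subtle.ConstantTimeCompare([]byte(pin), a.pin) != 1 {
		a.failures++
		return nil, errors.New("wrong PIN")
	}
	a.failures = 0
	return ed25519.Sign(a.priv, challenge), nil
}
// RelyingParty stores only public keys (nothing replayable to steal) and issues a fresh
// random challenge per login, so a captured signature cannot be reused.
type RelyingParty struct{ Users map[string]ed25519.PublicKey }
func (rp *RelyingParty) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand never returns a short read without an error
	return c
}

func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.Users[user]
	return ok && ed25519.Verify(pub, challenge, sig)
}
```

A real deployment would bind the challenge to the origin and to a device-trust attestation as well; this sketch shows only the credential and lockout mechanics.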
Nearly twenty years later, it is finally time to kill the password and usher in a new era of strong, user-optimized authentication. While zero trust is a security model, not a single product, modern passwordless MFA that also establishes trust in the devices before granting access is a fundamental building block and starting point for the zero trust journey.