Industry News

Beyond Passwords: A Better Way to Verify Users

There are just a few known problems with passwords:

  • Easily phished & cracked with brute-force attempts (with the help of password-guessing tools), or stolen, if stored in plaintext or hashed
  • Years of password dumps have created a handy dictionary that attackers can use to attempt remote logins
  • Puts the security burden on users (hard to remember, hard to make unique, and hard to keep up with the latest password security tips - these are NIST’s recommendations)
  • The proliferation of web apps requires a lot of passwords, making them hard to keep track of
  • As a result, password reuse is very high, allowing an attacker to log into several accounts if they're able to breach just one
  • The user experience is disrupted for the sake of password re-entry or account lockouts due to password failures

And of course, there’s that infamous Verizon Data Breach Investigations Report (DBIR) that we love to quote:

Eighty-one percent of hacking-related breaches leveraged stolen and/or weak passwords.

-- Stop the Pwnage: 81% of Hacking Incidents Used Stolen or Weak Passwords

As a result, the concept of passwordless authentication has popped up in the industry as a solution. Passwordless methods may rely on biometrics (your fingerprint, read by a device like your smartphone), or on unique passcodes sent via email or text message that you enter into a login form to verify your identity.

Other forms of additional authentication have been implemented to help address password-related risks - like knowledge-based authentication (KBA). Commonly used by the financial industry, answering KBA questions (with the help of a zip code, birthdate or Social Security Number) can reset your account password, effectively allowing anyone into your accounts if they guess correctly or source the answers elsewhere on social media or in public records.

Modern, Secure & Easy Multi-Factor Authentication (MFA)

To move beyond passwords, modern and advanced multi-factor authentication (MFA) can provide not only more secure methods, but additional insight, policies and controls that work to strengthen your access security.

First, the MFA (also known as two-factor authentication) methods:

U2F: Security Tokens
Universal 2nd Factor is an open authentication standard developed by Google and managed by the FIDO (Fast IDentity Online) Alliance. A far cry from security tokens that generate codes users must type in, a U2F token comes in the form of a small USB device plugged into your laptop.

Once configured, you only need a supported web browser to log in - tap the device once to complete two-factor authentication and log in securely.

See U2F in action, with Duo:

In addition to usability advancements, a U2F device protects its private keys with a tamper-proof component known as a secure element (SE), helping to mitigate phishing attempts. The YubiKey NEO from Yubico is an example of a U2F device supported by Duo's 2FA.

Here's a video to help you understand how U2F works:

Duo Push: Mobile App-Enabled
Using a mobile authentication app on your smartphone, you can also easily approve push notifications to complete 2FA and log in securely.

This requires user enrollment through an administrator or via self-enrollment, plus downloading the free Duo Mobile app to deliver Duo Push notifications to your phone.

See it in action:

This method is more resilient to man-in-the-middle (MiTM) attacks, and a more secure option than SMS-based 2FA, which can be phished more easily. It’s also fast, convenient, and doesn’t require carrying around a second device.

A New Way to Authenticate: WebAuthn

Another new standard known as Web Authentication, or WebAuthn, allows users to easily register authenticators (hardware security keys or Trusted Platform Module devices) with popular web browsers. This standard is supported by Google, Microsoft and Mozilla.

This type of authentication would allow a user to replace traditional passwords by authenticating with their device - if they provide an authentication provider (like Duo) with biometric verification.

This basically combines the factors something you are (biometrics) with something you have (a hardware security token) - eliminating the need for something you know (inherently less secure passwords).

However, this is still being developed and refined, and is unlikely to completely replace passwords anytime soon, as Nick Steele states in Web Authentication: What It Is and What It Means for Passwords. But it does provide hope for more secure and user-friendly authentication options in the future.

Check out Duo’s Two-Factor Authentication Evaluation Guide to learn about different two-factor authentication vendors and solutions, and learn more about What is Modern Two-Factor Authentication (2FA)?