The Sticky Password Problem:
The average adult with an active digital life has over 100 accounts with passwords. This poses quite the problem when passwords are the most common threat vector for account takeovers and data breaches, over half of users use the same password across multiple accounts, and fraud attacks such as phishing and brute force attacks continue to improve and grow in both popularity and accessibility. In 2004, Bill Gates stated at the RSA Conference that passwords "just don't meet the challenge for anything you want to secure."
Passwords are not secure. Over 3/4ths of Americans are frustrated with them, and they have been a nuisance for 15+ years. Why haven't we gotten rid of passwords yet? How can we start to move to truly passwordless authentication?
Why Passwords Keep Sticking Around:
With all the problems that passwords have, they have three big things going for them: convenience, familiarity, and problems with competition. Passwords require no special hardware, just a way to enter characters into a data field. They can be used on phones, tablets, desktops, laptops, TVs, calculators, and likely even your smart fridge or IOT (Internet of Things) devices. Passwords are quick to onboard (usually simply type the same password twice) and relatively quick to use to authenticate. These capabilities make the system very convenient and easy for the average user.
Passwords are also familiar to the average user. The majority of the world will know exactly what to do when a new website asks them to create a username and password. This eliminates training needs, shortens the onboarding process, and potentially can make the user more comfortable with the process.
The final reason passwords have stuck around for so long is that, at least until recently, their main competitors had their own flaws and problems. The four main authentication competitors in the market today are knowledge-based authentication (KBAs), one-time passcodes (OTPs), hardware tokens, and FIDO biometrics.
There are two main types of knowledge-based authentication. The first, static KBA, is also known as shared secrets. Here the user inputs an answer to a static question during account setup and then may be asked for the answer for authentication. Common questions include first pet’s name, elementary school, first crush, etc. The challenge with these questions is that they are easily socially engineered and are often easily available online. They also can be beaten by brute force attacks that just spam out common answers to the questions hoping for a match.
Dynamic KBAs do not require the user to supply answers beforehand and are instead compiled from public and private data including credit reports and marketing data. However, as more information is available about individuals online and social engineering has improved, the questions needed to properly authenticate the individual were forced to become more challenging. Instead of a simple question like what street did you grow up on, companies were forced to ask: which one of these streets sound familiar and may have been in your childhood neighborhood. While KBAs are easier to enter (like a password), they end up not being much more secure than a password and with similar security issues. In addition, the ever-increasing challenge of more complex questions being required to combat social engineering attacks means that KBAs are not going to replace passwords at scale.
One-time passcodes (OTPs) are the most pervasive form of multi-factor authentication in the world and are currently used primarily to augment passwords rather than replace them. The primary reason they are not being used as a one-to-one replacement of passwords is their vulnerability to phishing and other fraud attacks. In July of 2016, the National Institute of Standards and Technology updated their guidelines to state thattext-message-based OTPs are not secure and should be banned. And yet, because they are convenient, easy to use, and work on the hardware that most people have, OTPs are the most common form of MFA in use today. Still, due to the inherent security risks they are unlikely to replace passwords.
Hardware tokens and FIDO biometrics do not have the same security problems that OTPs and KBAs have, but instead their challenges lie with usability and flexibility. Hardware tokens are secure but inconvenient. Instead of a password to forget and reset, you have a device to carry around with you. The problem of losing them has gotten so bad that current best practices are to have at least two of them that you register for every account and store one in a fireproof safe so it can't get lost. This combined with the cost of the devices themselves and the lost productivity and time if you are to lose one has led to hardware tokens struggling to replace passwords.
FIDO biometrics are better than hardware tokens in terms of flexibility, but still have challenges. FIDO biometrics must be stored on the device and cannot be used for cross-device authentication. This means that every time the user gets a new device, they must re-register their biometrics. As registering a biometric is more work than creating a new password, this can be time consuming and frustrating for the user. FIDO looks to solve a lot of these problems with the institution of passkeys (which allow for passing the passwords across devices in the case of a lost or new device) but even that solution has challenges with account recovery which is once again moderated by a password.
Asignio: Truly Passwordless Authentication:
Asignio's capability to provide very secure authentication that works across any of the user's devices, only requires a single registration, and can protect vs phishing, social engineering, and sophisticated fraud attacks is the right step to a passwordless world.