We would like to keep you up to date with the latest news from Digitalisation World by sending you push notifications.
Digital Newsletter
Each week our editor Phil Alsop rounds up the most popular articles, videos and expert opinions. We compile this into a Digital Newsletter and send it straight to your inbox every week.
Digital Magazines
We'll let you know each time a new edition of Digitalisation World is released so that you're always kept up-to-date with the latest and greatest news and press releases.
Video Magazines
The Digitalisation World Video magazine contains the latest Zoom interviews with experts in the industry.
Whilst username and password combinations continue to be the only form of authentication for many logins, weaknesses should indicate that its days are numbered. In fact, this World Password Day, companies and individuals should take this opportunity to review and strengthen the usability of their authentication practices beyond the simple password.
Recent research conducted by the Ponemon Institute found that 39% of individuals reuse passwords across workplace accounts and, even more worryingly, 51% sometimes or frequently share passwords with colleagues. The shareability and reusability of the password are inherent weaknesses that open the door to attackers. An example of this is credential stuffing, which works by trying stolen login details against other sites and exploits the fact that people continue to reuse passwords, despite advice to the contrary.
Strengthening authentication beyond passwords
To effectively combat credential phishing, credential stuffing, and other common forms of cyber threats, companies must strengthen authentication practices by reducing their reliance on passwords. Two-factor authentication (2FA) has recently grown in popularity and usage as a result. By combining login credentials with something you have (mobile phone or security key), something you are (fingerprints or facial scan), or something you know (PIN or security question), 2FA delivers a higher level of security than the username and password combination alone, but not all 2FA methods are equally strong.
2FA methods such as memorable words or SMS one-time passwords (OTPs) are the most basic layer of additional security; they are better than no form of 2FA at all, but they are also still susceptible to attack. Indeed, ‘SIM-swap’ fraud is just one of the increasingly common phone-based attacks used by bad actors. Additionally, the process of using SMS OTPs is quite inconvenient as it requires the user to type in a code, often across devices, in addition to entering in their password. Overall, they provide an extra level of security, but they do not fix the problem.
Usability is a key consideration for companies looking to improve their security practices beyond the sole use of passwords. In fact, the Ponemon Institute research found that 56% of individuals will only adopt new technologies that are easy to use and significantly improve account security. This highlights the issue with basic 2FA methods — they are still inconvenient and cumbersome for users.
More sophisticated forms of 2FA are simple and convenient to use, making it more likely that individuals will adopt them to enhance their security. For example, FIDO security keys provide a significantly higher level of security than other 2FA methods. Yet, they are also easy to use so it has little impact on the user and will not interrupt the working day.
It is important that companies assess the requirements of employees and make a considered choice when selecting a 2FA method to ensure that it will meet their needs and be widely adopted.
New standards of security
Reliance on the password can be further reduced if companies look to new standards of security, such as FIDO2 and WebAuthn, which are now supported in all leading platforms and browsers. FIDO2 specifications tackle all the problems with traditional authentication and allow users to use common devices to easily authenticate to online services in both mobile and desktop environments.
A core component of FIDO2 is WebAuthn, the first globally accepted standard for web authentication, co-developed by Yubico experts and approved by the World Wide Web Consortium (W3C). Using a standard web API, WebAuthn enables online services to easily support FIDO authentication, with the option for passwordless logins. This authentication standard is based on public key cryptography that removes the need for creating and storing passwords in a central location where they are vulnerable to data breaches. It is the only form of authentication proven to eliminate account takeovers and protect against phishing attacks 100% of the time.
Additionally, and crucially, the modern FIDO2 and WebAuthn standards offer variety and do not force users into one authentication method. Instead, these widely-adopted standards offer choice — for example, an external authenticator such as a hardware security key, a built-in biometric sensor, a PIN, or a combination of the three.
This World Password Day, it’s time to examine whether the static username and password are still up to the task or if it is in fact time to rethink password-based authentication altogether.
