World Password Day is celebrated every year to remind us that the sanctity of our passwords is tantamount to our digital security. Increasingly, leaders in the Identity Access Management industry are recognizing that keeping passwords as secret as possible is not a sufficient defense against highly advanced introspection tactics from threat actors.
At Acceptto, we have always stated that passwordless is not the future. It’s what we need now. Every year, security incidents continue to occur due to account takeovers and the causes are well known. The most relevant of them is credential hijacking, which accounts for approximately 80% of attacks. The focus on password complexity encourages credential re-usage and increases the total cost of ownership associated with password resets and help desk calls, without improving overall security.
In general, any binary authentication such as passwords, two-factor authentication (2FA) and some multi-factor authentication (MFA), including biometrics, are susceptible to fraud due to their binary natures. The industry needs passwordless solutions that do not treat authentication as a single event with a simple yes or no at the point of entry, but as a continuum where user good behavior is constantly verified. It’s time to make World Password Day a remembrance of the past, not a celebration of the present.
Acceptto’s Continuous Passwordless solution is based on a profound truth: The longer authentication is viewed as a binary event, the higher the risk.
By viewing authentication as a continuum, Acceptto has set a new standard. Passwords are fundamentally binary stop gaps. They ask a polar “yes” or “no” question at the entrance of a system, then grant unfettered access thereafter. The first step in moving beyond passwords is to outline a new philosophy of security which goes beyond the binary.
Computer password systems have largely followed the original pattern of organization and operation since 1960. After a single password verification, a user gains access and no subsequent authentication is applied throughout the user session. Yet over the last decade, password-based authentication has become increasingly troublesome. Users, overwhelmed with often forgotten passwords, now keep dozens of passwords stored on a file, use a single sign-on (SSO) that caches multiple passwords behind yet another ultra-sensitive password or derive similar passwords for a wide variety of different online systems. This only creates new avenues of attack and increases security risks for the enterprise.
Meanwhile, attackers have adopted increasingly powerful new tools for social engineering, cracking passwords with brute force methods and intercepting authentication protocols. As a result, billions of passwords are now available on the Dark Web. Traditional MFA attempts to strengthen security for passwords, but creates excessive friction for both users and system administrators, lacks context and relies on too few attributes. Attackers regularly exploit weaknesses in SSO and MFA implementations. The severity of this problem has been drawn into sharp relief with the unprecedented scale of the SolarWinds and Microsoft Exchange attacks in 2020-2021, both of which included attackers bypassing MFA.
Assume all passwords have been hacked – or soon will be – regardless of how intricately and uniquely they have been devised. Cybercriminals have easy access to over 3 billion harvested credentials from digital consumers worldwide. Biometrics can be reduced to a few binary traits. While a fingerprint or facial scan appear to be distinctive and safe, each can be spoofed once in a digital form, outside of special hardware. 2FA can impose time limits on users at every log-in, producing friction and fatigue. Temporary codes over insecure channels can be compromised or intercepted during transmission.
Without a change in approach, all enterprise data can be compromised. Certificates are better, as they remove the tax on end users to reset passwords, but once a user or device is provisioned with a certificate, access is granted until it expires. Certificates are yet another binary authentication that can be hacked and abused. In the case of the SolarWinds incident it is reported they will yank the digital certificates, revoking them and forcing customers to “digitally re-sign” as the fallout from the massive breach that impacted almost every customer.
A technology that treats authentication as a continuum, instead of a binary event, is critical in defending against the increasingly advanced tactics of threat actors. This is the only way to maintain the delicate balance between the two competing objectives of IT Operations: service level speed and secure access management.
Passwordless is not the future. It’s what you need now. Celebrate World Password day with a demo of Acceptto’s continuous passwordless authentication.