Multifactor authentication isn't perfect, passwordless is better

Passwords are frequently the root cause of breaches, and multifactor authentication only provides a stopgap for account protection. It's time to adopt a passwordless strategy.

Two recent high-profile breaches demonstrate the criticality of securing identities. A disgruntled couple hacked IHG, the owner of major hotel brands, by conning an employee into downloading malware through a booby-trapped email. The couple then gained access to IHG's password vault using the password "Qwerty1234."

A few days later, an 18-year-old hacker claimed responsibility for breaching Uber's environment using prompt bombing, a type of social engineering attack whereby the hacker forced Uber's multifactor authentication (MFA) system to repeatedly push authentication requests to the victim's phone. After bombing the victim's phone for more than an hour, the hacker impersonated Uber's IT department, sending a WhatsApp message to the victim saying that the only way to stop the notifications was to approve the login requests.

The hacker then gained access to the password vault, as Uber had hardcoded the credentials to its vault in a readily accessible PowerShell script.

The power of password vaults

The most important identities in your environment are those that provide special access and abilities above and beyond normal users. These superuser or privileged identities enable users to access any system or data and change configurations. These identities are literally the keys to the kingdom.

Password vaults enable organizations to monitor, control, detect and prevent unauthorized use of privileged identities. Like a library, users can check out -- or get access to -- a privileged identity, often for a limited time.

With a password vault, you can remove standing privileges, or the continuous granting of special access. This, combined with time-limited privileged access, greatly reduces your attack surface.

Solve one problem with password vaults, introduce another

Passwords are secrets only you know, and therefore authenticate you are who you claim to be. Unfortunately, easy-to-remember passwords are weak and guessable. Meanwhile, strong passwords are hard to remember, leading to password reuse and the risk of multiple account compromise.

To overcome these inherent weaknesses of passwords, the cybersecurity industry developed MFA. In addition to something you know, MFA uses something you have -- like a cellphone -- and something you are, such as biometrics.

MFA products can act as a quick fix, reducing risk when employees use weak passwords. Many types of MFA introduce new problems, however, such as prompt bombing and other social engineering or phishing attacks. Other MFA problems include the use of easily compromised text messages as the second factor, turning your phone and phone number into identity devices outside their original design criteria.

The added steps of MFA also increase the friction of the login process. Almost one-third (32%) of respondents to the "Securing the Identity Perimeter with Defense in Depth" survey from Enterprise Strategy Group (ESG) said they make MFA optional for their employees, and 27% make MFA optional for their third-party workforce. 

[Figure: The different factor methods of MFA -- time, location, something you have, something you are and something you know.]

Passwordless to the rescue

Passwordless authentication removes passwords from the authentication process, which can drastically reduce risk.

FIDO2 is one of several new passwordless authentication techniques and standards. Based on public key cryptography, FIDO2 combines something you have -- a passkey, the private key held on your device -- with something you are -- biometrics -- which unlocks that passkey for the authentication system; only a signature, never the key itself, leaves the device.

FIDO2 eliminates many, if not all, of the challenges of password-based authentication and MFA. And, with the recent announcements by Google, Microsoft and Apple for FIDO2 support combined with WebAuthn on all their devices, 2023 will be the year passwordless authentication goes mainstream.

Other passwordless authentication products are based entirely on biometrics. Most people are familiar with using facial recognition to access their mobile devices via Apple or Google Face ID, or their laptops with programs like Windows Hello. Companies such as Incode, Pindrop and Veridium also provide tools to add fingerprint, facial recognition and voiceprint authentication to apps and services.

Moving to a mandatory phishing-resistant MFA -- or, better yet, eliminating passwords -- is a great step to reduce risk. Plus, passwordless authentication reduces friction and improves UX. It also increases the efficiency of IT and security operations, reducing the amount of time and effort spent handling password resets and account lockouts.

ESG is a division of TechTarget.
