Can We Really Make the World a Passwordless Place?

February 25, 2020 Assaf Miron

The average person uses around 100 username and password combinations. However, while many security teams recommend business users create individual, complex and strong passwords for all their accounts, many fail to follow this advice. As a result, many passwords are either weak or frequently re-used. With, the vast majority of cyber attacks involving compromised credentials – weak passwords can directly result in data leaks, cyber attacks and theft of intellectual property.

Try this for a password – the world’s longest place name, a hill in New Zealand with 85 letters.

In fact, malicious attackers can access millions of leaked passwords on public sites.  Having a password compromised is upsetting, but what’s more concerning is the longer-term impact of that attack.  Most people are guilty of re-using passwords, but if your email was infiltrated, for example, and you use that password for other online accounts, all of them can be compromised too.

Once compromised or stolen, credentials can be sold online and attackers count on the fact that most of us re-use our passwords. A purchased password for one account  is often used in other attacks to access valuable information on other sites.

On the other hand, tactics like phishing expose a clear “people” problem. According to the Verizon 2019 Data Breach Investigations Report, 32% of all breaches involved phishing and 33% included social engineering attacks that deceive human users.

Increasing Security with Authentication

Two-factor authentication (2FA) and multifactor authentication (MFA) were introduced to overcome these password-related security limitations. Both methods ensure that a person’s identity is authenticated using both something they know (the password) and something they have (such as an app on their phone or a form of biometric authentication like a thumbprint.) Even if a password is compromised, attackers still need another factor to gain access.

While these methods reinforce security, there are still some administrators and operations leaders who worry that the additional steps can get in the way of productivity.  This is especially true today in the world of developers and cloud architects who rely on speed and agility. The problem is that the access those developers and architects have is too critical to be left vulnerable.

Since they have having access to valuable secrets and full control over their environments, developers and architects are some of the most privileged users within an organization. Compromising a developer is a shortcut for attackers to gain immediate elevated access to the most critical information an organization has – hence the push for additional authentication.

While we always recommend using MFA when accessing critical systems, without the proper management and monitoring, passwords or credentials can still be a weak link. Storing and rotating credentials in a digital password vault or credential manager is another key method for organizations to solve the ‘people’ problem, as it prevents password re-use.

In addition, organizations are also facing high stakes and complex challenges from non-password credentials including SSH or Cloud API keys and DevOps secrets that provide access to different systems and applications. Credential vaulting and rotation prevents re-use, while also eliminating the challenges of manual credential management.

Securely granting access to different servers on-premises, different cloud providers, and most importantly, staying compliant with regulations is not an easy task. Especially when security leaders need to make sure that the business keeps working and security does not interfere with user activity.

The question then becomes: Is there an easy way to authenticate without remembering a password – and – is there a way to secure authentication while keeping the process simple?

Enter: Passwordless Authentication

‘Passwordless’ does not mean that passwords cease to exist; it simply means that end-users and application accounts are not exposed directly to the credentials needed to access critical systems. The goal of passwordless authentication is to improve security and make it more convenient and simpler for users to access resources.

With passwordless authentication, users do not need to memorize or enter passwords to log in to applications. Instead, access is granted according to user permissions or something that can’t be obtained by anyone other than the correct user, such as a biometric identification. If a password is never exposed to the user, then that password can never be stolen and, since endpoints are some of the most difficult systems to fully secure, this is a sound strategy.

Personal user passwords can be protected using passwordless methods and several are growing in popularity like Windows Hello and FIDO compliant web sites and devices.

With this approach, IT and Security teams can rest assured that user access is secured and there are no reused or shared passwords and, therefore, attackers can’t phish for users’ passwords or access. User authentication data is never stored within the system as a password would be, so even someone with access to the system can’t retrieve the authentication data – giving passwordless solutions a key security advantage.

This addressess the problem of protecting assets from sophisticated cyber attacks involving credential harvesting, which commonly start with phishing attacks or using a weak or re-used password. The end result is a positive user experience and strong security.

Passwordless Authentication and Privileged Access Management (PAM)

We’ve established that passwordless can be great for personal user passwords, but, what about securing access to extremely sensitive assets? How can businesses grant passwordless access to the root account of a newly provisioned machine or a service account running mission critical services?

These forms of privileged access represent the greatest risk to organizations and need even stronger security controls than an ordinary passwordless tool can provide. Access to tier 1 and tier 0 systems, which contain the most privileged assets in an organization, should be protected with a comprehensive Privileged Access Management (PAM) solution. These solutions can vault and isolate credentials so users never know them – making them passwordless – but, also provide additional layers of security like session monitoring, recordings and analytics-based threat detection.

How can organizations tier access between personal users, tier 1 admin users and tier 0 systems?

While, personal user passwords can be protected using standard passwordless methods, organizations should protect their service accounts, admins and non-human identities with stronger, dedicated solutions. However, whether securing access to critical information or authenticating individual users, the basic rules remain the same:

  • The user shouldn’t know the password.
  • The user should have a simplified streamlined experience.
  • Secrets should be protected and properly rotated.
  • Access to these secrets should be secured and monitored.

This approach can get us closer to a world where passwords (or keys) are not the weakest link anymore – a passwordless world, a more secured world.

Wonder how this can be achieved?

Check out the CyberArk Privileged Access Security Solution for more details or learn more about CyberArk Alero, our newest offering, which provides native, passwordless authentication for remote users.

Previous Article
A Brief History of Securing the Hybrid Cloud
A Brief History of Securing the Hybrid Cloud

More and more organizations are getting on board with infrastructure as a service and the hybrid cloud and ...

Next Article
CISO View Insights: Securely Scaling RPA Initiatives
CISO View Insights: Securely Scaling RPA Initiatives

According to a recent Deloitte study, robotic process automation (RPA) continues to meet and exceed expecta...