Many company leaders have experienced it: The groans when reminding staff, once again, to keep their passwords updated, complex, and non-repetitive.
Passwords remain a key vulnerability for security-conscious organizations. According to Verizon’s 2022 Data Breach Investigations Report, compromised credentials (read: someone got a hold of your username and password) led the pack in terms of entry points for malicious actors. Compromised credentials accounted for about half of non-error, non-misuse breaches.
And the bad guys continue inventing ingenious ways of obtaining employee passwords — thus gaining access to sensitive company data with potentially devastating impacts. Yet, for staff, the password shuffle can feel like an onerous addition to an already busy schedule (and just one more password to try to remember).
This year’s DEFCON in Las Vegas even hosted a dedicated Password Village focused on educating attendees on how easy it is to automate the cracking of complex passwords. Techniques such as GPU acceleration and targeted password-cracking filters give attackers additional tools for bypassing traditional password authentication.
An organization called the FIDO Alliance — which goes so far as to say that passwords are at the root of 80-plus percent of breaches — thinks it found a solution. The alliance offers free open standards to replace password-only logins with fast, secure logins (such as the facial or fingerprint recognition options on your iPhone).
Its latest proposal could work; it just requires a critical mass of adopters. Passwords have long been attractive because they’re a cheap option. FIDO has proffered other solutions in the past, but its latest idea offers a high level of security at a much lower cost.
The FIDO Alliance wants to lean on the now-ubiquitous smartphone as a “roaming authenticator,” meaning if you have it with you, you can sign into any account on any device — no passwords necessary.
You may be wondering if that’s like multifactor authentication (MFA), which often relies on a login prompt or one-time code sent to a smartphone. Those prompts and codes, however, can still be phished or smished. FIDO, on the other hand, proposes that instead of sending a prompt, the phone itself (which we pretty much always have on us) acts as the authenticator, talking to the device you are logging in from over Bluetooth, which is phishing-resistant because it requires physical proximity. The organization also has a plan for streamlining credential changes when people upgrade their devices.
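To make the phishing-resistance point concrete, here is an added illustration (not code from the original post, nor from the FIDO Alliance) of the two properties that a FIDO-style roaming authenticator relies on beyond proximity: each response is bound to the site the browser is actually connected to, and each challenge can be used only once. It goes beyond what the post describes by showing the challenge-response exchange itself. Assumptions of this example: a symmetric HMAC stands in for the public-key signature a real FIDO authenticator produces, Bluetooth proximity is modelled as a simple boolean, and the site names example.com and examp1e.com are hypothetical.

```python
import hashlib
import hmac
import json
import secrets


class PhoneAuthenticator:
    """Toy model of a phone acting as a FIDO-style roaming authenticator.

    Simplification (assumption of this example): a real FIDO authenticator holds an
    asymmetric key pair per site and the server keeps only the public key; here an
    HMAC secret per site stands in so the example runs on the standard library alone.
    """

    def __init__(self):
        self._creds = {}  # rp_id -> (credential id, secret)

    def register(self, rp_id):
        cred_id = secrets.token_hex(8)
        secret = secrets.token_bytes(32)
        self._creds[rp_id] = (cred_id, secret)
        return cred_id, secret  # handed to the server once, at enrollment

    def sign(self, rp_id, challenge, in_bluetooth_range):
        # Proximity gate: the phone only answers a client that is physically nearby.
        if not in_bluetooth_range:
            raise PermissionError("no client within Bluetooth range")
        if rp_id not in self._creds:
            raise LookupError("no credential for this site")
        cred_id, secret = self._creds[rp_id]
        # The site identity is part of the signed data, so a response is useless
        # to any site other than the one the browser actually connected to.
        msg = json.dumps({"rp": rp_id, "challenge": challenge}, sort_keys=True).encode()
        return cred_id, hmac.new(secret, msg, hashlib.sha256).hexdigest()


class RelyingParty:
    """The website (relying party) that verifies login responses."""

    def __init__(self, rp_id):
        self.rp_id = rp_id
        self._creds = {}       # credential id -> secret
        self._pending = set()  # challenges issued but not yet consumed

    def enroll(self, cred_id, secret):
        self._creds[cred_id] = secret

    def new_challenge(self):
        challenge = secrets.token_hex(16)
        self._pending.add(challenge)
        return challenge

    def verify(self, challenge, cred_id, signature):
        # Each challenge is single-use, which blocks replay of a captured response.
        if challenge not in self._pending:
            return False
        self._pending.discard(challenge)
        secret = self._creds.get(cred_id)
        if secret is None:
            return False
        msg = json.dumps({"rp": self.rp_id, "challenge": challenge}, sort_keys=True).encode()
        expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, signature)


def run_scenarios():
    """Returns which login attempts succeed: only the genuine, in-range one should."""
    site = RelyingParty("example.com")  # constructed, hypothetical site
    phone = PhoneAuthenticator()
    site.enroll(*phone.register(site.rp_id))
    results = {}

    # 1. Genuine login: the browser on example.com relays the challenge to the nearby phone.
    ch = site.new_challenge()
    results["genuine"] = site.verify(ch, *phone.sign("example.com", ch, True))

    # 2. Phishing: a lookalike page forwards the real challenge, but the browser reports
    #    the page's true origin to the phone, which holds no credential for it.
    ch = site.new_challenge()
    try:
        results["phished"] = site.verify(ch, *phone.sign("examp1e.com", ch, True))
    except LookupError:
        results["phished"] = False

    # 3. Replay: a captured response is submitted a second time.
    ch = site.new_challenge()
    cred_id, sig = phone.sign("example.com", ch, True)
    site.verify(ch, cred_id, sig)
    results["replayed"] = site.verify(ch, cred_id, sig)

    # 4. Remote attacker: the phone is not near the client making the request.
    ch = site.new_challenge()
    try:
        results["out_of_range"] = site.verify(ch, *phone.sign("example.com", ch, False))
    except PermissionError:
        results["out_of_range"] = False

    return results


if __name__ == "__main__":
    print(run_scenarios())
```

Run it and only the "genuine" scenario comes back True. The point to take from it is that a phished or relayed prompt fails not because the user was careful, but because the browser, not the attacker, decides which site identity is signed, and the server throws away every challenge after its first use.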
If enough relevant parties adopt such an option, it could simplify the giant passwords headache. Of course, there’s always the risk of people losing devices, but the physical proximity requirement could significantly limit the reach of malicious actors.
For individuals, the password shuffle could become a thing of the past.
The evolution to a truly password-free Internet would need all software developers, apps, websites, and others in the industry to buy in — and do so in a compatible way. Still, the potential is promising and could serve as a valuable piece of a robust security plan.
Digital Silence specializes in helping organizations establish mature cybersecurity programs, including training employees about social engineering. Contact us for help strengthening your defenses.