Thinking about going passwordless? Here’s what to consider first.
In 2004, Bill Gates made a bold prediction that passwords would soon be dead. Almost twenty years later, the password is pretty much as prevalent as ever. If you’re here, it’s a question that’s probably crossed your mind too: why do we have to persist with passwords? They’re expensive and time-consuming for IT teams to reset, end users still struggle with them, and they’re a constant source of security breaches.
It’s certainly not for a lack of trying. At the 2022 Worldwide Developers Conference, Apple announced that the iOS 16 and macOS Venture operating systems will have passwordless logins. Microsoft have also added Windows Hello for Business, which as stopped forcing users to need passwords to access their personal and work accounts and services. For Android users, there are plenty of third-party vendors on the market offering passwordless authentication.
However, ‘going passwordless’ isn’t as simple as it sounds. It’s a journey which could start with adding MFA to all password scenarios, then adding single-sign on (SSO) to reduce the amount of passwords. For some organizations, that could be enough – others will want to take further steps.
First, we need to think about what passwords are good for when used properly. They’re a simple access security measure, to make sure the right people access the right things – operating systems, websites, and locally installed applications. And they’re something every employee understands. So when getting rid of (or greatly reducing) them, organizations have to weigh up the costs, usability, and limitations of the replacement authentication technology available.
Why are businesses considering going passwordless?
Every business is different, so decision makers need to consider what exactly it is they hope to gain from ditching passwords. For most organizations, it’s likely to be one of the three following reasons – often a combination of all.
1. Reduce password attacks
The biggest issue when it comes to passwords. The 2023 Verizon DBIR estimates that 86% of data breaches involve stolen credentials. People are the problem, as end-users create weak, easy-to-guess passwords that are susceptible to dictionary and brute force attacks. If people reuse their strong work passwords across personal sites and devices, the risk multiplies. Specops research shows 30% of end users use the same password across all of their accounts. Many more just use slight variations.
A famous password attack is the Colonial Pipeline hack, where a ransomware attack affected consumers and businesses along the entire East Coast. Attackers got into the network through an exposed password for a VPN account, after it was believed an employee had used the same password for the VPN in another location. This gave the hackers their initial entry point to deploy ransomware onto the network.
However, it’s not fair to solely blame end users for password attacks. They often have too many passwords to remember and too little support from their organizations with weak password policies. Some enforce higher standards, but even strong passwords are susceptible to password reuse and external threats such as phishing. Could MFA have stopped the Colonial Pipelines hack? Possibly, but no form of authentication is wholly risk-free.
Uber were breached in September 2022 thanks to a hacker (allegedly affiliated with Lapsus$) getting hold of an external contractor’s VPN credentials, most likely by purchasing them on the dark web. The attacker then bombarded the contractor’s phone with two-factor login approval requests, which were initially rejected. This prompted the hacker to pose as tech support via WhatsApp, ultimately convincing the contractor to accept an MFA prompt.
Compromised passwords are often the first point of entry for attacks, so if passwords are used it’s important to be able to detect compromise. This is why Specops Password Policy uses a Breached Password Protection feature to continuously scan Active Directory for passwords that have become compromised through malware, reuse, and breaches – including those being used in attacks right now.
2. Save time and money for IT teams
Password resets are a time burden on IT teams who would rather focus on other issues. Forrester estimate they also cost about $70 per password reset – which can add up to a serious time and money sink in a large business. Some organizations see losing passwords as a way to use IT teams’ time and resources more effectively.
However, there are other low friction options available that could reduce this burden. For example, software such as Specops uReset allows users to reset their own passwords in a simple and secure way. They can authenticate themselves through third-party services like Duo Security, Google Authenticator, Microsoft Authenticator, Okta, PingID, Symantec VIP, and Yubikey – taking the strain of resets away from the IT team.
The addition of a tool like Specops uReset means end users can securely change their own passwords, directly integrating with other authentication services. This can greatly reduce calls and tickets to the helpdesk, saving on costs and IT time. Some organizations may even choose to set passwords to ‘never expire’ – as long as they have a strong enough method for detecting compromised passwords.
3. End user experience and productivity
Many of the security issues stem from the fact that end users don’t like passwords. Poor end user UX is also a driver of time-wasting calls to the service desk. People don’t like thinking of passwords, remembering them, and having to create unique ones at set intervals. In a large enterprise, time spent resetting passwords and contacting IT support can add up to a lot of lost working hours over the years. Some organizations are considering going passwordless to offer a better end user experience for their employees and boost their productivity.
Of course, another option is to make the tools and process you already in place have more user friendly. Integrating a third party tool such as Specops Password Policy into your Active Directory can help guide users during password changes instead of the standard and frustrating ‘your password doesn’t meet length or complexity standards’ message. End users get a better experience thanks to dynamic feedback at the password change screen that guides them towards creating a strong password.
How does passwordless tech work?
‘Passwordless’ can describe a couple of different scenarios. For example, when an end user uses their fingerprint, facial, or iris recognition for Windows Hello for Business, they haven’t technically entered a password. However, there’s still a credential exchange and a secret being stored on the server side. The biometric authentication is gating the stored secret and if it fails, like when Windows Hello did after an upgrade in October 2022, a password is used as a fallback.
An alternate scenario is authenticating without exchanging any passwords with the platform the user is authenticating to. For example, when a user authenticates via biometrics to a FIDO2 device, it cryptographically authenticates them to the service using keypairs. During the FIDO2 authentication process, a public/private key pair are generated when a user registers with a service. No passwords are stored or exchanged, so even if there was a server-side breach, there are no passwords to steal.
The private key is stored in a hardware-based vault on the device, while the public key is shared with the service. When a user wants to log in, the service sends a cryptographic challenge. The user authenticates themselves by either PIN or biometrics, but this information is never shared across the network – the private FIDO2 key remains on the user’s device.
Both definitions of passwordless are valid, but it’s important for an organization to be clear about what they’re aiming for.
Security limitations of passwordless tech
Most organizations are already familiar with multi-factor authentication (MFA). It adds an invaluable layer of security to the password by including anything from retina scans, face scans, fingerprint scans, push notifications, authenticator apps, magic links, SMS notifications, QR codes, pattern unlocks, USB security keys, Bluetooth security keys, and phone-based security keys.
So why not choose two or more factors from that list and cut passwords out entirely? Passwords create risk (or more accurately, poor password policies create risk) but the truth is there’s no hack-proof authentication system.
Biometrics are what most people think of when we talk about replacing passwords, although they’re more commonly used in combination with passwords as part MFA rather than instead of them. Of course, the ubiquity of smartphones is the main reason biometrics have increased in popularity. Better sensors and improvements to face, voice, and fingerprint recognition (on PCs and tablets too) have made it a viable option.
However, biometrics do have some limitations. Despite improved technology, there’s plenty of evidence of the wrong person’s faces and fingerprints unlocking a device. They also open up privacy concerns if an organization is considering rolling out biometric authentication. Your face and fingerprint are unique – but how are those biometric traits recorded, stored, and accessed? Some people might not like handing over even more personal data to companies like Apple, Google, and Microsoft.
Another issue with biometrics is if they do become compromised, they can’t be reset. We’re not talking about gory action movie scenes here – but biometrics can be spoofed. And if they were to become compromised or fail, what would we fall back to? The password.
Although passwords are more vulnerable to rudimentary attacks such as dictionary and brute force techniques, the truth is no authentication factors are invulnerable to hackers. Biometrics can be spoofed, SMS notifications are vulnerable to prompt bombing, and hardware tokens can be stolen.
Phishing is the most common way to steal passwords, but passwordless solutions can be phished too. Hackers can send users an email or text link that trick them into visiting a man-in-the-middle website, which can capture everything even after logging in with a passwordless authentication token.
FIDO2-based authentication tools are the best we have but even they are not infallible. An email account on the device could be compromised, the device itself could be physically stolen, and no passwords means no fallback to the simplest and fastest to change option if another authentication method is compromised.
Is passwordless tech more cost effective?
Over a long period, it’s possible removing passwords could reduce costs. Especially in organizations that had weak policies and were experiencing many breaches and a steady stream of helpdesk calls and resets. But going passwordless isn’t a new idea, so why haven’t more businesses taken the plunge? The simple answer is it isn’t financially feasible in the short term for many organizations – yet.
Authentication tools aren’t always going to be compatible with an organization’s operating system or devices. Think about the various directories, applications, and services within your organization that require passwords. It would probably take some time to list them all. Now consider updating or revising every single one to accommodate a transition to passwordless authentication.
It could also be costly for some organizations to get the myriad devices used to access their network aligned with biometrics or FIDO2-compliant tokens. Older devices or industry-specific hardware might not be compatible with the latest passwordless tech. Perhaps one day everything will have caught up – but right now, plenty of businesses would not have the hardware and software in place for a full transition to passwordless.
FIDO2 devices can be more expensive too, so some organizations might decide the juice simply isn’t worth the squeeze, when passwords (used correctly) can do a ‘good enough’ job.
Does passwordless offer a better user experience?
Passwordless doesn’t always guarantee a better end user experience – as of Dec 2021, only 2.6% of Twitter users had willingly activated 2FA. Biometrics are fast on their own but waiting for a SMS and entering codes takes longer than typing in a password. Some end users might see changing from passwords, which they’ve used their whole lives, as a pain and try to circumvent. They might not be comfortable sharing biometric details with their company, which opens up extra privacy issues regarding storage and deletion. Workplaces will have to go through some user education and teething problems.
Certain industries may find the passwordless transition harder than others. In somewhere like a warehouse where frontline workers use shared credentials or shared devices, passwords may be more appropriate. In a hospital, speed is of the essence and a biometric login could help. Although what happens when passwordless tech glitches out, loses vital online access, or needs backing up in a critical situation? The humble password will need to come to the rescue.
Four questions to ask before going passwordless
Before committing to a passwordless journey, here are four important questions to consider. The answers will shape your strategy – and might make you rethink whether going passwordless is the right thing for your business at this moment in time:
Out of the above services and applications, which can I control the password policy of? In other words, would it be within my power to make it passwordless?
If the goal is to reduce password attacks, it’s worth considering attackers could still use passwords to bypass the passwordless authentications and access your network. This can be a serious hidden risk if these backup passwords become ‘forgotten about’ compared to when they’re used regularly and front of mind.
What kind of devices do they use – company-issued or a mix of personal devices too? What’s their comfort level with adapting to new technology?
You could reduce password use by encouraging the use of SSO, but it’s important to consider whether your AD is being regularly and reliably checked for compromised passwords – as people tend to rely on AD as the login for SSO.
Reduce password pain with Specops
Security, UX, and cost-saving are the main drivers of passwordless adoption. However, you might be surprised how easy it is to reduce these headaches with simple existing third-party tools that integrate with your Active Directory. Passwords aren’t inherently a problem – weak passwords are. Not sure about passwordless but ready to make sure the passwords you do have are more secure? Contact us today to see how we can help.
(Last updated on February 23, 2024)
Recently the news reported that the social app Houseparty was hacked. One of the details taken by the hackers was user account passwords. This led to a spate of other hackings, due to user passwords being the same for different accounts. These events encouraged Specops Software to investigate the password security problem. Specops Software created…Read More
Resetting passwords via service desk tickets and support calls is an everyday burden on IT teams. Users are equally frustrated when the ‘time to change your password’ notification pops up during a busy work day – especially when they realize they can’t simply add ‘!’ to the end of their old password. But despite IT…Read More
Today, Specops Software released the latest version of Specops Password Auditor, introducing a new report that will make the lives of IT admins looking to force a password reset a little easier. This release comes in response to last week’s call from the White House to reset all passwords. With Forrester estimating that each password…Read More