7 Passwordless Risks and How to Mitigate Them
The risks of password-based authentication are well known. Hackers can guess, steal or buy passwords to compromise enterprise systems and networks, take over accounts, and steal data. Passwordless authentication can mitigate these risks – as long as it is truly passwordless and not just offering a passwordless experience.
For instance, Single Sign-on (SSO) is not truly passwordless. It simply hides the password in the user experience, while still using it in the background for authentication. More importantly, SSO is not truly secure, since the password can still be compromised to open all doors to a bad actor – with a single key. A truly passwordless solution completely dispenses with passwords for more robust authentication that strengthens enterprise security, and avoids all password-based attack vectors (e.g. phishing). It also improves user experiences and productivity, and reduces password management overheads.
But even with these advantages, there are some passwordless risks. Fortunately, these risks can be mitigated. This article will address both these aspects.
#1: Vulnerable End-user Authentication Devices
Device theft is one passwordless risk related to end-user authentication devices. If an attacker gets their hands on a user’s unlocked device, they can intercept any OTPs, PINs or magic links generated by authenticator apps, or sent via email or SMS.
Another passwordless risk is SIM swapping. A bad actor manipulates a mobile service provider into transferring a legitimate user’s SIM card to them, enabling them to intercept the user’s SMS messages, and access all services relying on SMS-based authentication.
User-owned authenticator devices are particularly vulnerable to several threats. In addition to theft, these threats may come from insecure applications containing malware, malicious websites, or unsecured public or open networks.
The “mobile” nature of mobile devices makes them vulnerable to the risk of theft and unauthorised use. However, organisations can minimise the impact of these risks by leveraging a multifactor cryptographic device authenticator and Mobile Device Management (MDM) solutions.
A multifactor cryptographic device authenticator by default prevents the interception of OTPs, PINs and SMS codes, as well as SIM swapping, and uses a second factor (such as a biometric) to prevent unauthorised use of the authentication device if it is stolen.
With MDM, an enterprise can monitor, manage and secure mobile devices, and separate employees’ personal data from corporate data to prevent leaks or losses of the latter. They can also control and distribute relevant security policies to boost enterprise data and network security.
#2: Poor Identity Proofing and Authenticator Provisioning
Identity proofing is establishing the real user’s identity at the point of registration/account provisioning, to ensure that only trusted and authorised individuals can access the organisation’s data. This step is essential to protect the organisation from the many security threats posed by unauthorised users (aka bad actors), such as using stolen or synthetic identities for identity fraud. However, weak identity proofing creates passwordless risk, as does poor authenticator provisioning.
To mitigate these risks and establish trust, it’s vital to securely provision users, devices and app instances, and to ensure that the established user, device and app identities are inseparable, so as to achieve enhanced identity governance.
It’s also important to implement strong security controls like device lock and app attestation to verify and validate the established identities and device/app integrity. Client-side secure account recovery also helps to prevent compromise of the authentication credentials and server-based insider attacks.
#3: Non-secure Identity Management
Identity and Access Management (IAM) is about ensuring that a given identity or authorised user has access to the right assets within the correct context. Equally important, it prevents unauthorised users from accessing these resources and creating security challenges for the organisation.
Nonetheless, non-secure identity management is a passwordless risk. Non-secure identity provisioning can lead to identity fraud, weak authentication protocols can be subverted by hackers, and proprietary protocols are difficult to provably secure against privileged malicious insiders. If the IAM system is delegated to an external identity provider, the organisation may lose control and have to blindly trust the security of that provider.
Secure Identity Proofing with transitive trust ensures that only authorised and explicitly verified users and devices can be provisioned to access an organisation’s resources in the first place.
Passwordless Multi-factor Authentication (MFA) that relies on strong authentication factors like biometrics and not weak factors like passwords ensures that users and devices are adequately authenticated to gain access. Device and app instance binding could be leveraged to provide a verifiable attestation of the device/app integrity and thereby ensure non-repudiation for every transaction.
Zero-trust security principles can be adopted to make sure that all access, whether from within the organisation’s network perimeter or from outside, is explicitly scrutinised and independently verified.
Secure identity management not only ensures secure user identification, authentication and authorisation, but also protects the authentication secrets, prevents authentication bypass, supports secure revocation and recovery of credentials, and is resistant to identity provider (or service provider) compromise.
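As an added example (not IDEE’s code or part of the AuthN product), here is how a multifactor cryptographic device authenticator (risk #1) and user/device/app binding with revocation (risks #2 and #3) fit together in one flow, written in Go against the standard library’s Ed25519. The device holds a private key that never leaves it; the server stores only the public key, bound to the proofed user and to an app instance ID. Each login signs a fresh single-use challenge together with the origin the device believes it is talking to and a flag saying the device’s local second factor passed, so a captured response cannot be replayed, cannot be redirected to another site, and cannot have its user-verification flag flipped afterwards. The origin, user name and app-instance identifiers are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strconv"
)

// Credential is what the server keeps from provisioning: proofed user, device key, app instance.
type Credential struct {
	UserID, AppInstanceID string
	PublicKey             ed25519.PublicKey
}

// Authenticator models the user's device; the private key is generated here and never leaves.
type Authenticator struct {
	priv          ed25519.PrivateKey
	AppInstanceID string
}

func NewAuthenticator(appInstanceID string) (*Authenticator, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, AppInstanceID: appInstanceID}, nil
}

// Assertion is the device's signed answer to one server challenge.
type Assertion struct {
	UserID, AppInstanceID, Challenge string
	Origin                           string // relying party the device believes it is talking to
	UserVerified                     bool   // local second factor (biometric/PIN) passed on the device
	Signature                        []byte
}

// signedPayload puts every field under the signature, so none of them can be
// altered afterwards (e.g. flipping UserVerified) without the signature failing.
func signedPayload(a *Assertion) []byte {
	h := sha256.New()
	for _, part := range []string{a.UserID, a.AppInstanceID, a.Challenge, a.Origin, strconv.FormatBool(a.UserVerified)} {
		h.Write([]byte(part))
		h.Write([]byte{0}) // field separator
	}
	return h.Sum(nil)
}

// Respond is what the device does once the user has passed local verification.
func (d *Authenticator) Respond(userID, challenge, origin string, userVerified bool) Assertion {
	a := Assertion{UserID: userID, AppInstanceID: d.AppInstanceID, Challenge: challenge, Origin: origin, UserVerified: userVerified}
	a.Signature = ed25519.Sign(d.priv, signedPayload(&a))
	return a
}

// Server is the relying party: bound credentials plus outstanding challenges.
type Server struct {
	Origin      string
	Credentials map[string]Credential
	challenges  map[string]bool
}

func NewServer(origin string) *Server {
	return &Server{Origin: origin, Credentials: map[string]Credential{}, challenges: map[string]bool{}}
}

// Register binds the proofed user to this device key and app instance;
// Revoke drops the whole binding (there is no password to reset).
func (s *Server) Register(userID string, d *Authenticator) {
	s.Credentials[userID] = Credential{UserID: userID, AppInstanceID: d.AppInstanceID, PublicKey: d.priv.Public().(ed25519.PublicKey)}
}
func (s *Server) Revoke(userID string) { delete(s.Credentials, userID) }

// NewChallenge issues a fresh random nonce and remembers it until it is used.
func (s *Server) NewChallenge() string {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	s.challenges[hex.EncodeToString(c)] = true
	return hex.EncodeToString(c)
}

// Verify checks an assertion against the bound credential. The challenge is
// consumed first, so it is single-use whatever the other checks decide.
func (s *Server) Verify(a Assertion) error {
	if !s.challenges[a.Challenge] {
		return errors.New("challenge unknown or already used (replay)")
	}
	delete(s.challenges, a.Challenge)
	cred, ok := s.Credentials[a.UserID]
	switch {
	case !ok || a.AppInstanceID != cred.AppInstanceID:
		return errors.New("no live credential binds this user to this app instance")
	case a.Origin != s.Origin:
		return errors.New("origin mismatch: assertion was made for another site")
	case !a.UserVerified:
		return errors.New("local user verification (second factor) did not pass")
	case !ed25519.Verify(cred.PublicKey, signedPayload(&a), a.Signature):
		return errors.New("signature does not verify under the bound device key")
	}
	return nil
}
```

In a deployed system the device key would live in the phone’s secure hardware and the user-verification flag would be set by that hardware, which is what separates this from an OTP or SMS code that anyone holding the unlocked phone can simply forward.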
#4: Security Misconfigurations and New Security Vulnerabilities
Security misconfigurations, which accounted for 82% of vulnerabilities in 2019, present an easy target to hackers since they can easily detect and exploit such weaknesses to steal data and create havoc in the organisation. These errors include unencrypted files, unpatched systems, continued use of default credentials, unsecured devices, and weak (or non-existent) firewall protection. Misconfigured environments also leave the organisation vulnerable to malware infections, botnets and ransomware attacks, which can result in everything from data breaches and ransom demands, to identity fraud and costly business downtime.
It’s critical to identify and address such flaws early through a comprehensive risk-based vulnerability assessment across the entire tech stack, plus penetration testing, patch management and strong IAM governance. To prevent attacks, businesses should implement secure configurations and implement compliance checks aligned with industry best practices such as the CIS Benchmarks.
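As an added example (not the article’s own), here is the shape of a configuration compliance check in Go: a small rule set covering the misconfiguration classes named above, run over a constructed weak configuration and over the corrected one. The settings model, the rule IDs and the short list of default credentials are all constructed for the example; a real assessment would draw its rules from a maintained benchmark such as the CIS Benchmarks the text mentions.

```go
package main

import "fmt"

// ServiceConfig is a deliberately small model of the settings an assessment inspects.
type ServiceConfig struct {
	Name               string
	TLSEnabled         bool
	AdminUser          string
	AdminPassword      string
	FirewallEnabled    bool
	EncryptedAtRest    bool
	DaysSinceLastPatch int
}

type Finding struct {
	RuleID, Severity, Detail string
}

type Rule struct {
	ID, Severity string
	Check        func(ServiceConfig) (failed bool, detail string)
}

// defaultCredentials is a constructed list of factory-default values for the example.
var defaultCredentials = map[string]bool{"admin": true, "password": true, "changeme": true, "": true}

// Rules mirror the classes of misconfiguration the article names.
var Rules = []Rule{
	{"CFG-01", "high", func(c ServiceConfig) (bool, string) {
		return !c.TLSEnabled, "traffic is not encrypted in transit"
	}},
	{"CFG-02", "critical", func(c ServiceConfig) (bool, string) {
		return defaultCredentials[c.AdminPassword], "administrative account still uses a default credential"
	}},
	{"CFG-03", "high", func(c ServiceConfig) (bool, string) {
		return !c.FirewallEnabled, "host firewall is disabled"
	}},
	{"CFG-04", "medium", func(c ServiceConfig) (bool, string) {
		return !c.EncryptedAtRest, "stored data is not encrypted"
	}},
	{"CFG-05", "high", func(c ServiceConfig) (bool, string) {
		return c.DaysSinceLastPatch > 30, fmt.Sprintf("last patched %d days ago (limit 30)", c.DaysSinceLastPatch)
	}},
}

// Assess runs every rule and returns one finding per failed rule.
func Assess(c ServiceConfig) []Finding {
	var findings []Finding
	for _, r := range Rules {
		if failed, detail := r.Check(c); failed {
			findings = append(findings, Finding{r.ID, r.Severity, detail})
		}
	}
	return findings
}

func main() {
	// Constructed sample: the same service before and after hardening.
	weak := ServiceConfig{Name: "intranet-portal", AdminUser: "admin", AdminPassword: "admin", DaysSinceLastPatch: 120}
	hardened := ServiceConfig{Name: "intranet-portal", TLSEnabled: true, AdminUser: "admin",
		AdminPassword: "<rotated, unique secret>", FirewallEnabled: true, EncryptedAtRest: true, DaysSinceLastPatch: 7}
	for _, cfg := range []ServiceConfig{weak, hardened} {
		findings := Assess(cfg)
		fmt.Printf("%s: %d finding(s)\n", cfg.Name, len(findings))
		for _, f := range findings {
			fmt.Printf("  [%s] %s: %s\n", f.Severity, f.RuleID, f.Detail)
		}
	}
}
```

The point of keeping rules as data rather than a chain of if-statements is that the same engine can be pointed at every service in the stack and the findings can be fed straight into patch management and IAM governance tickets.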
#5: Insider Threats
Malicious or negligent insiders are a growing passwordless risk for organisations everywhere. According to the Verizon DBIR 2020, in 2019 over 30% of data breaches involved internal actors such as current or former employees, or third-party contractors and vendors. Many insider threats also stem from the abuse of legitimate privileged accounts.
To mitigate such risks, it’s crucial to have security controls that prevent the abuse and/or escalation of privileges, such as multi-party authorisation and a decentralised policy enforcement point, so that the IAM policies cannot be subverted.
Organisations must also identify where sensitive files live, and determine who has access to data and who should not. More and more, it’s also becoming critical to maintain a least privileged access model, create a culture around data security, and follow zero-trust principles to protect enterprise assets.
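As an added example, not taken from the article, here is a multi-party authorisation check in Go: a privileged change is allowed only when enough distinct, entitled approvers have signed off on that exact request, and the requester is never counted among them even if they are otherwise an approver. The request, the approver names and the policy are constructed values; each approval is bound to a hash of the request so approvals collected for one change cannot be reused to push through another.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// PrivilegedRequest is an action that must not be executable on one person's say-so.
type PrivilegedRequest struct {
	ID, Requester, Action, Target string
}

// Digest pins approvals to exactly this request, so an approval collected for
// one change cannot be re-used to authorise a different one.
func (r PrivilegedRequest) Digest() string {
	h := sha256.Sum256([]byte(r.ID + "\x00" + r.Requester + "\x00" + r.Action + "\x00" + r.Target))
	return hex.EncodeToString(h[:])
}

// Approval is one approver's sign-off on one request digest.
type Approval struct {
	Approver, RequestDigest string
}

func Approve(approver string, r PrivilegedRequest) Approval {
	return Approval{Approver: approver, RequestDigest: r.Digest()}
}

// Policy is evaluated by the enforcement point itself, not by the party that
// asked for the change, so a single privileged account cannot grant its own request.
type Policy struct {
	RequiredApprovals int
	Approvers         map[string]bool // accounts entitled to approve this class of action
}

// Authorise returns nil only when enough distinct, entitled approvers (none of
// them the requester) have signed off on this exact request.
func (p Policy) Authorise(r PrivilegedRequest, approvals []Approval) error {
	digest := r.Digest()
	distinct := map[string]bool{}
	for _, a := range approvals {
		switch {
		case a.RequestDigest != digest:
			return fmt.Errorf("approval by %s is for a different request", a.Approver)
		case a.Approver == r.Requester:
			return errors.New("requester cannot approve their own request")
		case !p.Approvers[a.Approver]:
			return fmt.Errorf("%s is not an authorised approver", a.Approver)
		}
		distinct[a.Approver] = true // the same approver signing twice still counts once
	}
	if len(distinct) < p.RequiredApprovals {
		return fmt.Errorf("need %d distinct approvals, have %d", p.RequiredApprovals, len(distinct))
	}
	return nil
}

func main() {
	// Constructed sample: alice (herself an approver) asks for bob to be made an administrator.
	policy := Policy{RequiredApprovals: 2, Approvers: map[string]bool{"alice": true, "carol": true, "dave": true}}
	req := PrivilegedRequest{ID: "chg-0001", Requester: "alice", Action: "grant-role", Target: "bob:admin"}
	fmt.Println("carol+dave: ", policy.Authorise(req, []Approval{Approve("carol", req), Approve("dave", req)}))
	fmt.Println("alice+carol:", policy.Authorise(req, []Approval{Approve("alice", req), Approve("carol", req)}))
	fmt.Println("carol twice:", policy.Authorise(req, []Approval{Approve("carol", req), Approve("carol", req)}))
}
```

Treating a wrong-request or self-approval as a hard error rather than silently skipping it is deliberate: either is a sign that someone is trying to work around the control, and that is worth surfacing to the security team rather than hiding in a count.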
#6: Lack of Support for Legacy Systems
Many legacy systems use older authentication protocols such as RADIUS that rely on weak access credentials, and organisational identity stores for password authentication. As long as these legacy systems are in place, the identity store needs to continue supporting passwords.
This lack of support for passwordless authentication and integration – together with the fact that passwords are easy to integrate into any system – are two key reasons why organisations struggle to transition to passwordless authentication.
Passwordless authentication makes it possible to eliminate password risks without completely (and expensively) overhauling legacy systems. Modern identity and authentication technologies provide passwordless authentication that integrates easily with legacy systems using standards such as SAML, OIDC, WS-Auth and many others, while also improving security and compliance and eliminating friction in the authentication experience.
#7: Concerns About User Privacy
Some employees feel uncomfortable using their personal devices for passwordless authentication, and worry that their biometrics or contextual data will be used to violate their privacy. Familiarity with passwords and unfamiliarity with the benefits of passwordless authentication also creates resistance to change.
It is indeed possible to use personal devices and ensure that no user data is collected when passwordless authentication solutions based on zero-knowledge and zero-PII principles are used. In European countries it is important to ask the works council to review the passwordless authentication solution to ensure that it adheres to zero-knowledge and zero-PII principles.
As shown in this article, the seven key passwordless risks can indeed be mitigated. Knowing the strengths and weaknesses of passwordless authentication is critical to help an organisation go passwordless.
In addition to this article, you can assess the risks of your current authentication methods using this risk calculator. In just 15 minutes you can identify weaknesses and how best to fix them.