World Password Day: an authentication wake-up call

World Password Day is an annual reminder of the importance of having a strong password to protect our personal details. It’s also a timely wake-up call for businesses and employees engaging in risky password activities. After all, less-than-stringent practices can open the door to cybercriminals who rely on poor password habits to get a foot in the door. By Nic Sarginson, Sr. Solutions Engineer for UKI and RSA at Yubico.

Thursday, 7th May 2020. Posted by Phil Alsop.

Whilst the username and password combination remains the only form of authentication for many logins, its weaknesses suggest that its days are numbered. This World Password Day, companies and individuals should take the opportunity to review their authentication practices and strengthen them beyond the simple password.

Recent research conducted by the Ponemon Institute found that 39% of individuals reuse passwords across workplace accounts and, even more worryingly, 51% sometimes or frequently share passwords with colleagues. The shareability and reusability of the password are inherent weaknesses that open the door to attackers. Credential stuffing is one example: it works by trying stolen login details against other sites, and it succeeds because people continue to reuse passwords despite advice to the contrary.
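
To make that pattern concrete from the defender's side, here is an added example (not code from the article or from Yubico) that scores authentication log lines for the credential-stuffing signature: one source failing across many distinct accounts, as opposed to one user repeatedly mistyping their own password. The log format, IP addresses and usernames are constructed for the example.

```go
package main

import "strings"

// SampleLog is constructed input in the form "<timestamp> <source IP> <username> <ok|fail>".
var SampleLog = []string{
	"2020-05-07T09:00:01Z 203.0.113.7 alice fail",
	"2020-05-07T09:00:02Z 203.0.113.7 bob fail",
	"2020-05-07T09:00:03Z 203.0.113.7 carol fail",
	"2020-05-07T09:00:04Z 203.0.113.7 dave ok",
	"2020-05-07T09:00:05Z 198.51.100.2 erin fail",
}

// parseAuthLine splits one line of the constructed format; ok is false if malformed.
func parseAuthLine(line string) (src, user string, failed, ok bool) {
	f := strings.Fields(line)
	if len(f) != 4 {
		return "", "", false, false
	}
	return f[1], f[2], f[3] == "fail", true
}

// SuspectSources returns sources that tried at least minUsers distinct usernames with a
// failure ratio of at least minFailRatio: one user mistyping fails on one account,
// credential stuffing fails across many accounts from the same client.
func SuspectSources(lines []string, minUsers int, minFailRatio float64) map[string]bool {
	users := map[string]map[string]bool{} // source -> set of usernames tried
	total, failed := map[string]int{}, map[string]int{}
	for _, l := range lines {
		src, user, isFail, ok := parseAuthLine(l)
		if !ok {
			continue
		}
		if users[src] == nil {
			users[src] = map[string]bool{}
		}
		users[src][user] = true
		total[src]++
		if isFail {
			failed[src]++
		}
	}
	out := map[string]bool{}
	for src, u := range users {
		if len(u) >= minUsers && float64(failed[src])/float64(total[src]) >= minFailRatio {
			out[src] = true
		}
	}
	return out
}
```

Thresholds are deliberately parameters: a low distinct-user count with a high failure ratio is a cheap first-pass signal to feed into rate limiting or alerting, not a verdict on its own.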

Strengthening authentication beyond passwords

To effectively combat credential phishing, credential stuffing and other common cyber threats, companies must strengthen their authentication practices by reducing their reliance on passwords. Two-factor authentication (2FA) has grown in popularity and usage as a result. By combining login credentials with something you have (a mobile phone or security key), something you are (a fingerprint or facial scan) or something you know (a PIN or security question), 2FA delivers a higher level of security than the username and password combination alone. Not all 2FA methods are equally strong, however.

2FA methods such as memorable words or SMS one-time passwords (OTPs) are the most basic layer of additional security: better than no 2FA at all, but still susceptible to attack. Indeed, ‘SIM-swap’ fraud is just one of the increasingly common phone-based attacks used by bad actors. Additionally, using SMS OTPs is quite inconvenient, as it requires the user to type in a code, often across devices, in addition to entering their password. Overall, they provide an extra level of security, but they do not fix the problem.

Usability is a key consideration for companies looking to improve their security practices beyond the sole use of passwords. In fact, the Ponemon Institute research found that 56% of individuals will only adopt new technologies that are easy to use and significantly improve account security. This highlights the issue with basic 2FA methods — they are still inconvenient and cumbersome for users.

More sophisticated forms of 2FA are simple and convenient to use, making it more likely that individuals will adopt them. For example, FIDO security keys provide a significantly higher level of security than other 2FA methods, yet they are also easy to use, so they have little impact on the user and will not interrupt the working day.

It is important that companies assess the requirements of employees and make a considered choice when selecting a 2FA method, to ensure that it will meet their needs and be widely adopted.

New standards of security

Reliance on the password can be reduced further if companies adopt new security standards such as FIDO2 and WebAuthn, which are now supported in all leading platforms and browsers. The FIDO2 specifications tackle all the problems with traditional authentication and allow users to authenticate easily to online services with common devices, in both mobile and desktop environments.

A core component of FIDO2 is WebAuthn, the first globally accepted standard for web authentication, co-developed by Yubico experts and approved by the World Wide Web Consortium (W3C). Using a standard web API, WebAuthn enables online services to easily support FIDO authentication, with the option of passwordless logins. The standard is based on public key cryptography, which removes the need to create and store passwords in a central location where they are vulnerable to data breaches. It is the only form of authentication proven to eliminate account takeovers and protect against phishing attacks 100% of the time.
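
As an added illustration (not code from the article or from Yubico), the following Go model of a WebAuthn assertion shows why the design needs no central password store and resists phishing: the relying party keeps only a public key, and rejects any assertion whose challenge, browser-reported origin or RP ID hash does not match before it even checks the signature. It follows the ES256 signing input (authenticatorData || SHA-256(clientDataJSON)) but simplifies the flags byte and omits the signature counter; the RP ID, origins and challenge strings are placeholder values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// Credential is all the relying party stores for a user: a public key, never a password.
type Credential struct{ RPID, Origin string; Pub *ecdsa.PublicKey }
// clientData mirrors clientDataJSON; the browser, not the page, fills in Origin, which defeats phishing.
type clientData struct{ Type, Challenge, Origin string }
// signedMessage is the ES256 signing input: SHA256(authData || SHA256(clientDataJSON)).
func signedMessage(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Register creates a per-site key pair; only the public half is sent to the relying party.
func Register(rpID, origin string) (*ecdsa.PrivateKey, Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, Credential{}, err
	}
	return priv, Credential{rpID, origin, &priv.PublicKey}, nil
}

// Sign mimics navigator.credentials.get() in a browser sitting at browserOrigin.
func Sign(priv *ecdsa.PrivateKey, rpID, browserOrigin, challenge string) (authData, cdJSON, sig []byte, err error) {
	h := sha256.Sum256([]byte(rpID))
	authData = append(h[:], 0x05) // rpIdHash + flags (UP|UV); sign counter omitted here
	cdJSON, _ = json.Marshal(clientData{"webauthn.get", challenge, browserOrigin})
	sig, err = ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cdJSON))
	return
}

// Verify is the relying party's check: challenge, origin and RP ID hash, then the signature.
func Verify(c Credential, challenge string, authData, cdJSON, sig []byte) bool {
	var cd clientData
	want := sha256.Sum256([]byte(c.RPID))
	if json.Unmarshal(cdJSON, &cd) != nil || cd.Type != "webauthn.get" ||
		cd.Challenge != challenge || cd.Origin != c.Origin || // replayed, or a look-alike site
		len(authData) < 33 || string(authData[:32]) != string(want[:]) {
		return false
	}
	return ecdsa.VerifyASN1(c.Pub, signedMessage(authData, cdJSON), sig)
}
```

A leaked Credential table gives an attacker nothing to replay elsewhere, and an assertion produced on a look-alike domain fails the origin check regardless of how convincing the page looked to the user.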

Additionally, and crucially, the modern FIDO2 and WebAuthn standards offer variety and do not force users into one authentication method. Instead, these widely adopted standards offer choice — for example, an external authenticator such as a hardware security key, a built-in biometric sensor, a PIN, or a combination of the three.

This World Password Day, it’s time to examine whether the static username and password are still up to the task, or whether it is in fact time to rethink password-based authentication altogether.