Can Passwordless be Hacked?


Spencer Marshall


The overly simplistic answer to the question “can passwordless be hacked” is yes, it can. However, as Transmit Security explains, the more nuanced answer is that passwordless is much more difficult to hack, making it more secure. A lot more secure.

A password is a piece of information that two parties share. One of them, the user, is expected to present it in order to access the services of the other. Because it is shared, there are two places from which it can be stolen or obtained: the user and the service.

On the other hand, passwordless authentication relies on access management that is not solely based on a shared piece of information. That means it is less likely to be compromised, making it the more secure option.

Why are Passwords Not Secure?

Did you know that, in 2022, over 80% of data breaches happened due to compromised passwords? And, it wasn’t just hacked passwords—most of them were due to people giving them out in phishing or social engineering attacks.

There are a number of reasons why passwords in general are not very secure. Here are some of them.

They Have to be Stored

As we mentioned earlier, a password is an alphanumeric string that is shared between two parties. The service provider has to keep a record of it against the user’s account (in a well-built system that record is a salted hash of the password rather than the password itself).

When the user logs in with a password, the service provider checks what was entered against that stored record.

If cybercriminals find a way to get into that database, they get every username and stored password record at once, and even hashed passwords can then be cracked offline at leisure.

They Can be “Cracked”

A password is a string of letters, numbers, and special characters. There are a finite number of combinations of these. That is why it can be possible to “guess” the password using brute force attacks.

A brute force attack is one where the hacker will try multiple passwords to see if any of them work. If the password is one of the most commonly used ones, they’ll be able to get into a user’s account in no time at all. 

They Can be Stolen

Even the most secure password is only as secure as the person who holds it. Unfortunately, bad actors use human psychology to trick people into giving away confidential information.

Phishing, keylogging, or social engineering are all methods used by these hackers to coerce or trick people into divulging their passwords and other login credentials.

They Can be Reused

Around 65% of people admit that they either use the same password or a variation of it for all their accounts. That is understandable, considering that an average person has around 100 accounts that use passwords.

The problem is, if hackers get access to that one password, they can use it to get into all of that user’s accounts.

As you can see, passwords aren’t all that secure because people tend to follow patterns and can follow unsafe practices because it’s easier for them.

So, is there a more secure way to manage access? Yes. Passwordless authentication.

What Is Passwordless Authentication?

As the name suggests, passwordless authentication is a form of Identity and Access Management (IAM) that does not use passwords. Instead, it uses other, stronger forms of authentication to log the user in.

And, since there is no shared secret, there is only one place from which the credential might be obtained. That makes these methods better at protecting the user’s identity.

What Are The Different Types of Passwordless Authentication?

Access management can use three methods of authentication:

  • What you know
  • What you have
  • What you are

Passwords are a form of “what you know” authentication, where they are a “shared secret”. As we discussed, they aren’t very secure.

Passwordless authentication is usually one of the other two types. 

What You Have: The Possession Factor

This form of authentication relies on something the user possesses—the possession factor. For example, a physical dedicated hardware security token, like a key (USB or NFC) that can be plugged in or tapped against a reader is a form of “what you have” authentication. 

Alternatively, PKI certificates can be installed on the device, where they authenticate the user and allow access without a password. FIDO2 web authentication (WebAuthn) brings the same public-key approach to logins over the web.

When the account is set up, the device automatically generates a private key and a public key. The public key, which is stored with the account, is more like the keyhole than the key; at login the device proves that it holds the matching private key, and that proof “unlocks” the account.

One-time passwords (OTPs), email magic links, and authenticator apps are also counted under this category. However, they aren’t truly passwordless.

These methods still generate a short-lived secret that the user has to type in or click through as an additional step. As a result, they can be compromised by a man-in-the-middle attack that relays that secret.

What You Are: The Inherence Factor

The inherence factor—what you are—uses something immutable and unique about the person as an authentication factor. 

For example, biometrics such as fingerprint, face, or retina scans are methods of authentication that are inherently unique to the user. Voice recognition can be another inherence factor.

They cannot be “guessed” or replicated easily. This makes them quite secure.

Is Passwordless Authentication Really Safe?

The thing about cybersecurity is that the threats are always evolving. While passwords were secure in the past, they can be breached now. 

Most forms of passwordless authentication are much more secure than passwords. The problem is, they can’t claim to be completely secure, especially if there is only one form of authentication.

However, two-factor authentication (2FA) or multi-factor authentication (MFA) can make passwordless IAM much more secure.

What is Two-Factor Authentication?

Instead of using a single form of identification, 2FA uses two factors. For example, one needs a card, and also a PIN (as the second factor) to withdraw money from a cash machine. 

It is not possible to complete the transaction with only one of the factors.

What is Multi-Factor Authentication?

Where 2FA uses two forms of identification, MFA uses three or more. For example, a password, a fingerprint scan, and a physical key.

Since each factor adds another layer of security, MFA is much more secure than just a password and even 2FA.

What Are The Benefits of Passwordless Authentication?

If your business is concerned about protecting your data and your customers, passwordless authentication, especially if it is multi-factor, can offer a few benefits.

Improved UX

Most businesses with an e-commerce website know that customers abandon shopping carts if they are forced to log in. Others have seen customers leave their websites because they couldn’t remember their passwords. 

In fact, the reason why most people create insecure passwords is that remembering complex ones is too much work. By removing passwords as a form of authentication in the customer’s journey, you can improve the user experience.

Better Security

Any shared secret, especially one that uses a combination of a finite set of letters, numbers, and special characters, can be guessed or broken into. 

What makes them even weaker is the fact that most people opt for convenience. They create passwords that are easy to remember, which often means they are easy to guess.

Passwordless authentication, on the other hand, is harder to break into. It is either random (e.g., a new “key” generated randomly each time the person logs in) or unique and difficult to guess or replicate (e.g., biometrics). 

Since most cyber-attacks are opportunistic rather than aimed at a specific person, an attacker is unlikely to go to the lengths of identifying that person, capturing their face and fingerprints, stealing their physical key, and then accessing their account.

In fact, it’s even more difficult with MFA because the cybercriminals would also need to know which factors they would need to authenticate. In the case of a password, they need just that one detail. With passwordless MFA, the guessing game no longer works.

More Trust in Your Business

When the account of an employee is hacked, it can result in the bad actors getting into the company’s network. That, in turn, gives them access to any other devices connected. Once inside, they can get into emails, confidential documents, internal chats, and much more.

If, on the other hand, the hackers steal customer information, the business also loses the trust factor. That can affect public perception of the business, making them look incompetent or careless. Potential customers might be deterred if they feel their information isn’t secure.

With passwordless authentication, your business’s internal network is far better protected against breaches that start with a stolen credential. And your customers’ information is better protected too.

Moreover, when customers notice that their accounts are better secured with passwordless authentication, they trust you more. That helps improve your reputation in the market.

Reduced Costs

To the average user, a password doesn’t “cost” anything. To the business, however, it can mean expenses in secure storage and databases. Plus, there is the additional cost of maintaining an IT team and infrastructure that maintains and resets forgotten passwords.

Whilst this is quite an expense, a data breach is even more expensive. That might require mitigating measures and additional expenses in securing the information so other customers aren’t compromised.

And, it might impact the business if potential customers decide they would rather give their money (and information) to a competitor who seems more secure.

With passwordless authentication, your business no longer needs to store or manage passwords, reducing your expenses. That also frees your IT team to invest more time in better IAM instead of managing passwords.

What Are the Limitations of Passwordless Authentication?

While passwordless authentication is definitely more secure, it is not without its limitations. These can be managed, but you need to be aware of them.

Susceptible to Physical Theft

Passwordless forms of authentication are not easily hacked, mainly because they are hardware-specific. However, if the hardware is stolen, the security is compromised. 

For example, a private key stored in the device or a security token is more secure than a password. But, if the device or the key is stolen, the account is no longer secure, unless the key itself demands a PIN or fingerprint before it will sign anything, which is why that setting is worth turning on.

Similarly, OTPs delivered by SMS can be compromised by a SIM-swapping attack.

Biometrics Can be Replicated

There was a time when your face, fingerprints, or voice were unique and could be used as a form of identification. Now, however, there are ways to replicate your voice or fool facial recognition software. Even your fingerprint isn’t safe.

As a result, even biometric identification is not 100% safe. However, both physical theft and replication are not as big a threat if you also have MFA implemented. 

Cybercriminals tend to look for easy marks that can be “hit” remotely, and in high numbers. If one target takes so much effort, it would have to be for a really big payoff.

May Not be Accepted by Users

Even the most secure method of authentication relies on the user to follow it. Passwords aren’t secure because people tend to use simple passwords that are easy to remember. 

Even if the password is secure, it can be stolen using social engineering or phishing attacks. These attacks are designed to take advantage of human nature, making people the weakest link in the security chain.

If the users feel passwordless authentication is not convenient, they may not be willing to adopt these measures. 

Also, many people are wary of new technology. They would rather have a system of authentication that they are familiar with (e.g. passwords) than trust an unfamiliar system or one that seems too “high-tech”.

Initial Cost of Implementation is High

In order to go passwordless, your business would need to invest in the right hardware, software, or technology. While it would save you money in the long run, the initial investment might be quite expensive.

How Do I Implement Passwordless Authentication?

If you decide that you want your business to adopt passwordless authentication, here is what you need to implement it.

First, you need to determine what authentication factors you would prefer to use. For example, if you’re an e-commerce company, sending physical security tokens to your customers might not be worth it. On the other hand, if your business handles sensitive customer data, that might be one of the factors you use.

Second, you would need to decide how many factors you want. Is a single factor enough, or do you want the added security of 2FA or MFA?

Then, once you know which factors you would like to implement, you would need to buy the hardware or software you’d need.

Finally, you’d need to roll out the new system to your customers or employees. 

If you are considering moving to passwordless authentication, and aren’t quite sure where to start, let us help you. Get in touch and we’ll walk you through the best options for your business.