MFA and passwordless authentication

For at least a couple of decades, it has been well understood in the cybersecurity community that passwords are a deeply flawed means of authentication.

People often chose easily guessable passwords such as "password" or "12345", so authentication systems added password policies: a minimum of 12 characters, required special characters, and so on. Composition rules of that kind have their own problem, because users respond with predictable patterns like "Password1!", which is why current guidance (NIST SP 800-63B, for example) favors length and screening new passwords against lists of known-breached passwords over complexity rules.

When passwords must be stored, they should be stored as salted hashes produced by a deliberately slow, memory-hard algorithm (bcrypt, scrypt, Argon2, or at least PBKDF2) so that a breach does not hand the attacker the passwords in cleartext. General-purpose hashes such as MD5 and SHA-1 are the wrong tool: they were designed to be fast, and improvements in processor and GPU technology let an attacker test billions of candidate passwords per second against an unsalted MD5 table. MD5 has also been considered cryptographically broken and obsolete since 2008, yet it is still frequently found in production today.

Consumers need password managers on their phone and PC endpoints so they can manage the hundreds of online accounts they have. At the very least, a password manager will generate a unique, complex password for each account, which also limits the damage when one site is breached and the leaked credentials are tried elsewhere (credential stuffing).

So to augment passwords, we use other methods of authentication alongside them. A factor is something you know (a password or PIN), something you have (a phone, a hardware token) or something you are (a biometric). 2FA means two-factor authentication, while MFA means multifactor authentication: two or more factors from different categories, of which 2FA is the common special case. A password plus a security question is not MFA, because both are things you know.

Most of the time, the methods used in addition to passwords are biometrics and OTP (one-time passcodes). Both iPhones and Android phones have had built-in fingerprint scanning for years, and more recent models add face and iris scanning, which makes biometric authentication practical on the user's end. One point worth keeping in mind: on these devices the biometric is matched locally and is used to unlock a credential stored on the device; the fingerprint or face template itself is not sent to the service being logged into. Prior to 2010 or so, I only ever saw biometric scanning built into endpoints such as IBM/Lenovo ThinkPads.

OTPs are those six- or seven-digit numbers that are often sent to users by email or text message. They expire after 30 seconds, 5 minutes, or a similarly short period, and a code should be accepted only once. They are requested as an additional step in situations such as a user logging in from a new device or IP address, after a long period of inactivity, or after a couple of failed password attempts; this is often called risk-based or step-up authentication. OTP can also be made mandatory for every login.

Although email and SMS are often more convenient for users because nothing new has to be set up, they are far from ideal for delivering OTPs. SMS can be intercepted through SIM-swapping and weaknesses in the SS7 telephone signalling network, and an email OTP is only as secure as the mailbox it lands in, so dedicated authenticator apps or physical devices are the more secure options.

It's fairly simple for consumers to install Google Authenticator, Microsoft Authenticator, or similar apps from other major providers on their iPhones and Android phones. I have Google Authenticator on my phone, and I have added many of my accounts to it simply by scanning a QR code. That QR code carries a shared secret that both the app and the service keep; each side then derives the same code from the current time (the TOTP scheme), so no code ever has to be transmitted. When I want my OTP for a particular account, I just scroll down to it on the main screen to see my six-digit number. The app also clearly shows how much time is left before a new one is generated. Because the code depends on the clock, a phone whose time is badly off will produce codes the service rejects.

For the enterprise, it may be pragmatic to implement OTP through small hardware devices such as the YubiKey, which can hold OATH TOTP/HOTP secrets as well as Yubico's own OTP scheme. Keep in mind that any OTP, however it is generated, can still be phished: a user can be tricked into typing a valid code into a look-alike site that relays it to the real one in real time. The YubiKey's stronger mode is FIDO2/WebAuthn, where the key signs a challenge bound to the site's origin, so a credential registered for the real site is of no use on an impostor domain.

Passwordless authentication is also a trend in the cybersecurity industry. But just because it’s a trend, it doesn’t mean it’s a fad. As I mentioned, it’s now well understood that passwords are a deeply flawed method of authentication.

Passwordless authentication systems replace the shared secret with a possession factor, typically a private key bound to the user's device or security key (as in FIDO2/WebAuthn and Windows Hello) or a one-time code delivered to an enrolled device, unlocked by an inherence factor such as a biometric or by a local PIN. User behavior analysis is often layered on top: a user's voice or physical gestures, how they touch a touchscreen, the cadence of their keystrokes, and so on. Behavioral signals should be treated as risk signals that can trigger a step-up challenge, never as a factor on their own, so a passwordless system must always combine them with OTP or biometrics and must always use multiple factors. Also keep in mind that 2FA/MFA and passwordless are not the same thing: a typical MFA deployment keeps the password as one of its factors, while a passwordless system should still use multiple factors, just not a password.

It's impossible to switch the authentication systems in your networks and applications from passwords to passwordless overnight. It's a process that often takes months, as technological components and policies are gradually substituted for others, and the password-based fallback paths have to be retired deliberately rather than left in place, since an attacker will simply use whichever login path is weakest.

Microsoft and Yubico (YubiKey) both have guides on how to effectively make the transition to passwordless authentication.

Bill Berry

Identity Architect @ Texas Department of Public Safety | Infrastructure Architecture

3 months

Great advice! Shareable credentials can be stolen, especially if they are in-band. The best choice seems to be an out-of-band, device-bound credential which is biometrically protected. This eliminates identity proxies.

Mike Baker

Sentry Enterprises - Providing ABSOLUTE cyber Identity

3 months

One thing to add: the credential needs to be un-shareable and decentralized.
