Passwordless authentication: the top 5 myths....and how FinTechs can embrace phishing-resistant MFA

Attackers and threat actors want access to your sensitive data – nothing new there.

However, in the last 18 months, there has been an unprecedented rise in successful data breaches where the root cause has been either poor password security or a combination of insufficient passwords and weak multi-factor authentication (2FA/MFA) controls.

(If you are unfamiliar with the MFA and 2FA multi-factor authentication terms, this page will provide the information you need.)

Obtaining credentials from unknowing users is a key strategy for many attackers and hackers. And phishing has proven to be one of their favourite tactics. Why? Because it works.

Phishing attacks in the UK rose sharply during the pandemic with the UK’s HMRC department seeing a 73% growth in phishing emails. With more people working from home, the opportunity for attackers to steal user authentication credentials in order to gain unauthorised secure access to enterprise accounts was significant.

Importantly, it also appears that many attackers are unconcerned if their victim was using 2FA or MFA. How can this be?

Why multi-factor authentication methods aren't as secure as many believe

For many years, industry experts have promoted the use of MFA to increase security and deter the bad guys from gaining unauthorised access. The claim is that using a combination of something you know and something you have makes life very difficult for an attacker wanting to overcome your authentication security.

It all makes perfect sense… or does it?

The cyber security industry is huge. The largest banks spend roughly 10% of their multi-billion annual IT budgets on cybersecurity tools. That’s a lot of spend trying to mitigate and eliminate risks.

Unfortunately within the industry, there is a lot of hype.

Many cybersecurity solution providers overcook what their products offer. More interestingly and tellingly, many blow most of their budgets on marketing and advertising. While this gives the impression that the various MFA solutions deliver some kind of magic bullet for authentication, it's of little comfort to those businesses that spend the money only to still fall victim to an attack.?

How hackers breach MFA protections

So how does an attacker circumvent today's multi-factor authentication solutions? The simple answer is that they target the solution's weakest link: the user.

Some of the most recent documented attacks deployed to thwart basic 2FA/MFA solutions involve MFA bombing. This is a technique where a victim is bombarded with push notification requests in the hope that they will just press 'approve' on their authenticator app. This attack has been particularly successful with the Uber breach back in August 2022.

Another approach is our old friend phishing.

Many authentication solutions use one-time passwords (OTPs) that are sent via SMS messages or displayed on mobile apps or tokens. These are based on a pre-shared secret much like a password and, like a password, can be phished, hijacked and obtained by the attacker.

This becomes a massive problem if you are using single sign-on (SSO) solutions such as Okta because a bypassed MFA control will expose all of your applications.

Getting to the root of the problem

With more organisations increasing their spending on 2FA and MFA, the big question is: Are they really as secure as they think they are?

Well, the evidence is becoming increasingly abundant. Recent data breaches have involved well-known brands that relied on 2FA and MFA solutions and were still breached.

In fact, we now see many situations where organisations are paying large fees for 'improved security' but are still vulnerable to a data breach. It's the worst of both worlds.

So how do we fix this?

Well, to fix this problem you need to address the root cause, not simply add more complication to existing tools that are vulnerable from the start. The root cause is the password and pre-shared secret.

Remove these and in nearly all cases, the risk goes away.

Simple. Or is it?

What is passwordless phishing-resistant MFA?

Passwordless phishing-resistant MFA is a next-generation passwordless authentication solution that decentralises security. In doing so it eliminates the risk of credentials being obtained and used by unauthorised users to gain access to data.

The concept is no different to existing MFA solutions apart from one very important differentiator: it removes the human from the process.

It turns out that 'the something you know' or a human-readable element is the weakest authentication factor in the process. Get rid of this and you instantly increase your security posture. Essentially there is no one to phish, no one to steal credentials from, in fact, nothing to steal in the first place.

Passwordless authentication — what are your options?

There are solutions available today that can remove humans from the authentication process. The main two are both based on asymmetric cryptographic keys to authenticate a user's identity but their deployment, process and procedures are different.

The two you will hear about are public key infrastructure-based (PKI) and fast identity on-line (FIDO).

Both have their strengths and their weaknesses. Importantly, their weaknesses are not based on intrinsic limiting factors but rather on how each works and which deployment scenario it was designed for.

Using PKI as a passwordless authentication method

PKI (public key infrastructure) has been around for many years. In fact, it has underpinned the entire financial services sector for well over three decades. It's now used everywhere from opening a security door to sending an online payment to using Apple Pay to buy a coffee.

Put simply, it's tried and tested.

PKI passwordless authentication solutions use cryptographic key pairs (a combination of a public and a user's private key) to authenticate users. It is built on the concept that there is a single point of trust in a hierarchy (the root). If you and others belong in that hierarchy and trust the root then you will trust each other.

PKI is not a technology but part of a collection of elements including people and process. Within PKI, you are putting trust into the technology, the people and the process in which the solution is being used.

FIDO — the new kid on the block of passwordless authentication

FIDO is a relatively new method being standardised by the FIDO alliance.

FIDO was built to allow a user to securely access a system without using a password even when they may not be 100% known by the entity, such as an ecommerce site. Within FIDO, you are putting your trust into the FIDO-approved authenticator rather than a central trust point, this could be something like a Yubikey token or a mobile app.

Which passwordless authentication method is better?

Both PKI and FIDO provide the phishing-resistant capabilities that we know are essential to secure your data… but which is the best and why should you care?

Well, fundamentally, that is down to how you want to deploy the solution and to who.

Going passwordless in the enterprise

PKI would be the choice of enterprises to deploy to their internal corporate users. The reason is due to a number of factors.

Firstly, in an enterprise, there will be a process where employees are vetted, interviewed and reviewed by HR. You have a good idea of who the internal employee is and that fits nicely into the whole process aspect of PKI.

A known person who has a clear background and follows rules and procedures, can be trusted to have a credential that is trusted by others within your organisation. One that's owned and managed by the organisation in a way that suits their business and their regulatory obligations.

In addition, because PKI has been around for so long, many legacy and modern IT systems support it natively. This means less time integrating or re-writing applications. And this results in faster rollouts to eliminate risk.

Going passwordless with customers

FIDO's strength is with external customer onboarding. Why? Because of the trust model.

Trust is established through the use of the FIDO-accredited solution. You don’t need to know if the person turned up to work late on three occasions or if they will promise to follow the policies or procedures because in this scenario the person is irrelevant. Trust is within the processes that govern the FIDO authenticator – it's called fast identity on-line for a reason.

FIDO can also be deployed within an enterprise to internal users. However, it may require changes to systems and applications for it to work. That could lead to longer and more complex implementations. It also has some limitations in regard to network security.

What about Passkey and other biometric authentication?

More recently, we've begun to see the likes of Apple and Google making a move to end user dependence on password-based authentication.

The new 'Passkey' solutions from Apple and Google, for example, will make FIDO keys available to anyone who has an Apple or Android device. This will take advantage of the biometric data already embedded into many users' mobile devices and increasingly on laptops too. It promises to open up a whole new world for the consumer market.

5 myths of going passwordless for FinTechs with phishing-resistant MFA

Although going passwordless isn’t without its challenges, there are a number of misconceptions that deter organisations from doing the right thing and ditching passwords altogether.

Let's take a look at these myths in more detail:

1. It's cheaper to increase the complexity of your passwords

One of the biggest myths about computer access is that passwords are free and by making them longer, password authentication becomes more secure.

Firstly, passwords are very expensive to manage. The average cost of a password reset is $70 according to Forrester.

Secondly, while increasing a password's size and complexity does make a password mathematically more difficult to crack, we're forgetting the human element. Users reuse passwords. A complex password can still be written down. It can still be socially engineered. And it can still be phished.

2.?Basic 2FA/MFA is better than doing nothing at all

What might have been seen as a good solution a few years ago doesn’t make it a good solution today.

Continual risk management is essential for any FinTech business if it's to prevent data breaches that result in financial loss and reputational damage. If there is a control or solution available that can eliminate risk then that should be the target. Using and paying for a solution that only covers half of the risk still leaves you half-exposed. And today, that's simply not good enough.

3.?Going passwordless can be costly and time-consuming

We hear businesses worry about the complexity of how to implement passwordless authentication methods. However, many of today’s single sign-on (SSO) services can be supported by passwordless solutions. Often, this requires just a single configuration and takes minutes to implement.

One of the benefits of using a PKI-based passwordless solution is that nearly all web applications support certificates. This means rewriting applications may not be required. It's possible with good planning that you could have most of your estate passwordless within hours or days.

4.?Going passwordless will create more friction in the enterprise

In reality, it's actually the opposite.

With a passwordless solution, the login process is much simpler. There are no passwords to input and no codes to read and enter. Going passwordless also removes the need to use and remember a password. This means you can say goodbye to helpdesk processes that keep users waiting for hours to gain access to systems and data.

5.?Going passwordless will inconvenience everyone

Unfortunately, people are naturally resistant to change. However, with the right deployment plan, education and training, going passwordless will create a more convenient login process for everyone.

Before you start your rollout project, consider the following:

• Obtain senior management support. Without it, it could be difficult to get everyone onside – this is the same for any technology change.
• Describe the benefits to staff. Show them what life will be like without ever needing a password. Describe how their password frustrations could be a thing of the past if they adopt passwordless working.
• Identify passwordless champions within the business that can help other colleagues with passwordless adoption. This will speed up the rollout and keep everyone involved.

Why Idenprotect is the best passwordless authentication solution for FinTechs in protecting their corporate users?

• Idenprotect is tried and tested by global banking giants.
• Idenprotect is fast and easy to implement.
• Idenprotect prevents costly data breaches, reducing financial and reputational loss.
• Idenprotect can improve the security of common identity solutions such as Okta.
• Idenprotect is simple to use, saving time and reducing both complexity and frustrations.