Plaintext: On the Road to Passwordless
Welcome to Dark Reading in Plaintext, where each day we bring you insights around one topic important to cybersecurity professionals. We’ve been inching closer and closer to a passwordless world for years now – but developments over the past few months make us hopeful that this future is actually going to become reality.
Making Steady Progress
Apple demonstrated at WWDC 2022 how the Safari web browser in macOS Ventura would use “passkeys” to allow passwordless authentication. The idea is to allow the user to use various authentication features on the device they have – such as a phone or a computer – to log into web applications and services. So, instead of entering a username/password combination, the user would rely on Face ID, Touch ID or the device PIN, to log in.
Passkeys are based on the Web Authentication (WebAuthn) API, a standard using public-key cryptography instead of passwords for authenticating users to websites. The application or website would push an authentication request to the device as part of the login process.
The passkeys would be backed up within the iCloud Keychain, which then syncs across Mac, iPhone, iPad, and Apple TV, with end-to-end encryption in place. They are less susceptible to being stolen because they are stored on the user’s individual device and not on a centralized repository or the web server hosting the application.
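A simplified model of the public-key challenge-response that WebAuthn builds on, added here as an illustration and not taken from Apple or from the WebAuthn specification. It omits the real wire format, and the function names and the `shop.example` origins are constructed for this sketch.

```javascript
const crypto = require("node:crypto");

// Registration: the device creates a key pair; only the public key leaves it.
function registerPasskey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { devicePrivateKey: privateKey, serverRecord: publicKey.export({ type: "spki", format: "pem" }) };
}

// Server: a fresh random challenge for every login attempt.
function newChallenge() {
  return crypto.randomBytes(32).toString("hex");
}

// Device: after the local Face ID / Touch ID / PIN check, sign the challenge
// together with the origin that asked for it.
function deviceSign(devicePrivateKey, challenge, origin) {
  const clientData = JSON.stringify({ challenge, origin });
  const signature = crypto.sign("sha256", Buffer.from(clientData), devicePrivateKey);
  return { clientData, signature };
}

// Server: accept only a valid signature over this challenge and this origin.
function serverVerify(serverRecord, expectedChallenge, expectedOrigin, assertion) {
  let data;
  try { data = JSON.parse(assertion.clientData); } catch { return false; }
  if (data.challenge !== expectedChallenge || data.origin !== expectedOrigin) return false;
  return crypto.verify("sha256", Buffer.from(assertion.clientData), serverRecord, assertion.signature);
}

// Constructed walk-through: one genuine login and three cases the server rejects.
function demo() {
  const origin = "https://shop.example"; // constructed origin
  const { devicePrivateKey, serverRecord } = registerPasskey();
  const { devicePrivateKey: unrelatedKey } = registerPasskey(); // a party without the device key
  const first = newChallenge();
  const login = deviceSign(devicePrivateKey, first, origin);
  return {
    genuine: serverVerify(serverRecord, first, origin, login),
    replayed: serverVerify(serverRecord, newChallenge(), origin, login),
    wrongOrigin: serverVerify(serverRecord, first, origin,
      deviceSign(devicePrivateKey, first, "https://other.example")),
    serverRecordOnly: serverVerify(serverRecord, first, origin,
      deviceSign(unrelatedKey, first, origin)),
  };
}

console.log(demo());
```

The server record holds only a public key, so a copy of it is not enough to produce a login, and a captured response is useless against the next challenge.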
LastPass Moves Forward With FIDO. Password manager LastPass will be rolling out a new “passwordless” method to access its vault. That is a weird sentence to type, but it appears that LastPass is going to allow users to secure the password vault with something other than the master password. In the past, users would put all their passwords in the vault, and then protect the vault with a different – and hopefully an extremely complex – password. Now, the ability to authenticate using the mobile app means users can use the device’s biometric authentication capabilities, such as Face ID and fingerprint sensors.
LastPass will still rely on the master password for the vault, to perform tasks such as registering accounts, adding new trusted devices, and making other changes to the account.
Passwordless Pledge. On May 5 – World Password Day – Apple, Google, and Microsoft promised to make it easier for users to use passwordless authentication in Android and iOS, in the Chrome, Edge and Safari browsers, and on desktops with Windows and macOS. The three tech giants pledged to make it possible for users to enroll a device just once and be able to use it across different operating systems. Imagine a process similar to Apple's iCloud Keychain, which shares credentials between iOS devices, but for more platforms.
“…the type of forward-leaning thinking that will ultimately keep the American people safer online.”
(Jen Easterly, CISA director)
By the Numbers. Cybercriminals love passwords. Easily guessable credentials account for more than 80% of all data breaches, Verizon said in its Data Breach Investigations Report.
Headlines on Tap
On Thursday, Dark Reading will be joined by Omdia’s @Fernando Montenegro on LinkedIn Live to recap the most important things from RSA Conference. Keep an eye on the Dark Reading page to find out when and how to watch!
On That Note?
GreyNoiseIO founder and CEO Andrew Morris posted on Twitter that there is a zebra petting zoo on the RSA Conference show floor. Yet, I have seen no photographs of this zebra. How is that possible?
Founder & CEO, Group 8 Security Solutions Inc. DBA Machine Learning Intelligence
5 months ago
I appreciate your post!
CSSLP | Solution Generator
2 years ago
Seriously, stop pandering to the marketing BS. Replacing passwords with some other form of password is still a password... who cares what the twits call it.