Intelligent CISO Issue 34 | Page 38

The death of the password has been imminent for the better part of the last decade.
Passwords are ancient technology that crumbles when confronted by bad actors such as criminals and nation-state actors.
FEATURE
“Passwordless flows that use cards, tokens or authenticators alone still trump the password from a strict security sense. Passwords can be phished, but not tokens or push authentication with public/private key pairs, which use asymmetric key cryptography.”
Mrochek continued: “A service creates a ‘one time challenge’ at logon, which is signed by the user’s private key and verified by the service with the user’s public key, and a log-on token is returned. This is the essence of FIDO U2F tokens, FIDO2 pinless and some mobile push authenticators. The problem is that, if used alone, it can be stolen by a malicious actor and can be an easier attack than even a password, but an attack that requires physical theft.
“Passwordless MFA is much stronger because it adds one more authentication layer. Even MFA used today alongside a regular old password has been shown to prevent many types of attacks. There is a middle step in the path to passwordless; many consider a Smart Card + PIN, Windows Hello + PIN or FIDO2 token + PIN as passwordless. But the PIN is in fact a short, numeric password, so it becomes MFA with another ‘something you know’ secret. This middle step is light years ahead of previous password-based MFA, since this form of passwordless MFA uses the strong cryptography mentioned above; the PIN is stored in a HW secure element and it has a lockout count.”
Mrochek says that passwordless MFA requires biometric authentication along with an asymmetric key pair . This is possible with FIDO2 , Windows Hello , Smart Cards or push authentication paired with a biometric second factor .
“As you journey towards passwordless authentication, whether with MFA or not, you will be increasing your security stance, improving your user experience and finally saying goodbye to the 1960s as you create a truly 21st century cybersecurity world,” said Mrochek.
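The challenge-response exchange Mrochek describes, together with the PIN lockout that turns a pinless token into PIN-gated MFA, as an added example written for this page (not code from the article, from Mrochek, or from any FIDO implementation). It uses Go's standard-library Ed25519 signatures in place of a real authenticator; the user names, the "1234" PIN, the three-try lockout limit and the in-memory challenge store are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Authenticator stands in for the user's token: the private key never leaves it. A
// non-empty PIN gates signing (assumed 3-try lockout); an empty PIN models a pinless token.
type Authenticator struct {
	priv     ed25519.PrivateKey
	pin      string
	failures int // wrong-PIN counter, what a secure element's lockout count tracks
}

// NewAuthenticator generates a fresh Ed25519 key pair inside the token.
func NewAuthenticator(pin string) (*Authenticator, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, pin: pin}, nil
}

// PublicKey is what enrollment registers with the service; it is not secret.
func (a *Authenticator) PublicKey() ed25519.PublicKey { return a.priv.Public().(ed25519.PublicKey) }

// Sign answers a challenge. The PIN is checked on the token and never sent to
// the service; each wrong PIN counts toward the lockout, which is permanent here.
func (a *Authenticator) Sign(challenge []byte, pin string) ([]byte, error) {
	if a.pin != "" {
		if a.failures >= 3 {
			return nil, errors.New("authenticator locked")
		}
		if pin != a.pin {
			a.failures++
			return nil, errors.New("wrong PIN")
		}
		a.failures = 0
	}
	return ed25519.Sign(a.priv, challenge), nil
}

// Service is the relying party: registered public keys plus the one challenge
// outstanding per user (in memory here; a real service would also bind it to the session).
type Service struct {
	users      map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewService() *Service { return &Service{map[string]ed25519.PublicKey{}, map[string][]byte{}} }

func (s *Service) Register(user string, pub ed25519.PublicKey) { s.users[user] = pub }

// Challenge issues a fresh 32-byte one-time nonce for the user to sign.
func (s *Service) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}

// Verify checks the signature over the outstanding challenge with the stored public key,
// spends the challenge whether or not it verifies (so a captured signature cannot be
// replayed), and on success returns a random logon token.
func (s *Service) Verify(user string, sig []byte) (string, error) {
	pub, c := s.users[user], s.challenges[user]
	delete(s.challenges, user)
	if pub == nil || c == nil {
		return "", errors.New("unknown user or no outstanding challenge")
	}
	if !ed25519.Verify(pub, c, sig) {
		return "", errors.New("signature does not verify")
	}
	tok := make([]byte, 16)
	if _, err := rand.Read(tok); err != nil {
		return "", err
	}
	return fmt.Sprintf("%x", tok), nil
}

// Logon runs the whole exchange: service challenges, token signs, service verifies.
func Logon(s *Service, user string, auth *Authenticator, pin string) (string, error) {
	c, err := s.Challenge(user)
	if err != nil {
		return "", err
	}
	sig, err := auth.Sign(c, pin)
	if err != nil {
		return "", err
	}
	return s.Verify(user, sig)
}
```

Three things fall out of running it. A signature captured from one logon is bound to a nonce the service has already spent, so it verifies once and never again, which is why a phishing page gains nothing from it where it would gain a reusable password. Anyone holding the pinless `Authenticator` value can log on as its owner, which is the physical-theft case Mrochek raises. And the PIN never leaves the token: the service only ever sees a signature, and the failure counter is what lets a four-digit secret survive at all, since an attacker who steals the token gets three guesses, not ten thousand.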
Brigadier General (Ret) Gregory Touhill, President of Appgate Federal, commented: “According to many cybersecurity veterans, the death of the password has been imminent for the better part of the last decade. However, as we dip our toes into a new decade, it seems like the hype might finally be matching up with the reality of modern technologies.
“Passwords were state-of-the-art in 1979 when I enlisted in the Air Force, and they remain state-of-the-art for many organisations – over 40 years later! Passwords are ancient technology that crumbles when confronted by bad actors such as criminals and nation-state actors. So why have passwords remained the primary authentication method for so many for all these years?”
Touhill believes the most obvious reason is the fact that they’re simple. Or at least they were until consumers were forced to manage dozens of
38 www.intelligentciso.com