Is biometric authentication safe enough without multi-device approval?
In the last decade, cybersecurity measures have evolved from single passwords to 2FA to MFA. Now, big companies like Google, Apple, and Microsoft promise to bring the world to fully passwordless authentication.
These giant players claim they’re well on the way to equipping users with passwordless sign-on using FIDO-compliant biometrics. Of course, users who don’t have to bear the burden of cybersecurity are eager to ditch the hassle of passwords. And tech support teams are likely just as pleased with the prospect of no more password recovery calls jamming up their help desk queue.
Sure, there are superficial benefits, but CISOs should now ponder whether passwordless authentication is as secure as it promises to be.
Let’s take a look at the top cyber trends for user login and authentication.
3 current cyber trends for user login and authentication
It makes sense that everyone wants to get rid of passwords. After all, 81% of recent hacks use stolen or weak passwords. But, are “passwords” the problem, or are login and authentication processes the problem? Also, why are companies still allowing users to set weak passwords?
To understand the promises and risks of a passwordless future, here’s an overview of the current cyber trends for user login and authentication and their pros and cons.
Passwordless login
This type of authentication is exactly what it sounds like — logging into user accounts without entering a username and password. There are many forms of passwordless login, from biometrics scanning to physical tokens, digital tokens, proximity badges, and authentication apps.
Biometrics
One of the common ways to implement passwordless login is with biometrics. In the past few years, most people have become used to using fingerprint scanners to access smartphones. There are also retina scanners, face recognition, voice recognition, and other types of biometric authentication.
SSO
Single sign-on (SSO) is an authentication management solution that allows users to login in once, creating an authorized session that grants access to multiple applications. Google, Apple, and Facebook have been using SSO features since 2019, and it’s becoming a more widespread solution offered by cybersecurity providers.
Hacking concerns for the big boys
In recent months, major tech companies have promised to roll out passwordless solutions that they expect to become standard in all kinds of technologies, taking over other cyber trends. Passwordless has already been in the works for enterprise cybersecurity teams over the last several years.
The security measure is intended to prevent phishing attacks, which pose a massive vulnerability for 2FA methods like SMS and one-time passcodes. Now, everyone hopes that passwordless features will tip from innovative to mainstream security.
There are some issues with the prospect of passwordless going mainstream, however. Surprised? You shouldn’t be. Hackers don’t just throw up their hands when new security solutions bar their attacks. Even (perhaps especially) the big boys like Microsoft and Google aren’t exempt from threat actors.
Microsoft has already been breached by the notorious Lapsus$ hacking group- stealing source code and leaking biometrics data. So has Okta, a leading SSO provider. And Windows Hello, a biometric authentication system for Windows 10, dealt with a vulnerability to biometric MFA bypass.
Large corporations often drive security advancements because of their vast resources. Clearly, these new advancements are not bulletproof. Not to mention, operating on a new zero-trust philosophy can become problematic when the largest, most centralized enterprise companies are the ones spearheading security for everyone else.
Do passwordless and SSO offer enough protection in today’s complex landscape?
Data breaches and hacks happen every day, compromising important information that was supposed to be secure. Despite the fact that Apple recently promised to implement more and better SSO features, attackers are not letting up.
Passwordless solutions like biometric authentication are surprisingly easy to trick. Fingerprint readers, for example, can be duped up to 80% of the time by using imprinted glue. And often, attackers find a way to bypass biometrics altogether.
There’s also the problem of social engineering. However secure passwordless login or SSO becomes, people can always present vulnerability. Italian spyware managed to breach Android devices by baiting users into clicking malicious links.
Takeaways for cybersecurity in your company
Unfortunately, the task of ensuring security is never “finished.” Like washing your hands or making your bed, there’s always a new day and a new mess to clean up. Breaches will happen, but staying on top of cyber trends, embracing passwordless solutions while understanding their limitations, and simple endurance are all critical for your company’s cybersecurity.
As always, a key component of any security plan is educating users. People are vulnerable, and attackers know that. Passwordless login, SSO, and biometrics are all making the user experience better, but they’re not securing your data in a vacuum. Stay alert.