World Password Day or Passwordless Day?

Passkeys for Google accounts are supported on Chrome OS, Windows, macOS, Android, and iOS platforms and Chrome, Safari, and Edge browsers.

May 5, 2023

  • This week, Google rolled out passkeys supported on Chrome OS, Windows, macOS, Android, and iOS.
  • Google’s update comes a year after the online search major jointly announced its commitment to adopting passwordless authentication alongside Apple and Microsoft.

Ahead of World Password Day 2023, Google solidified its push toward passwordless authentication. This week, the company began rolling out support for passkeys for Google accounts across all its platforms — Chrome, ChromeOS, and Android.

Ian Leysen, CEO, CSO, and co-founder of Datadobi, told Spiceworks, “World Password Day is also a reminder that as the frequency of data breaches and cyber-attacks continue to rise, we cannot rely on passwords alone.”

Google’s update comes a year after the online search major jointly announced its commitment to adopting passwordless authentication alongside Apple and Microsoft.

Why Is Passwordless Authentication Necessary?

Google, Microsoft, and Apple said they would adopt the public key cryptography-based common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium (W3C) for all mobile, desktop, and browser platforms.

Well, it looks like Google intends to keep its promise. And for a good reason: Security Magazine says there are 2,220 password-related cyberattacks daily. This translates into more than 800,000 attacks each year, making them one of the most common initial access points for hackers.

Consequently, 55% of respondents in Keeper Security’s 2022 U.S. Password Practices Report have been the victim of a cyberattack at least once. The report also states that users forget their passwords 51 times per year on average. “It can seem obvious to some, but many businesses are still dealing with the most basic of breaches because they aren’t using (security) best practices,” Dan Conrad, AD Security & Management Team Lead, One Identity, told Spiceworks.

Passwords were the first and, before multi-factor authentication (MFA) came to the fore, the only authentication mechanism for accessing enterprise applications or social media platforms.

“Organizations must be accountable for having — or not having — password and identity security practices that secure their critical assets. If critical assets aren’t explicitly protected by MFA (and admin privileges aren’t protected in the same way), or if someone can get data by typing in ‘Password1,’ that’s a serious oversight and an unacceptable risk to the business.”

It should be noted that some MFA measures, such as one-time passwords (OTPs) delivered by SMS, can be overcome by SIM swapping attacks, raising concerns about their reliability.

“Usernames and passwords have always been at the core of digital authentication, and I don’t see that ending anytime soon. MFA also adds an additional layer of security to better protect systems and end-users from compromise, but strong passwords are still essential for security,” Thomas Richards, principal consultant at the Synopsys Software Integrity Group, told Spiceworks.

Even so, Conrad hopes to see passwords wholly phased out, given the inherent risk they pose to account and system security. “In the future, I’d love to see World Password Day become World Secure Authentication Day, World MFA Day, or even World Passwordless Day as our strategies for identity security evolve. If we can all get on board with basic best practices and rigorous education, we might just get there,” Conrad added.


Google Introduces Passkeys

Enter passkeys, the FIDO sign-in credentials: a cryptographic key pair created for each site and linked to the device that enrolled it. The private key is stored locally on the user’s device and can be used only after the user unlocks it with the device’s biometric or screen lock. “Passkeys let users sign in to apps and sites the same way they unlock their devices: with a fingerprint, a face scan, or a screen lock PIN,” Google noted.

“And, unlike passwords, passkeys are resistant to online attacks like phishing, making them more secure than things like SMS one-time codes.” The idea is that the user can only access their account if they have access to their linked device.

However, users also have the option to temporarily use a passkey from another device in case they no longer have access to their linked device. They can also create a separate passkey for different devices, i.e., smartphone, tablet, computer, etc., for a single Google account.

Passkeys are supported on Chrome OS, Windows, macOS, Android, and iOS, while support for Linux is yet to be confirmed. Supported browsers include Google Chrome, Safari, and Microsoft Edge.

The Financial Cost of Password-Based Authentication

While individuals may suffer the consequences of poor password hygiene, the impact is significantly lower than for organizations, which have a treasure trove of sensitive information and critical customer data to protect.

The average organization spends over $5 million per year setting and resetting passwords, according to Yubico’s 2019 State of Password and Authentication Security Behaviors Report. Forrester Research found in its 2018 report, Best Practices: Selecting, Deploying, And Managing Enterprise Password Managers, that each password reset costs $70.

London-based cybersecurity company, MyCena Security Solutions, assessed that this is because employees are the ones who set company account passwords. “Password resets bring significant costs to businesses which can be totally avoided. They are a mere symptom of having employees control the keys to the house,” Julia O’Toole, CEO of MyCena Security Solutions, told Spiceworks.

“When employees know the passwords, businesses are vulnerable to employees getting their passwords phished, which is the leading cause of breaches. Removing passwords from users’ knowledge eradicates the cost of password resets while significantly strengthening security,” O’Toole continued.

MyCena assessed that organizations could collectively save over $1.5 trillion annually by cutting password reset costs. It also minimizes other data breach-related penalties, such as GDPR fines (up to 4% of annual turnover).

It is essential to define the data that must be protected. Leysen highlighted the importance of employing data governance policies that designate what constitutes critical data. “Businesses need a technology solution that enables them to locate and organize all critical data and then take appropriate action to secure it,” Leysen said.

“This may involve creating an immutable copy, moving it to a more secure environment, creating a ‘golden copy,’ and/or transferring the data to a storage solution that can be air-gapped for even greater protection from online threats. This tailored approach is much smarter than relying on broad security measures that may not be effective in all situations.”


How To Ensure Cyber Hygiene While Passwordless Catches On?

A tailored approach is precisely that, i.e., suitable to specific use cases. And while it may help organizations keep threat actors at bay, it doesn’t help individuals. As such, a blanket approach for online safety, such as passwordless, could be essential.

Conrad explained to Spiceworks some strategies to ensure robust online security while passwordless becomes mainstream. Here they are:

  • Get MFA and implement it through an authenticator app instead of OTPs.
  • Avoid basic keyboard patterns or adding just one character to your password.
  • Conrad reiterates O’Toole here. Users do not necessarily need periodic password rotation; it has little to no impact on security. Instead, use randomized phrases and characters (that people can manage and remember) in combination with MFA for a better bet.
  • Protect usernames as diligently as passwords to prevent password spray attacks.

Have you set up passkeys for your Google account? Share your thoughts with us on LinkedIn, Twitter, or Facebook. We’d love to hear from you!



Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis
