The future of identity and cybersecurity [Q&A]

Back in May, when World Password Day was once again in the news, we asked whether the days of the password were numbered.

Rishi Bhargava, co-founder of Descope, agrees that passwords belong to the past. We spoke to him to discover more and find out how new technologies like passkeys are driving the change.

BN: Why are passwords still the default for authentication and what is preventing widespread adoption of other methods?

RB: It's mostly muscle memory, as long-standing habits are hard to break. Apps implement username-password combinations because they seem easy at first but quickly become multi-year investments. Passwords also offer a veneer of security since they are theoretically something “only the user knows,” but with billions of leaked passwords available on the dark web, this is not true in practice.

While multiple passwordless authentication methods exist, implementing them can be tricky compared to adding a username-password combination to your site or app. Developers need the tools, resources, and enablement to add passwordless authentication methods to their apps easily.

Technology shifts like this tend to be gradual and then sudden. With continued cross-industry backing, proper end-user education, and developer enablement, passkeys and other passwordless methods will supplant passwords in the years to come.

BN: What is the current state of authentication and what are your predictions for the future?

RB: Identity holds the keys to the kingdom for cybercriminals -- a trend that continues from 2022, as demonstrated by the Verizon Data Breach Investigations Report (DBIR), which attributes 80 percent of basic web application attacks to the use of stolen credentials like passwords. Unfortunately, this is likely to remain our reality, so in order to be successful, businesses must realize that their digital applications are only as good as the identity barriers around them. With billions of leaked passwords available on the dark web and multi-factor authentication (MFA) bypass techniques gaining ground, application and security teams should have a 'healthy paranoia' around user authentication and access control.

As economic uncertainty persists, organizations of all sizes will look to refocus their development efforts toward core initiatives that will move the needle for their business. While authentication and user management are critical for any application, implementing and maintaining them in-house distracts developers from focusing on the things they were hired to do. It's also likely that they make security mistakes while building authentication in-house, which can lead to serious ramifications down the road.

In turn, outsourcing authentication and user management to a specialized service is a solution that many may take advantage of to improve user adoption and conversion, accelerate time to market, reduce login fraud, and save developer time.

BN: How are attackers infiltrating company information, such as passwords and PINs, and how can we learn from this?

RB: Security incidents usually involve a variety of techniques, from credential stuffing attacks to supply chain compromise, but the majority of this year's breaches started with attackers compromising a stakeholder's identity and fraudulently accessing their account.

According to Akamai, 193 billion login attempts in 2021 were attributed to credential stuffing attacks. Most recent examples include attacks on PillPack, PayPal, DraftKings, and Norton LifeLock, where threat actors obtain usernames and passwords (from the dark web or another breach) and then try those same credentials on other websites.

All of these attacks were not caused by a company's security lapse, but due to something much more fundamental -- the existence of passwords as an authentication method.

Passwords are easy for computers to guess but hard for users to remember. If users are asked to create strong passwords for every account (a good practice), chances are they will cycle between two or three passwords across all their accounts, meaning that once a password is leaked, all the accounts that use the same password are at risk. One of the most devastating examples of this was last year's Colonial Pipeline attack.

These breaches serve as an opportunity for application developers to reflect on authentication processes and consider moving to passwordless authentication methods, some of which are unphishable (passkeys). Even other methods, such as social login and magic links, while not 100 percent secure, are far more secure than passwords.

BN: Why does Google's announcement to roll out passkeys signal the end for passwords?

RB: Passkeys have set the stage for a passwordless future, but there is work left to do. Google's announcement is great news, and their continued backing of passkeys (alongside Apple, Microsoft et al) will do wonders for adoption. But this future will truly be attainable once any app -- not just Google, Apple, and other heavyweights -- can add passkeys to their authentication so that it truly becomes a new 'standard'.

I think that education on two fronts will be required for the continued adoption of passkeys. First, end users need to be educated about passkeys and their benefits to wean them off passwords. Second, application developers need to be educated and enabled to easily add passkeys to their apps or websites.

BN: How do passkeys compare against passwords?

RB: Passkeys use asymmetric cryptography and public-private key pairs to function and serve as a new way for users to sign in to apps without needing a password. In practice, using passkeys is exactly like unlocking your device -- with a fingerprint, face scan, or PIN.

One of the main benefits to passkeys is that they are unphishable. When you create a passkey for an account, a private key is stored in your device, and the public key is stored on the account server. Apps do not store a user's private key on their servers, so there is nothing for attackers to steal. In addition, passkeys are not something a user can write down in a notebook or accidentally share with cyber criminals. Because the private key on your device is only meant to work with the public key on the account where the passkey was created, fake credential harvesting sites are also not a concern.

The standards used to build passkeys place a great deal of emphasis on privacy -- in fact, FIDO has requirements to ensure that incorrect users aren't falsely accepted or correct users aren’t falsely rejected (also known as False Reject Rate), which should help put users' minds at ease about their fingerprint scan ever being stolen.

Beyond increased security, passkeys also create a better overall user experience. Multi-factor authentication is critical for reducing phishing and account takeover attacks; however, the extra verification step can cause friction for consumers. Passkeys offer multi-factor authentication in one step by confirming your biometrics and the private key on your device, making it a streamlined login process.

It's also worth noting that passkeys remove the need to create, remember, and manage passwords altogether, which leads to a much smoother experience for consumers.

Traditional passwords are the preeminent cause of data breaches and the most common way attackers gain initial access to a victim's system. They also place cognitive load on users and hamper their online experience. For this reason, I am a firm believer in moving towards a passwordless future for the Internet, and passkeys offer a solid solution.

Curious readers can check out this demo site to see passkey authentication in action.

Image credit: IgorVetushko/depositphotos.com


© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.