More Security or More Risk? The Bitter Truth About Passwords, MFA, Password Managers and a Passwordless Future

By Perry Carpenter

Passwords are the most common form of digital authentication, yet they can easily be phished, cracked, guessed, stolen or hijacked. So why haven’t we shifted away from passwords to something better? The reason is simple: they are the lowest common denominator. Passwords are intuitive, low-friction, cheap to implement, and compatible and interoperable with practically every kind of system. They are baked into our culture, which means people know how to use them with no training, although that same familiarity is partly why they fail as effective security mechanisms.

Fortunately, a number of new options have arisen in an effort to overcome these shortcomings. But on close examination, one cannot help but wonder whether many of these solutions inadvertently introduce more complexity and risk.

Security Challenges with Password Managers

The average person has to remember over 100 passwords, which is why a majority (64%) of users reuse passwords across multiple websites. To mitigate this risk, security teams have been advocating password managers, a great tool for generating, storing and managing complex passwords. However, the recent LastPass incident showed that password managers come with their own limitations. They can be vulnerable to bugs, hacking and social engineering, and they concentrate risk in a single point of failure: if threat actors crack the manager, whether by obtaining the vault and brute-forcing its master password or by compromising the software itself, they gain access to all of a user’s passwords at once.

Security Challenges with Multi-factor Authentication

Multi-factor authentication (MFA) has gained immense popularity over the last decade or so, with some making the bold claim that it blocks 99.9% of account compromise attacks. The truth is more nuanced. MFA can be bypassed using a range of techniques. Attackers can use a “pass the cookie” attack: they steal the session cookie the site issues after a successful MFA login and replay it from their own machine, so the second factor is never challenged again. They can combine social engineering with a man-in-the-middle proxy that sits between the victim and the real site: the victim enters credentials on a lookalike page, the proxy forwards them to the genuine service, the service sends a real push notification that the victim approves, and the proxy captures the resulting session. They can bombard users with a series of MFA prompts (a.k.a. MFA fatigue) until the user approves one, interpreting the flood as some kind of bug. Ready-to-deploy phishing kits that automate these flows are already being sold on underground marketplaces.
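What the pass-the-cookie and MFA-fatigue patterns above look like in sign-in telemetry, as an added detection example that is not part of the original article. The log lines are constructed, the field layout is an assumption, and the thresholds (more than four push prompts in ten minutes; a session presented from a new IP address and a new user agent) are starting points to tune, not any vendor’s defaults:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in log (not real telemetry). Fields, space separated:
# timestamp user event session_id source_ip user_agent
# Push events carry "-" as the session id; session events carry the issued id.
SAMPLE_LOG = """\
2024-03-01T09:00:01 alice mfa_push_sent - 203.0.113.5 Firefox/123
2024-03-01T09:00:20 alice mfa_push_denied - 203.0.113.5 Firefox/123
2024-03-01T09:00:45 alice mfa_push_sent - 203.0.113.5 Firefox/123
2024-03-01T09:01:10 alice mfa_push_denied - 203.0.113.5 Firefox/123
2024-03-01T09:01:30 alice mfa_push_sent - 203.0.113.5 Firefox/123
2024-03-01T09:02:00 alice mfa_push_sent - 203.0.113.5 Firefox/123
2024-03-01T09:02:40 alice mfa_push_sent - 203.0.113.5 Firefox/123
2024-03-01T09:03:05 alice mfa_push_approved - 203.0.113.5 Firefox/123
2024-03-01T09:03:06 alice session_start s-alice-1 203.0.113.5 Firefox/123
2024-03-01T09:10:00 bob mfa_push_sent - 198.51.100.7 Chrome/122
2024-03-01T09:10:15 bob mfa_push_approved - 198.51.100.7 Chrome/122
2024-03-01T09:10:16 bob session_start s-bob-1 198.51.100.7 Chrome/122
2024-03-01T09:15:00 bob session_use s-bob-1 198.51.100.7 Chrome/122
2024-03-01T09:20:00 bob session_use s-bob-1 192.0.2.99 python-requests/2.31
2024-03-01T09:21:00 carol session_start s-carol-1 198.51.100.8 Safari/17
2024-03-01T09:30:00 carol session_use s-carol-1 198.51.100.9 Safari/17
"""


def parse_log(text):
    """Parse the constructed log format into a time-ordered list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, session, ip, ua = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "event": event,
                       "session": session, "ip": ip, "ua": ua})
    return sorted(events, key=lambda e: e["ts"])


def detect_mfa_fatigue(events, max_prompts=4, window=timedelta(minutes=10)):
    """Flag users who received more than max_prompts push prompts inside any sliding
    window of the given length, and record whether an approval followed the burst."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"].startswith("mfa_push_"):
            by_user[e["user"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        sent = [e["ts"] for e in evs if e["event"] == "mfa_push_sent"]
        burst_end, start = None, 0
        for end in range(len(sent)):
            while sent[end] - sent[start] > window:
                start += 1
            if end - start + 1 > max_prompts:
                burst_end = sent[end]
        if burst_end is None:
            continue
        findings[user] = {
            "prompts": len(sent),
            "denials": sum(e["event"] == "mfa_push_denied" for e in evs),
            "approved_after_burst": any(e["event"] == "mfa_push_approved"
                                        and e["ts"] >= burst_end for e in evs),
        }
    return findings


def detect_session_reuse(events):
    """Flag sessions later presented from a different IP *and* user agent than the
    ones that started them: the trace a replayed (stolen) session cookie leaves.
    Requiring both to change keeps ordinary IP roaming (mobile, VPN) out of the alert."""
    origin, findings = {}, []
    for e in events:
        if e["event"] == "session_start":
            origin[e["session"]] = (e["ip"], e["ua"])
        elif e["event"] == "session_use" and e["session"] in origin:
            ip0, ua0 = origin[e["session"]]
            if e["ip"] != ip0 and e["ua"] != ua0:
                findings.append({"user": e["user"], "session": e["session"],
                                 "started_from": (ip0, ua0),
                                 "used_from": (e["ip"], e["ua"])})
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("MFA fatigue:", detect_mfa_fatigue(evs))
    print("Session reuse:", detect_session_reuse(evs))
```

On the sample, alice’s five prompts in under three minutes followed by an approval are flagged, bob’s session is flagged when it reappears from a scripted client on another network, and carol’s address change alone is not. A proxied (man-in-the-middle) login is harder to spot this way, because the real site sees the proxy’s address from the first request onward; there the defence is phishing-resistant MFA rather than log heuristics.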

Security Challenges with Password-less Solutions

There are a number of passwordless options out there. That sounds great, but the problem is a richness of choice and a poverty of ecosystems. Some technologies authenticate users biometrically; some use dedicated hardware security tokens; others use PKI-based authentication that binds a client authentication certificate to a specific device. Moreover, companies like Apple, Google and Microsoft are working on their own passwordless technologies. Given this, it’s quite possible we will see hundreds of different flavors of passwordless authentication. It’s also possible that users end up carrying a large collection of tokens, like a jailer’s giant key ring, which is neither intuitive nor convenient. The fact is, until users are interacting with new login mechanisms at scale, nobody really knows how people will react. Distracted users might still approve login prompts without realizing that they did not initiate them.

Is The Future Going To Be Passwordless?

Maybe. But until the biometric and password industries consolidate, until there is a new cultural standard, a single device or a single method that can authenticate everyone from young children to elderly seniors, something seamless, intuitive and natively integrated with all of the world’s technologies, it’s hard to imagine passwords being replaced. What’s more, every time something new is introduced, every player ships its own version of it. Such a disjointed, incompatible landscape would likely introduce a further set of security loopholes, vulnerabilities and weaknesses.

In all probability, passwords will not go away anytime soon. Until a breakthrough solution arrives, businesses are advised to follow some best practices:

  • Raise security awareness: Human intuition is key. Train staff so well that they develop a security instinct that helps them recognize, block and report suspicious activity, and ingrain security in your culture.
  • Use phishing-resistant MFA: Although it remains to be seen how well these tools hold up against real-world social engineering, security teams should switch to phishing-resistant MFA, which binds the login to the legitimate site so that a lookalike page cannot relay it.
  • Encourage use of password managers: Password managers may not be hack-proof, but nothing in the world of technology is. They will definitely improve password habits, which in turn reduces the risk of cyberattacks, breaches and identity theft. Around 50% of all cyberattacks can be traced back to stolen credentials.
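Why phishing-resistant MFA of the FIDO2/WebAuthn kind defeats the proxied push-notification flow described in the MFA section, as an added model that is not part of the original article. HMAC over the signed data stands in for the authenticator’s per-credential ECDSA key pair (an assumption of the model; the point is what gets signed, not the signature scheme), and the domain names are constructed:

```python
import hashlib
import hmac
import json
import secrets

# Added example: a model of WebAuthn origin binding. HMAC stands in for the
# authenticator's asymmetric key pair (assumption of this model), so the relying
# party is handed the HMAC key where real WebAuthn would hand it a public key.


def rp_id_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).digest()


class Authenticator:
    """One credential (secret) per RP ID, never released to the page or the RP."""

    def __init__(self):
        self.credentials = {}

    def make_credential(self, rp_id):
        secret = secrets.token_bytes(32)
        self.credentials[rp_id] = secret
        return secret  # real WebAuthn returns a public key here

    def get_assertion(self, rp_id, client_data_hash):
        secret = self.credentials.get(rp_id)
        if secret is None:
            raise LookupError(f"no credential registered for rp_id {rp_id!r}")
        # authenticatorData: rpIdHash || flags (user present) || 4-byte signature counter
        auth_data = rp_id_hash(rp_id) + b"\x01" + (1).to_bytes(4, "big")
        sig = hmac.new(secret, auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


def browser_get(authenticator, page_origin, rp_id, challenge, enforce_rp_id=True):
    """Browser side of navigator.credentials.get(): a page may only name an rpId that
    is its own effective domain or a registrable suffix of it, and the browser (not
    the page) writes the true origin into clientDataJSON."""
    host = page_origin.split("://", 1)[1].split("/")[0].split(":")[0]
    if enforce_rp_id and not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"rpId {rp_id!r} is not valid for origin {page_origin!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True).encode()
    auth_data, sig = authenticator.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


def rp_verify(secret, rp_id, expected_origin, challenge, client_data, auth_data, sig):
    """Relying-party checks on an assertion; returns "ok" or the first failing check."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return "bad challenge"
    if cd.get("origin") != expected_origin:
        return "origin mismatch"
    if auth_data[:32] != rp_id_hash(rp_id):
        return "rpIdHash mismatch"
    expected = hmac.new(secret, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return "ok" if hmac.compare_digest(expected, sig) else "bad signature"


def run_scenarios():
    rp_id, origin = "bank.example", "https://bank.example"
    phish_origin = "https://bank-example-login.example"  # constructed lookalike domain
    auth = Authenticator()
    secret = auth.make_credential(rp_id)
    challenge = secrets.token_urlsafe(32)  # a proxy relays the real challenge unchanged
    out = {}

    cd, ad, sig = browser_get(auth, origin, rp_id, challenge)
    out["legitimate"] = rp_verify(secret, rp_id, origin, challenge, cd, ad, sig)

    try:  # proxy page asks for the bank's rpId: the browser refuses before any key is used
        browser_get(auth, phish_origin, rp_id, challenge)
        out["aitm"] = "assertion issued"
    except PermissionError:
        out["aitm"] = "browser refused rpId"

    try:  # proxy page asks for its own rpId: no credential was ever registered for it
        browser_get(auth, phish_origin, "bank-example-login.example", challenge)
        out["aitm_own_rpid"] = "assertion issued"
    except LookupError:
        out["aitm_own_rpid"] = "no credential"

    # Hypothetical lax browser that skips the rpId check: the RP still rejects, and the
    # proxy cannot patch the origin without breaking the signature over clientDataJSON.
    cd, ad, sig = browser_get(auth, phish_origin, rp_id, challenge, enforce_rp_id=False)
    out["lax_browser"] = rp_verify(secret, rp_id, origin, challenge, cd, ad, sig)
    patched = json.dumps({**json.loads(cd), "origin": origin}, sort_keys=True).encode()
    out["lax_browser_patched"] = rp_verify(secret, rp_id, origin, challenge, patched, ad, sig)
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:22} {result}")
```

Contrast this with a push notification or a one-time code: nothing in either is tied to the page the user is looking at, which is exactly what the relay attack exploits. The model does not cover MFA fatigue, which phishing-resistant factors sidestep simply by having no prompt for an attacker to trigger.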

To summarize, there is no perfect system. Browsers, operating systems and email clients have all been compromised at some point. Although the industry is certainly taking steps to improve resilience and usability, changes take years if not decades to gain mass adoption. In the meantime, security teams must adopt a security-first mindset and practice liberal skepticism, which means not blindly trusting the next MFA or authentication method as a silver bullet. Embrace technologies like MFA, password managers, biometrics and passwordless authentication, knowing full well that these systems will have flaws: process issues, integration issues and exploitable vulnerabilities. There is no perfect system or strategy. Security is about building layered defenses and achieving incremental improvements.

About the Author

Perry Carpenter is co-author of the recently published “The Security Culture Playbook: An Executive Guide to Reducing Risk and Developing Your Human Defense Layer” (Wiley, 2022), his second Wiley book on the subject. He is chief evangelist and security officer for KnowBe4.