A double take on passwordless security

Welcome to the new 150 cyber warriors who joined us last week. Each week, we'll be sharing insights from the Black Hat MEA community. Read exclusive interviews with industry experts and key findings from the #BHMEA stages.

Keep up with our weekly newsletters on LinkedIn — subscribe here.

This week we’re focused on…

Passwordless security. 

Why? 

Because we’ve interviewed two experts on passwordless authentication, and they’ve given us a deeper perspective on what it is and why it’s better than existing solutions. 

Who are the experts? 

They’re Brett Winterford (Chief Security Officer, APJ at Okta) and Umer Khan (Chief Information Officer and Senior Vice President of Software Engineering at Relativity Space). 

Why do they care about passwordless security? 

Umer explained that his passion for passwordless is rooted in the struggles that come with passwords: 

“Because they are transmitted across the network and stored in some sort of file or database (even though they may be hashed and possibly even salted), there are many ways in which they can be exploited. They can be guessed, intercepted, phished, cracked, or stolen.”

You can’t get around this by simply making your passwords longer or shorter, because shorter, simpler ones “are easily compromised through brute force entry/cracking (especially with modern CPU and especially GPU power), rainbow table attacks, or even just password sprays.” 

And longer, more complex passwords “are difficult for people to enter, a pain to remember, and they require too much effort to make them unique.”

OK, so that’s what's bad about passwords. But what are the benefits of passwordless security? 

“The vast majority of cyber security incidents stem from password-based attacks,” said Brett. “According to the annual Verizon DBIR, 86% of security incidents stem from credential abuse. 

“Irrespective of whether the root cause arose from phishing, credential stuffing or from infostealer malware, the one thing nearly all these attacks have in common is theft of a user-generated password.”

We have Multi-Factor Authentication, though…

Brett said that multiple blended controls are essential to defend against password-based attacks, and MFA is the most effective – “but it’s not infallible either.” 

“An OTP is just another secret that a skilled social engineer can trick you into handing over. The only MFA factors that are resilient to these attacks are passwordless, phishing resistant factors. 

“Once you’re using these factors to access resources, you have the opportunity to eradicate passwords – and all the security issues they present – from your environment.”

Umer agreed that MFA makes life harder for attackers – but in recent years, he said, “MFA is commonly and easily bypassed. Attackers often use malicious web sites that look exactly like a company’s single sign-on portal to trick the end user into entering both their password and the second factor. 

“This is combined with a ‘man-in-the-middle’ technique. After directing the end user to enter their password on the fake website, the attacker grabs it and submits it to the real site to generate a genuine multi-factor prompt. When the user enters the second factor, it is used by the attacker to gain access to the real web as the end user.”

So how does passwordless authentication work? 

We’ll let Umer answer this one: 

“Passwordless authentication makes use of FIDO2 to skip passwords altogether. FIDO2 can leverage technologies such as Face ID or Touch ID on an Apple device; facial, fingerprint, or iris recognition through Windows Hello for Business on a Microsoft operating system; a hardware security key (such as a YubiKey); or pure software in the form of Passkeys. 

“These mechanisms sit in front of key-based or certificate-based authentication and there is no symmetric secret (i.e. a password) which can be stolen from a server, intercepted during transmission, or phished from a user remotely. Because keys are unique for every web site and the browser validates that the web site is genuine, there is no possibility of stealing credentials by impersonating a login page.” 

What stands in the way of mainstream adoption of passwordless security?

Brett suggested that “the final challenge to passwordless adoption will be a cultural one.” 

But that cultural shift is already happening; and “once passkey adoption in consumer apps takes off, passwordless will move from being a novel sign-in method to being a core user expectation very quickly.”

If you want to learn more…

Head to the blog to read our full interview with Umer here, and our full interview with Brett here. 

Do you have an idea for a topic you'd like us to cover? We're eager to hear it! Drop us a message and share your thoughts. Our next newsletter is scheduled for 20 November 2024.

Catch you next week,
Steve Durning
Exhibition Director

Join us at Black Hat MEA 2024 to grow your network, expand your knowledge, and build your business.