Why is passwordless security better than Multi-Factor Authentication?

by Black Hat Middle East and Africa

In October, we asked Brett Winterford (Chief Security Officer, APJ at Okta) for his take on passwordless security, and why it’ll be part of our everyday lives in the future. Today, we’re getting a second take on the topic, talking to Umer Khan (Chief Information Officer and Senior Vice President of Software Engineering at Relativity Space) about the power behind passwordless authentication.

Umer has more than 25 years of experience in leading software, IT, and security teams at high-growth R&D companies. He was Vice President of Information Technology and Security at SpaceX, where he spent more than nine years enabling mission-critical launch, control, and recovery as well as full-scale USA-based manufacturing. Umer also held various technical leadership roles at Broadcom Corporation over 13 years. 

Before he arrives in Riyadh to share his knowledge at Black Hat MEA 2024, we wanted to find out why passwordless authentication matters to him. 

Why are you so passionate about passwordless authentication? 

“Passwords... seriously... suck! Because they are transmitted across the network and stored in some sort of file or database (even though they may be hashed and possibly even salted), there are many ways in which they can be exploited. They can be guessed, intercepted, phished, cracked, or stolen. 

“Shorter and simpler passwords are easily compromised through brute force entry/cracking (especially with modern CPU and especially GPU power), rainbow table attacks, or even just password sprays. Longer or complex passwords are difficult for people to enter, a pain to remember, and they require too much effort to make them unique.

“On top of all that, password best practices are difficult to enforce – and password reuse is common between work and personal systems. Password managers provide some workarounds but they don’t solve the root of the problem.” 

What’s the most common attack against passwords? 

“Credential phishing is one of the most common attack vectors, and it’s often an early step towards compromising the entire network, because it is relatively easy to trick a victim into entering their password on a malicious website by making it appear legitimate.

“Grabbing passwords from memory or hashes on disks is also often not too hard with tools such as Mimikatz and its clones and derivatives. And freely available databases of compromised passwords from popular websites make attacks simple, either due to password reuse or, at the very least, because an end user may use passwords with similar patterns across multiple systems or applications.”

Doesn’t Multi-Factor Authentication solve this problem? 

“Multi-Factor Authentication (MFA) certainly makes life harder for an attacker by requiring an additional authentication factor on top of the password (something you know). Examples of such factors include something you are (like a fingerprint or facial recognition) or something you have (like a hardware or software token, a smartphone with an app, or a phone with SMS). 

“In recent years, MFA has been commonly and easily bypassed. Attackers often use malicious websites that look exactly like a company’s single sign-on portal to trick the end user into entering both their password and the second factor.

“This is combined with a ‘man-in-the-middle’ technique. After directing the end user to enter their password on the fake website, the attacker grabs it and submits it to the real site to generate a genuine multi-factor prompt. When the user enters the second factor, it is used by the attacker to gain access to the real website as the end user.”

How does passwordless work? 

“Passwordless authentication makes use of FIDO2 to skip passwords altogether. FIDO2 can leverage technologies such as Face ID or Touch ID on an Apple device; facial, fingerprint, or iris recognition through Windows Hello for Business on a Microsoft operating system; a hardware security key (such as a YubiKey); or pure software in the form of Passkeys. 

“These mechanisms sit in front of key-based or certificate-based authentication and there is no symmetric secret (i.e. a password) which can be stolen from a server, intercepted during transmission, or phished from a user remotely. Because keys are unique for every web site and the browser validates that the web site is genuine, there is no possibility of stealing credentials by impersonating a login page. 

“And in addition to being significantly more secure, passwordless authentication increases convenience and provides a better user experience.”
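The two answers above describe the same relay from both sides: a one-time code typed into a look-alike page can be forwarded to the real site because nothing ties the code to the page it was typed into, whereas a FIDO2 assertion is signed over the origin the browser actually observed. The following Go program is an added illustration, not code from the interview or from any vendor: it simulates a relying party checking a WebAuthn-style assertion. The origins, the challenge and the ECDSA P-256 key are constructed stand-ins for the example; a real authenticator's key never leaves the device and the browser, not the page, fills in the origin field.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// RPOrigin is the genuine single sign-on origin (a constructed example value).
const RPOrigin = "https://sso.example.com"

// ClientData mirrors the WebAuthn clientDataJSON fields that matter here.
// The browser fills in Origin from its own address bar; page script cannot choose it.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the relying party receives: the signed client data and the signature.
type Assertion struct {
	ClientDataJSON []byte
	Signature      []byte // ECDSA (ASN.1) over SHA-256(ClientDataJSON)
}

// Authenticator simulates a FIDO2 authenticator holding one per-site private key.
type Authenticator struct{ priv *ecdsa.PrivateKey }

// Sign is invoked by the browser with the origin of the page the user is really on.
func (a *Authenticator) Sign(challenge, browserOrigin string) (Assertion, error) {
	cd, err := json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	if err != nil {
		return Assertion{}, err
	}
	digest := sha256.Sum256(cd)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{ClientDataJSON: cd, Signature: sig}, nil
}

// RelyingParty is the genuine site: its own origin, the user's registered key, the challenge it issued.
type RelyingParty struct {
	Origin    string
	Pub       *ecdsa.PublicKey
	Challenge string
}

// Verify applies the relying-party checks in order: ceremony/challenge, origin, signature.
func (rp *RelyingParty) Verify(a Assertion) error {
	var cd ClientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != rp.Challenge {
		return errors.New("wrong ceremony type or stale/replayed challenge")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin mismatch: signed for %q, expected %q", cd.Origin, rp.Origin)
	}
	digest := sha256.Sum256(a.ClientDataJSON)
	if !ecdsa.VerifyASN1(rp.Pub, digest[:], a.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Login simulates one ceremony. The user's browser is on browserOrigin; the genuine
// site's challenge reaches it unchanged and the resulting assertion is forwarded to
// the genuine site, which is exactly what a relay between the two would do.
func Login(browserOrigin string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	auth := &Authenticator{priv: priv}
	nonce := make([]byte, 32) // fresh per login so an old assertion cannot be replayed
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	rp := &RelyingParty{Origin: RPOrigin, Pub: &priv.PublicKey, Challenge: fmt.Sprintf("%x", nonce)}
	assertion, err := auth.Sign(rp.Challenge, browserOrigin)
	if err != nil {
		return err
	}
	return rp.Verify(assertion)
}

func main() {
	fmt.Println("genuine site:   ", Login(RPOrigin))
	fmt.Println("look-alike site:", Login("https://sso-example.com.lookalike.test"))
}
```

The second call fails with an origin mismatch before the signature is even examined: the assertion is perfectly valid, but for a site the relying party is not. The order of checks also matters for detection, since a burst of origin-mismatch rejections at the identity provider is a direct signal that users are being sent to a look-alike page.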

How about legacy applications that do not support FIDO2? 

“Legacy web applications can still support FIDO2 so long as the identity provider (IdP) being used for single sign-on (through SAML or OIDC, for example) supports it. Many ‘fat-client’ applications, such as VPN clients, also support web-based single sign-on, and are therefore relatively easy to transition to FIDO2.

“Operating system logins can also be made passwordless. While FIDO2 is not supported on many operating systems for local or remote (e.g. SSH, Remote Desktop) logins, FIDO2 hardware security keys (such as YubiKeys) often provide additional functionality which can be leveraged. Smart card/PIV capability on the same security key can be combined with a PKI infrastructure to enable passwordless logons for all standard operating systems (Windows, macOS, Linux, and more).”

What has been your personal experience with passwordless? 

“Passwordless fits well into my philosophy of ‘secure by default’. As Noah Stanford, CEO of 0pass, says: ‘Stop training people to never make mistakes. Give them the tools to click the wrong button without affecting the security of the organisation.’ 

“I led the initiative at a previous employer to completely transform authentication by enabling passwordless with YubiKeys as a primary mechanism, and use of Touch ID, Face ID, and passkeys as a secondary solution for certain applications. It was a long journey and most of the solution was custom-developed, but it was worth it! 

“The cybersecurity team at my current company is working on implementing something similar, although with a different technology stack that is more off the shelf.”

Finally, why are events like Black Hat MEA valuable to you and your work? 

“Black Hat MEA is one of the largest cybersecurity conferences in the world, and a unique and exciting opportunity to teach, share, network, learn, and collaborate. Like other tech fields, cybersecurity is constantly evolving, and it’s important to keep up with the latest attack techniques and trends, defence mechanisms, and industry solutions.”

Thanks to Umer Khan at Relativity Space. Join us at Black Hat MEA to learn directly from the world’s top cybersecurity leaders.  
