Leaving passwords behind and developing phishing-resistant users

Once considered an adequate form of online authentication, passwords are now broadly recognized as an insecure form of authentication that leaves users at high risk of modern cyber attacks like phishing. Even the strongest passwords can be guessed, stolen or intercepted, and once this happens, bad actors can easily bypass legacy forms of multi-factor authentication (MFA) and access personal information.

Organizations largely understand the risks of depending solely on passwords for online account protection and are looking for ways to become more cyber resilient. Progress is certainly being made: the UK Government recently introduced regulations to safeguard consumers against hacking and other cyber attacks, including prohibiting smart device manufacturers from setting weak, easy-to-guess default passwords such as ‘12345’.

However, more needs to be done to achieve true cyber resilience and resistance to phishing attacks. Phishing attacks are the number one cause of successful cyber attacks today, with over 80 percent of attacks resulting from stolen login credentials.

As awareness of password-related cybersecurity risks grows among individuals and organizations, further regulations are anticipated worldwide. Ultimately, the most secure option is to eliminate passwords entirely in favour of phishing-resistant authentication methods and focus on developing phishing-resistant users.

Niall McConachie

Regional director (UK & Ireland) at Yubico.

Towards a passwordless future with passkeys

Passwords, which rely on memorized shared secrets, urgently require a more secure alternative. The proliferation of passkeys represents a significant forward shift for authentication technology towards achieving this goal worldwide. Passkeys are typically stored on devices such as phones, computers or phishing-resistant hardware security keys. Using asymmetric cryptography, each passkey consists of a mathematically linked public and private key pair. The hosting site or application stores the public key, while the private key remains securely on the user’s device.

The adoption of phishing-resistant MFA, in particular device-bound passkeys held on hardware security keys, is critical for robust protection against sophisticated cyber threats. These keys offer a reliable defense against remote attacks, because physical possession of the key is required to authenticate. With 91 percent of cyber attacks beginning with phishing, secure and convenient authentication methods like these highlight the need to finally abandon passwords for good.

When logging into online accounts and services, authentication occurs through a validation ‘handshake’ between the two keys: the service issues a challenge, the device signs it with the private key, and the service verifies the signature with the stored public key. This approach addresses many of the vulnerabilities associated with traditional passwords. The good news is that passkeys are inherently phishing-resistant; because the private key never leaves the device, there is no secret for remote attackers to intercept or steal. Additionally, each passkey is bound to a specific website or app, so the credential is never sent to a phishing site, even if the user is deceived.

Some applications or services supporting passkeys allow users to choose between synced and hardware-bound options. As they do not require a battery or internet connection, hardware security keys deliver reliable authentication in environments where mobile devices are restricted or unavailable to users.

Ultimately, the most secure method to defend credentials involves using device-bound passkeys stored on security keys. This offers a robust security solution for both consumers and businesses – especially those focused on stringent compliance standards.

What’s next for passkeys?

Mainstream adoption of passkeys is set to grow over the coming years as individuals and businesses alike understand the significance of going passwordless and using MFA solutions that truly prevent phishing attacks. They will form a fundamental part of security best-practice policies within many organizations. With Apple, Google and Microsoft already using passkeys internally to support staff, while adding passkey support for customers accessing their sites, others are expected to follow their lead soon.

It is more urgent than ever for more platforms and services to enable passkeys and create a more secure internet for everyone. As passkeys continue gaining global momentum, this will hopefully result in the use of passwords declining and the success of phishing attacks significantly decreasing around the world.

Ensuring users are phishing-resistant is key to true cyber resilience

Increasingly, though, organizations must do more than simply deploy the right security tools if they are to maintain the highest level of security and eliminate phishing attacks entirely. Because the primary security control in enterprises has traditionally been to prevent phishing at the moment of authentication, rolling out phishing-resistant authentication has left many user accounts in a hybrid state, with both phishable and phishing-resistant credential types available.

Consequently, as users move between platforms and devices, and across personal and corporate apps and services, the risk of falling victim to phishing attacks rises sharply. Many conventional authentication techniques are inherently phishable, meaning platforms and enterprises must improve and secure their processes for issuing credentials, registering devices, and signing into passkey providers.

However, more often than not, organizations temporarily default to phishable user registration and account recovery methods when a user is being onboarded or when their device is lost or stolen. This piecemeal approach creates convenient points in time for a phishing attack to unfold and heightens the challenges for enterprises in consistently safeguarding their systems and data, and even remaining compliant.

So, the secret to ensuring a user or employee is properly protected is focusing on developing phishing-resistant users. Rather than just a reactive measure, this is a proactive strategy to remove the risk of phishing by eliminating all phishable events from the entire user lifecycle.

To accomplish this, organizations must equip their employees with phishing-resistant MFA and establish phishing-resistant account registration and user recovery procedures for all. This is underpinned by using purpose-built and portable hardware security keys as the foundation for the highest-assurance security. Lastly, organizations must employ technology-driven solutions that reduce the reliance on user education, while also providing essential education on the principles and benefits of phishing-resistant MFA for corporate and personal use.

Secure authentication that moves with users across all devices, platforms, and services, no matter how they work, is not a pipe dream but a necessity in today’s fast-moving digital landscape. Phishing resistance in registration, authentication, and recovery processes is paramount for cultivating phishing-resistant users. Doing so enhances cybersecurity resilience, reduces reliance on reactive measures, and effectively safeguards sensitive data and operations. It all starts and ends with deploying the highest-assurance modern hardware security keys and saying goodbye to passwords and other weak authentication methods forever.

This article was produced as part of TechRadarPro's Expert Insights channel, where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing, find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro