Will Password Elimination Solve Your Security Problems?

Many cyberattacks start with a stolen password. What if there was nothing to steal?

4 Min Read
Password within code

Password proliferation has become a problem for both individuals and businesses. Most people have so many different passwords for both work and home that they frequently forget and have to reset them. To eliminate changing them so often, some people even scribble them on sticky notes or they use the same password over and over just to make things simpler.

While most cyberattacks begin with a phishing email, they don’t get very far until their phishing expedition has yielded a weak or a stolen password. According to Verizon, more than 80% of attacks stem from password problems. While approaches may vary, the prize is usually the same: Criminals want credentials, and, once they have them, the world (or, at least, your clients’ networks) is their oyster.

That’s why a number of companies (including Google and Microsoft) are trying to point their customers in the direction of a password-less future. They are turning to multifactor authentication (MFA) and other approaches to provide a more secure means of accessing data and applications.

FIDO takes a bite out of password dependence The Fast Identity Online (FIDO) standard, now in its second iteration, has emerged as one way forward. Both Google and Microsoft have embraced FIDO-based solutions to the password problem. FIDO provides a way to register a device or an application, and then use a PIN, fingerprint, facial image or other supported methods for logging in.

Google employees, for example, now use YubiKeys with embedded chips that connect to a device without a password. Microsoft has internally launched Windows Hello for Business and the Authenticator app for MFA sign-ons.

Windows Hello provides biometric authentication in Windows 10 using fingerprints or facial recognition. The latest version of Microsoft Authenticator replaces the password using MFA for logging in to multiple applications with a combination of facial recognition, fingerprint scanning or a PIN. The company claims this can reduce password compromise risk by nearly 99.9%.

The FIDO 2.0 standard now includes an advanced web authentication protocol and the Client to Authenticator Protocol (CTAP) for creating links between a mobile phone or security key and a client device.

Are we entering a password-free era?

There are some in the industry that believe the latest FIDO advancements signal the end of passwords. In a recent interview, Alex Simons, vice president of program management at Microsoft, said, “We’re at the point now where I feel really confident that we can declare the beginning to the end of the era of passwords. Within 120 days or so, there will be no reason why you should need to use a password with any Microsoft-connected application ever again.”

Many companies, however, may not quite be ready for the cultural change (or hardware expense) associated with physical keys, biometric scanners and other password-free approaches. Smart cards and biometrics can be costly and complex to implement and require training. Further, in some deployments, they still need to be combined with passwords.

Luckily, there are other MFA solutions that can help companies reduce the risk of password vulnerability.

The Barracuda Cloud Control portal, which is a management portal for some of Barracuda’s email security and data protection solutions, offers users the choice of setting up MFA as an option or a requirement, and adds a secondary token to the user’s login credentials. Single sign-on and password management tools can also continue to alleviate the problem in the short term.

Since most of your clients still live in a password-centric world, Barracuda MSP provides security training, threat intelligence, and AI-based analysis that can help clients take better care of their password protected data and applications.

In the long run, however, it would be wise for VARs and MSPs to start preparing their clients for a future in which there are fewer passwords to manage. Depending on the industries you serve, MFA that is tied to particular devices can eliminate many vulnerabilities–particularly the myriad phishing schemes that trick employees into coughing up their passwords–as well as the frustration associated with password management.

Chris Crellin is Senior Director of Product Management for Barracuda MSP, a provider of security and data protection solutions for managed services providers, where he is responsible for leading product strategy and management.

This guest blog is part of a Channel Futures sponsorship.

Read more about:

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like