Password-less: Your Thoughts

Orchid

Level 1
Thread author
Jan 27, 2023
44
MalwareTips Community,

We all know passwords have been a topic in passwords leaked online/data breaches, how to make passwords secure, etc. However, only recently have there been talks about getting rid of passwords and going passwordless. Big Tech companies such as Google, Microsoft, and Apple are implementing password-less technology. However, what concerns me is the methods for password-less:

  • Biometric Authentication
  • Magic Links
  • One Time Passwords (OTP)
  • Push Notifications
  • Authentication Apps

According to the article linked below, Kobi Ben-Meir briefly discuss the benefits of going password-less and choosing the best method for people going password-less for businesses. However, these password-less methods are also not secure (from my point of view). A hacker can still steal the authentication of some of these methods. Truthfully, I would stick to using a password or passphrase and use multi-factor authentication.

So what are your thoughts on password-less?

The Benefits Of Passwordless Authentication And How To Choose The Right Method
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,050
Great with no need to remember passwords

Wait. Assuming you got 100 accounts. Can you remember what combination of

PIN Code
Swipe Patterns
Fingerprint ID...........remember you got 10 finger digits
Face ID (secure method)
Passphrase
Hardware security key
Authenticator app

for the 100 accounts?

I can't. So I still need to keep a hard copy of the 100 accounts with the various combinations as mentioned..........

🙄

Ok thats for the remembering part.

Now comes which combi type is the best.

1) Use of hardware security key and secure face ID or authenticator app. If the site/app permits the use of hardware security key then use it

2) Use of secure face ID (or fixed 1 or 2 fingers) and authenticator app

You only have 1 face and the authenticator app will generate numbers you don't need to remember. Forget the rest of the methods if you want to simplify your life. Some phones do not have secure face ID so just use your fixed 1 or 2 fingers will do
 
Last edited:
F

ForgottenSeer 98186

Benefits of fingerprint biometrics
  • Overall, fingerprint biometrics is considered to be highly secure and a common method of protection.
  • Fingerprints are hard to fake and more secure than a password or token.
  • Fingerprint data is stored directly in the device itself, making it more secure and less prone to potential privacy issues or data breaches.

What are the challenges of using magic links?
Magic links may offer stronger protection than passwords, but they come with several security blindspots to address:

  • Security is tied to the user’s email account. This presents its own set of security risks. Magic emails may be sent insecurely between mail servers and could be visible to employees at the user’s email provider. User inboxes are also easily accessible on unattended devices. To keep magic emails secure beyond doubt, users need to protect their email accounts with multi-factor authentication.
  • Admins have no control over link sharing. As with passwords, poor security behaviors introduce vulnerabilities. Admins have no way to see or prevent users from sharing confidential links with others.
  • Susceptible to man-in-the-middle attacks. Unless users access their emails through encrypted networks, hackers can intercept less secure connections and steal the session token from a magic link.

OTP (One Time Passwords) security tokens have their ups and downs

Hard tokens, like RSA SecureID, are a definite upgrade over SMS-based OTPs—relying on something the user has in their possession makes them less exploitable than knowledge-based authentication. What’s more, an OTP device such as Universal 2nd Factor (U2F) authentication security keys use asymmetric encryption algorithms to ensure that the OTP never leaves the token, effectively meaning it can’t be leaked.

However, the tangible nature of hard tokens also works against them. Users need to carry around another device, which can get lost, damaged, or stolen. This makes OTP tokens challenging for IT to maintain, particularly in large organizations, and can compromise security when in the wrong hands.

How Secured Is Push Notification Authentication?
The security of push authentication depends on the security of the application receiving the push notification and the device on which it is running. Security, therefore, varies by implementation and security posture of the host device.
 
Last edited by a moderator:

MuzzMelbourne

Level 15
Verified
Top Poster
Well-known
Mar 13, 2022
599
99.9% of the time I use a password because I'm forced to by the service/app provider. Sure, banking, legal, private... need a password and secondary authentication, but only if you are transacting online. But, 2FA to get to an article on Ubuntu Forums? Or keep track of your view history on Youtube, etc. Surely life would be simpler if we could choose yay or nay to enter into the whole password thingy in the first place.
 

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
845
@Orchid You forgot to mention Yubikey Security Key,Titan Security Key,etc...and then who knows PassKey maybe passwordless login is future.;)
That's where we are headed. YubiKeys/Security Keys will become very common over the next 5 years. All corporate/business logins will need it and 2FA.

The threat landscape has already shifted, and attackers are now intercepting and phishing for MFA codes and push notifications.

It's the constant arms race between attackers and defenders or good vs evil.
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,491
If it's easy to use, more will use it.

  • Biometric Authentication
  • Magic Links
  • One Time Passwords (OTP)
  • Push Notifications
  • Authentication Apps
I use all of the above, some services don't have/allow one or the other.

As for passwords themselves, if it's the case of Netflix forcing logins after 30 days to prevent account sharing. Passwords will be the weakest link. No one wants to type-in a 24 alphanumeric password using a TV remote (exaggerated). I'm not a Netflix account holder to know what account security they offer.
 
F

ForgottenSeer 98186

That's where we are headed. YubiKeys/Security Keys will become very common over the next 5 years. All corporate/business logins will need it and 2FA.
Hardware keys? Not so much
  • Companies do not want to pay for them (imagine a $250,000 budget for YubiKeys, they can get more comprehensive protection with that money)
  • Employees loose keys
  • SMBs are more likely to have a better experience with keys
2FA? Yes
  • It is already very common as part of identity management, such as Duo, Okta, Delinea, SalPoint, etc
 

Orchid

Level 1
Thread author
Jan 27, 2023
44
@Orchid You forgot to mention Yubikey Security Key,Titan Security Key,etc...and then who knows PassKey maybe passwordless login is future.;)

@piquiteco, I never really heard about YubiKey until recently and didn't know what it was until researching it yesterday. Thank you for mentioning it to me.

If it's easy to use, more will use it.


I use all of the above, some services don't have/allow one or the other.

As for passwords themselves, if it's the case of Netflix forcing logins after 30 days to prevent account sharing. Passwords will be the weakest link. No one wants to type-in a 24 alphanumeric password using a TV remote (exaggerated). I'm not a Netflix account holder to know what account security they offer.

@Ink, I use Netflix consistently, and Netflix doesn't have any account security, as far as I'm aware. Netflix has a Profile Lock where you have to enter a PIN to access your profile, and there is an option to enter your phone number, but I don't know if Netflix would use that as a form of authentication. I will do some research and get back to you on that.

That's where we are headed. YubiKeys/Security Keys will become very common over the next 5 years. All corporate/business logins will need it and 2FA.

The threat landscape has already shifted, and attackers are now intercepting and phishing for MFA codes and push notifications.

It's the constant arms race between attackers and defenders or good vs evil.

@Zero Knowledge, Maybe/Maybe not. YubiKey does have vulnerabilities too. The YubiKey validation server is cloud-based. If a hacker can get to the server, it might be game over, and you have to trust the company won't do any suspicious activity. From my research (so far), FIDO2/WebAuth is the most secure way to secure a passwordless account.

References
PrivSec - Multi-Factor Authentication
YubiCo OTP
 
  • Like
Reactions: [correlate]
F

ForgottenSeer 98186

@Zero Knowledge, Maybe/Maybe not. YubiKey does have vulnerabilities too. The YubiKey validation server is cloud-based. If a hacker can get to the server, it might be game over, and you have to trust the company won't do any suspicious activity. From my research (so far), FIDO2/WebAuth is the most secure way to secure a passwordless account.

References
PrivSec - Multi-Factor Authentication
YubiCo OTP
The links above are for developers that wish to implement Yubico technology on their websites or in their applications.

Your interpretation of the documentation is incorrect. The Yubikey validation server for OTP is implemented on the web services server - for those that want to implement Yubikey as a 2FA method on their website.

The Yubikey you buy from Yubico is not sending anything to Yubico. A Yubikey stores no data, needs no network connection, and does not run on software.

The only contact ever necessary with Yubico is to register and activate the Yubikey remotely, which saves no user information.
 

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,166
FIDO2/WebAuth is the most secure way to secure a passwordless account.
Absolutely! The advent of quantum computing will eventually make this mandatory (unless Quantum2FA is implemented).

A good overview of the stuff Orchid (love that name- I have ~40 myself) mentions can be seen here (with WebAuthn at 6:33):

 
Last edited:
F

ForgottenSeer 69673

I agree, Orchid is a nice non hostile looking name. I am in that boat for sure!!!!
 

kC77

Level 5
Verified
Well-known
Aug 16, 2021
231
I'm a big fan of the yubikey bio... Use it for every service I can, so much more secure.. quicker and easier than totp... Fido/webauthn no need to register it and unlike the normal non bio yubikeys you at least have the requirement of biometrics instead of just "any human can touch it"

I would worry about owning a non biometric yubikey about "if I was in an accident or incapacitated.. Or death..." With a standard key the only protection is the pin you have set.

With a non biometric key I'd really worry about storage and placement of my backup key..

With existing totp it was such a bind to open an authenticator app... Copy a code ... Sometimes waiting for it to timeout.. Then pasting it, that quite often I just click "trust this device/remember me"
While 2fa is good... Its the fact or saving that device that leads to a potential weakness.

With the yubikey bio and the supported services I have no need to "trust or remember" any device ... Just an extra prompt to tap my key and read biometrics for 2fa... Takes 2 seconds.


Sites still requiring totp seem old school... And often out of laziness if its generic site/forum or something non critical I'll Just "trust this device"
Even so this is only on devices I own and trust.

Yubikey bio..Amazing device... Highly reccomend.
 

TairikuOkami

Level 36
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,545
You can always change your password, if something happens, but you can not change your face nor fingeprint, they could even get damaged, not to mention you can simulate any face or a voice and a fingeprint can be stolen from a video or a photo! A few months MS has a big outage, people could not use passwordless login for hours, MS suggestion was to use a password. :ROFLMAO:
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,050
I'm a big fan of the yubikey bio... Use it for every service I can, so much more secure.. quicker and easier than totp... Fido/webauthn no need to register it and unlike the normal non bio yubikeys you at least have the requirement of biometrics instead of just "any human can touch it"

I would worry about owning a non biometric yubikey about "if I was in an accident or incapacitated.. Or death..." With a standard key the only protection is the pin you have set.

With a non biometric key I'd really worry about storage and placement of my backup key..

With existing totp it was such a bind to open an authenticator app... Copy a code ... Sometimes waiting for it to timeout.. Then pasting it, that quite often I just click "trust this device/remember me"
While 2fa is good... Its the fact or saving that device that leads to a potential weakness.

With the yubikey bio and the supported services I have no need to "trust or remember" any device ... Just an extra prompt to tap my key and read biometrics for 2fa... Takes 2 seconds.


Sites still requiring totp seem old school... And often out of laziness if its generic site/forum or something non critical I'll Just "trust this device"
Even so this is only on devices I own and trust.

Yubikey bio..Amazing device... Highly reccomend.

Does it works on android phone? The website didn't say so


And how is it compared to the YubiKey 5C NFC without bio?
 
Last edited:
  • Like
Reactions: simmerskool
F

ForgottenSeer 98186

For FIDO2 that supports Windows logon, I have had good results with cheap Thetis keys:


For logins to Microsoft account managed devices and all the types of Microsoft cloud account logons - Office 365, Skype, OneDrive, etc - I think the only real option is Yubikey although there are other options such as Fetis:

 
  • Like
Reactions: [correlate]

kC77

Level 5
Verified
Well-known
Aug 16, 2021
231

Does it works on android phone? The website didn't say so


And how is it compared to the YubiKey 5C NFC without bio?
it works on my pixel 7 usb c needs to be plugged in as the bio has no nfc

the bio is much more basic, it only supports fido/webath but requires biomentric touch
the 5nfc has much more features fido/webauth/otp/challenge response/customizable slots etc and can be used with nfc ... way more features, but only requires a touch from any human which im not a fan of (unless you protect it with a really really strong pin.... then you would have to enter that each time)
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top