When will we get rid of passwords?

Issue 2 2021 Information Security

Passwords are inconvenient and create numerous security vulnerabilities, so why can’t we just replace them? The short answer is that there’s no better method. Yet.

Companies are beholden to their users and while most users claim to value security over convenience, their actions speak otherwise. As a case in point, research conducted by Google suggested that even when users have experienced their accounts being taken over, fewer than 10% will adopt multifactor authentication (MFA) because of the associated complexity and friction.

All authentication is a balance of usability, security and deployability. To replace passwords, a new solution must equal passwords on all three fronts and exceed them on at least one. Trading off one set of advantages for another will not be enough to incentivise both organisations and users to switch. So, what can we do today to ease the password-driven bottlenecks and edge ever closer to friction-free nirvana?

A better MFA

A hypothetical solution to our maximisation problem is invisible multifactor authentication (iMFA). Unlike the MFA solutions of today, which typically rely on a password combined with an SMS or one-time password via email or a physical token, iMFA would rely on factors that are invisible to the user. Specifically, it would collect and process the maximum number of effort-free signals. Let’s break that down.

Maximum number. Web authentication is converging on a non-binary authentication model where all available information is considered for each transaction on a best-effort basis. All of the context of a user’s interaction with a website can be used to grant the best visibility into a user’s risk profile.

Effort-free signal collection and processing. Security should be provided on the backend so it doesn’t impede customers. By providing security without customer impact, companies can mitigate threats at minimal cost without introducing friction and upsetting users. For example, most email providers have settled for approaches that classify mail based on known patterns of attacker behaviour. These defences are not free or easy to implement, with large web operators often devoting significant resources towards keeping pace with abuse as it evolves. Yet, this cost is typically far less than any approach requiring users to change behaviour.

iMFA could be implemented with a combination of tools like WebAuthn and behavioural signals. The credential storage and user verification can be securely provided by WebAuthn and the continuous authorisation can be augmented with behavioural signals. The traditional MFA factors - ‘something you know’, ‘something you have’ and ‘something you are’ - come from WebAuthn. And the newest factor, ‘something you do’, comes from behavioural signals, including new types of biometrics.

Further, generating this variety of signals requires just a single gesture from the user, which is far less effort than entering a password. By combining these methods and constantly re-computing trust through machine learning, we can achieve the rare simultaneous outcome of increased security with decreased user friction.

An interim solution

But iMFA cannot replace passwords overnight. Change-resistant users will need a gradual transition. Websites will still have to incorporate a solution like WebAuthn into their authentication protocols. Without pressing urgency from a specific security threat, many sites will likely take their time adopting this standard. Furthermore, the integration process for a behemoth like Amazon could be extremely complicated, which is likely why there has been initial support from browser companies but not from e-commerce companies or social media sites.

If adoption of a new method will take years, what should businesses do in the meantime? Outlast the attackers by denying them their most precious resource: time. Attackers conducting credential stuffing are usually financially motivated and don’t have infinite capital. If an organisation can significantly increase the time it takes them to monetise their attacks, most cybercriminals will abandon the pursuit in favour of weaker targets.

Introducing more time into the credential stuffing kill chain

A good first step is to make credential spills more difficult to decode. It might seem obvious, but every company needs to upgrade their password security methods. If passwords are being hashed with MD5, organisations need to upgrade to something more secure like bcrypt. This would ensure that when an attacker manages to breach their database, it will take a reasonable amount of time for attackers to crack the compromised credentials before they can even launch an attack.
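The upgrade described above has a practical wrinkle: an organisation only holds the plaintext password at login time, so a legacy MD5 store is usually migrated lazily, one successful login at a time. The following example is added here and is not code from the article or from Shape; it uses PBKDF2-HMAC-SHA256 from Python's standard library as the slow, salted hash (bcrypt, which the article names, belongs to the same class of deliberately expensive hashes but needs a third-party package). The record format, the iteration count and the `md5$`-prefixed legacy record are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (assumed policy value). Every guess an attacker
# makes against a stolen record costs this many iterations; raise it over time.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (base64 for binary)."""
    salt = os.urandom(16)  # per-password salt defeats precomputed tables across users
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def legacy_md5_record(password: str) -> str:
    """How the constructed legacy store kept passwords: unsalted MD5. Shown only to
    demonstrate the migration path; a fast unsalted hash is exactly what to move away from."""
    return "md5$" + hashlib.md5(password.encode("utf-8")).hexdigest()


def verify_password(password: str, record: str) -> bool:
    """Verify against either record format, comparing digests in constant time."""
    if record.startswith("md5$"):
        expected = record[len("md5$"):]
        actual = hashlib.md5(password.encode("utf-8")).hexdigest()
        return hmac.compare_digest(actual, expected)
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _algo, iterations, salt_b64, digest_b64 = parts
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def needs_upgrade(record: str) -> bool:
    """True when the record is legacy MD5 or uses fewer iterations than current policy."""
    if record.startswith("md5$"):
        return True
    parts = record.split("$")
    return parts[0] != "pbkdf2_sha256" or int(parts[1]) < PBKDF2_ITERATIONS


def verify_and_upgrade(password: str, record: str):
    """Login path. Returns (ok, record_to_store): on a successful login against a weak
    record, re-hash under the current scheme, since this is the only moment the plaintext exists."""
    if not verify_password(password, record):
        return False, record
    if needs_upgrade(record):
        return True, hash_password(password)
    return True, record


if __name__ == "__main__":
    old = legacy_md5_record("correct horse battery")
    ok, new = verify_and_upgrade("correct horse battery", old)
    print("login ok:", ok)
    print("stored record now:", new.split("$")[0])
```

The stored record carries its own algorithm and iteration count, so `needs_upgrade` also catches records hashed under an older, cheaper policy, and a wrong password never triggers a re-hash.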

Organisations should also explore how they can force attackers to develop unique attacks for each target. Suppose a sophisticated attacker has stolen 100 000 cracked (plaintext) credentials that they are fairly confident no one else has access to, at least for the moment. The attacker knows that 100 000 fresh credentials should lead to, on average, around 1000 account takeovers on a large website.

Now, for such a sophisticated attacker, taking over 1000 retail accounts might not be worth the several weeks of time it would take to develop, test, launch and monetise the attack. However, it would be worth their time to attack multiple targets simultaneously, breaking into tens of thousands of accounts at once. The key would be to find companies that could be attacked using the same software - in other words, targets with similar infrastructure.

As a result, this attacker targets not just one company, but several simultaneously - in this case, a retailer, bank, social media company and ride-hailing mobile app. They have developed an attack that targets the Android version of mobile apps that have been built on the same framework. Their attack is very sophisticated: it does not re-use any resource more than twice, evading any rate-limiting measure the targeted company has implemented. Yet, while the attacker was too sophisticated to re-use something like an IP address when attacking a single target, they didn’t think they would be caught recycling resources across different targets.

We know this is how attackers think because this exact situation occurred in 2018 to four of Shape’s customers. Because they all operated on a shared defence platform, an attack on one of them was, in effect, an attack on all of them. Because the attacker recycled resources and behavioural patterns across all four companies within a very short time period, Shape was able to very quickly gather enough data to identify the attack. Thus, bundling the attacks actually worked to the attacker’s disadvantage, but only because intelligence was shared across different targets.
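The detection logic behind the shared-platform advantage, as an added example that is not code from the article or from Shape's platform: the same login-attempt records are evaluated twice, once the way a single target sees them (a per-tenant rate limit on source IP) and once the way a shared platform sees them (any resource, here an IP or a client fingerprint, reused at several distinct tenants within a short window). The four tenant names, the log records, the IP addresses, the fingerprint values and the thresholds are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login-attempt records from four hypothetical tenants on one shared platform.
# Fields: timestamp, tenant, source IP, client fingerprint (assumed hash of client signals).
EVENTS = [
    # Attacker: each IP used once per tenant, so no single tenant sees repetition.
    ("2018-03-01T10:00:00", "retailer", "203.0.113.10", "fp-a1"),
    ("2018-03-01T10:00:05", "bank",     "203.0.113.10", "fp-a1"),
    ("2018-03-01T10:00:09", "social",   "203.0.113.10", "fp-a1"),
    ("2018-03-01T10:00:14", "ridehail", "203.0.113.10", "fp-a1"),
    ("2018-03-01T10:00:20", "retailer", "203.0.113.11", "fp-a1"),
    ("2018-03-01T10:00:25", "bank",     "203.0.113.11", "fp-a1"),
    ("2018-03-01T10:00:31", "social",   "203.0.113.11", "fp-a1"),
    ("2018-03-01T10:00:35", "ridehail", "203.0.113.11", "fp-a1"),
    # Ordinary user: repeated logins at one tenant, nothing cross-tenant.
    ("2018-03-01T10:01:00", "retailer", "198.51.100.7", "fp-u9"),
    ("2018-03-01T10:05:00", "retailer", "198.51.100.7", "fp-u9"),
    ("2018-03-01T10:09:00", "retailer", "198.51.100.7", "fp-u9"),
    # Shared office egress IP seen at two tenants hours apart: below the cross-tenant bar.
    ("2018-03-01T09:00:00", "bank",     "192.0.2.50",   "fp-c3"),
    ("2018-03-01T15:00:00", "social",   "192.0.2.50",   "fp-c4"),
]


def ip_rate_limit_hits(events, max_per_window=3, window=timedelta(minutes=10)):
    """Single-target view: (tenant, ip) pairs with more than max_per_window attempts
    inside `window`. This is all one company can see of its own traffic."""
    stamps = defaultdict(list)
    for ts, tenant, ip, _fp in events:
        stamps[(tenant, ip)].append(datetime.fromisoformat(ts))
    hits = set()
    for key, times in stamps.items():
        times.sort()
        # Exceeded when max_per_window + 1 attempts fit inside one window.
        for i in range(len(times) - max_per_window):
            if times[i + max_per_window] - times[i] <= window:
                hits.add(key)
                break
    return hits


def cross_tenant_recycling(events, min_tenants=3, window=timedelta(minutes=5)):
    """Shared-platform view: resources reused at >= min_tenants distinct tenants within
    `window`. Returns {("ip"|"fp", value): sorted list of tenants}."""
    uses = defaultdict(list)  # resource -> [(timestamp, tenant)]
    for ts, tenant, ip, fp in events:
        t = datetime.fromisoformat(ts)
        uses[("ip", ip)].append((t, tenant))
        uses[("fp", fp)].append((t, tenant))
    flagged = {}
    for resource, seen in uses.items():
        seen.sort()
        # Slide a window from each use; count the distinct tenants that fall inside it.
        for i in range(len(seen)):
            start = seen[i][0]
            tenants = {tenant for t, tenant in seen[i:] if t - start <= window}
            if len(tenants) >= min_tenants:
                flagged[resource] = sorted(tenants)
                break
    return flagged


if __name__ == "__main__":
    print("per-tenant rate-limit hits:", ip_rate_limit_hits(EVENTS))
    for resource, tenants in cross_tenant_recycling(EVENTS).items():
        print("recycled across tenants:", resource, tenants)
```

On this data the per-tenant rate limit fires for nobody, while the cross-tenant view flags both attacker IPs and the shared client fingerprint; the office egress IP, seen at only two tenants six hours apart, stays below the bar, which is why the window and the distinct-tenant count both matter.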

Don’t give up

It is impossible to detect 100% of attacks instantaneously 100% of the time. What is possible is to make attacks so costly that attackers give up quickly, or don’t even try again. Cybercrime is a business; attacks are organised based on a predictable rate of return. If there is one thing that holds true across the worlds of cybercriminals and businesspeople, it is that time is money.

© Technews Publishing (Pty) Ltd. | All Rights Reserved.