NEW TECH: ‘Passwordless authentication’ takes us closer to eliminating passwords as the weak link

By Byron V. Acohido

If there ever was such a thing as a cybersecurity silver bullet it would do one thing really well: eliminate passwords.

Threat actors have proven to be endlessly clever at abusing and misusing passwords. Compromised logins continue to facilitate cyber attacks at all levels, from phishing ruses to credential stuffing to enabling hackers to probe deep inside of a breached network.

Related: The Internet of Things is just getting started

The technology to get rid of passwords is readily available; advances in hardware token and biometric authenticators continue apace. So what’s stopping us from getting rid of passwords altogether?

The hitch, of course, is that password-enabled account logins are too deeply engrained in legacy network infrastructure. For most large enterprises, it would be much too costly and too disruptive to jettison the use of passwords entirely.

That said, we may very well be in the early adopter phase of weaving leading-edge “password-less authentication” solutions into pliant areas of legacy networks. I recently had the chance to drill down on this trend with Trusona, a 3-year-old Scottsdale, AZ company that is pioneering a password-less multi-factor authentication platform.

I interviewed Sharon Vardi, Trusona’s chief marketing officer, about what the path forward looks like, in terms of someday eliminating passwords from digital commerce. For a full drill down, give a listen to the accompanying podcast. Here are key takeaways.

History lesson

A couple of thousand years ago, Roman troops used passwords to decipher friend from foe as they patrolled the empire. In 1960, an MIT computer scientist named Fernando Corbató introduced the use of passwords in a mainframe computing project, not really to lock any intruders out. Corbató sought a simple way to let his colleagues store private files on multiple terminals – and passwords fit the bill.

As computers shrank in size, and then pervaded into our homes and everyday workplaces, passwords stuck around. Username and password logins emerged as the go-to way to control access to network servers, business applications and Internet-delivered consumer services. Passwords may have been very effective securing Roman roads. But they quickly proved to be a very brittle cybersecurity mechanism.

Thus, along came complex passwords, one-time passcode fobs, password vaults, two-factor authentication and multi-factor authentication – all to reinforce username and password logins.

“This was all done in an effort to take a very vulnerable system and make it more secure,” Vardi says. “Today there are some amazing, really good, solutions out there. But at the end of the day, if you look at what the two-factor authentication and multi-factor authentication markets have turned into, it comes down to just adding more layers on an inherently vulnerable mechanism; the first factor in all of those systems is still the username and password.”

Crippling losses

Despite advances in password best practices and supporting tools, password-based cybersecurity has remained precarious, at best.  Some 80% of data breaches continue to be  caused by compromised, weak and reused passwords, while 29% of all breaches, regardless of attack type, involved the use of stolen credentials, according to the 2019  Verizon Data Breach Investigations Report (DBIR).

Verizon has been doing this very substantive report, in which it culls hard evidence collected in actual data breach investigations, for 12 years. It started isolating passwords as a contributing factor in its 2017 report. Notably, the percentage of attacks in which passwords come into play over the past two years has remained constant.

Meanwhile, another reliable benchmarking study, IBM’s annual Cost of a Data Breach Study, quantifies the damage being wrought. According to IBM’s 2019 report, the cost of a data breach has risen 12% over the past 5 years and now costs $3.92 million on average. This is taking a heavy toll on small and midsize businesses; companies with less than 500 employees and $50 million or less in annual revenue suffered losses of more than $2.5 million on average, a potentially crippling amount.

Clearly, for every advance made in password security – i.e. password managers and two-factor authentication (2FA) – threat actors likewise have been swift to adapt and innovate. Just ask Twitter CEO Jack Dorsey, whose Twitter account was hijacked this summer in what’s known as a “SIM-swap” hack.

“This is a very popular type of advanced, targeted attack directed at very specific accounts of very specific people,” Vardi told me. “We’re seeing a lot of this in the financial industry where the bad guys are targeting people with access to money. “

A SIM-swap works like this: The attackers spend some time gathering readily available personal information on the targeted victim, then call up the victim’s phone service provider. Using social engineering, the scammer tells a story about losing a phone and needing help activating a new one. The crook persuades the telco employee to send a one-time passcode to activate the phone. To make the story convincing, the crook will provide personal information, like the last four digits of the victim’s social security number, home address, or even mother’s maiden name.

“All of that information is relatively easy to find on the Internet these days,” Vardi points out. “The attacker gets the SMS text that should have gone to the original owner of the account, and once that telco provider transfers that line over to you, all you have to do is log in and gain control.”

‘Push’ authentication

So how do companies even begin to think about getting rid of passwords?  Vardi recommends organizations begin by studying where they rely on passwords and begin to shift these password mechanisms away from customer and employee interfaces – where they are within threat actors’ easy reach – and into more back-end, internal systems. He explained that when legacy password mechanisms are no longer the linchpin of everyone’s daily routine and moved toward the back-end, they become easier to protect with more stringent policies that would otherwise add intolerable friction for most users – like administrators mandating much longer character counts, changed at more frequent intervals.

With Trusona’s technology, authentication via smartphones replaces the former password login screens. Let’s say an organization’s primary authentication process routes through the single sign-on (SSO) mechanism in Windows Active Directory (AD), a very common scenario. When an employee or customer goes to log in to their employer’s SSO, via Trusona, there is no prompt for a password. Instead, he or she clicks an icon requesting access, and a push notification requesting identity confirmation gets instantly sent to their smartphone.

The employee uses the Trusona app to login from there, such as tapping in the app for a pure smartphone use case, or by using their phone’s camera to scan a secure, Trusona-hosted image on their laptop screen. The Trusona app compares a unique, individual user record with the one-time image and other user attributes to authenticate and permit login, letting someone proceed through their SSO channel to e-mail, business applications and other sensitive programs.

Trusona claims that patent-pending “anti-replay” software prevents attackers from caching previous Trusona-protected logins to try and spoof the app’s identity screening. Crucially, the company’s entire identity play relies on the ubiquity and computing power of smartphones, which Vardi suggests people today are less likely to forget at home than their wallets. He emphasizes Trusona’s premise is to significantly beef up security for sensitive, gatekeeper logins like SSOs, Active Directory or online banking portals – ideally helping to slash password reset and other support calls to helpdesks, in the process.


“All you get is a push to your phone that says, ‘Hey, is this you trying to log on?’ And when you click, ‘yes,’ it authenticates you; it biometrically confirms that this is you, and passes an authenticated session to the underlying system,” Vardi says. “That’s it. You never trust the keyboard. You never have to type anything. Nothing is ever transmitted over the network, other than a one way hashed authenticated session.”

Changing behaviors

It struck me that what Trusona is doing is providing a path for organizations to not have to come to grips, just yet, with replacing their backend legacy systems that rely on passwords. At the same time Trusona’s platform takes the bold step of eliminating password usage at the general employee usage level.

Interestingly, the component that’s replacing the time-honored typing in of a username and password is a hybrid. Functionality-wise, it’s essentially a cross between a one-time passcode key fob and an accurate biometric reader, which now happens to be in the hands of any user of an iPhone or Android smartphone.

“The legacy systems, which you’re going to find in every single enterprise, just cannot function without usernames and passwords,” Vardi told me. “So we want to provide the ability for an enterprise to just eliminate attack vectors.”
The first step is a big one: to change engrained employee behaviors. Early adopters of Trusona’s technology are responding to compelling drivers, namely intensifying cyber attacks, as well as growing compliance pressures. Many companies have commenced educating their employees as part of requiring them to get accustomed to a new single sign-on paradigm.

Vardi told me he foresees a day when enterprises begin rolling out password-less sign-on systems to their customers and partners.

“So a bank that’s starting to use this internally, eventually will roll it out to their consumers because that’s a big attack vector, and then to all the different service providers across all industries,” he says. “And that’s really the way we see it evolving — from a B2B [business-to-business] play to a B2B2C [business-to-business-to-consumer] play.”

Like the Internet itself, passwords were never designed to support a high level of security. While the former is here to stay, it’s high time to begin sunsetting the latter. I’ll keep watch.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone