Best practice and common sense dictate that we use a unique, hard-to-guess password for each application we use. However, most of us place convenience over security and give in to the worst password habit: reusing a single, easy-to-remember password across all our applications. This happens because managing multiple passwords, each subject to different password policy rules, is difficult. The problem with this approach is that if our single password is stolen or guessed, it can be used in a credential stuffing attack to gain access to several of our personal accounts.
More recently, however, going “passwordless” has become practical, giving us iron-clad security without requiring us to remember multiple passwords. This has been made possible by push notifications carrying OTPs, combined with biometric verification. With most smart devices now offering facial and fingerprint recognition, it has become easy for companies to authenticate users safely without asking them to enter passwords.
This is where Web Authentication, or WebAuthn, helps enterprises: users can use a personally assigned YubiKey, or any biometric authenticator, to access a network or application. With WebAuthn, the user’s private key stays on the authenticator and is never exposed to the browser or sent to the application being signed in to. This method is better by leaps and bounds than password-based authentication in both ease of use and security.
WebAuthn does not necessarily mean “no passwords”
While WebAuthn can be an attractive replacement for passwords in most cases, the need for passwords cannot be dismissed for a few use cases. For example, what if a user forgets their hardware authenticator? To keep this and a few other account-lockout scenarios from affecting productivity, passwords are necessary as an alternative method of authentication. Another important use case that requires passwords is account creation, since a user’s biometric information would not yet be present in the system.
Despite WebAuthn drastically improving network and application security, organizations still need to pay attention to the weakest link in the use cases above. Even at companies that have already implemented WebAuthn, attackers target users who are at the first step of creating an account with an application or network. At this point, when a hardware authenticator has not yet been assigned and the account is not yet protected by WebAuthn, an attacker can capture the account’s credentials through the reset links. Such an attack also makes it easy for attackers to lock legitimate users out of their accounts.
To prevent such attacks, you can establish a set of rules, for example requiring users to create accounts only from within your organization’s network, or limiting the account-creation window to a few minutes for critical applications. This ensures that suspicious incidents are noticed immediately. While WebAuthn as a process has not reached perfection, it is still the right direction for network and application security, as it is more secure than the username-password combination.
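As an added example (not code from this post or from the Akku product), here is one way to enforce the two rules just described as a server-side gate on the pre-WebAuthn enrollment step: account creation is accepted only from the organization’s own network, only within a short window after the enrollment link is issued, and only once; every rejection is recorded so it can be reviewed immediately. The network ranges, window length and token handling are assumptions for illustration.

```python
"""Enrollment gate for the window before an account is protected by WebAuthn.

Added example, not CloudNow/Akku code. Corporate IP ranges, the window
length and the token format are assumed values chosen for illustration.
"""
import secrets
import ipaddress
from dataclasses import dataclass, field

ORG_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),       # assumed corporate ranges
                ipaddress.ip_network("192.168.0.0/16")]
ENROLL_WINDOW_SECONDS = 5 * 60                            # "a few minutes"


@dataclass
class EnrollmentGate:
    issued: dict = field(default_factory=dict)   # token -> (user, issued_at)
    events: list = field(default_factory=list)   # audit trail of accept/deny decisions

    def issue_link(self, user: str, now: float) -> str:
        """Create a random, single-use enrollment token bound to a user and issue time."""
        token = secrets.token_urlsafe(32)
        self.issued[token] = (user, now)
        return token

    def redeem(self, token: str, user: str, src_ip: str, now: float) -> bool:
        """Allow account creation only inside the org, inside the window, and only once."""
        entry = self.issued.pop(token, None)     # pop: the token is consumed either way
        if entry is None or entry[0] != user:
            return self._deny("unknown or mismatched token", user, src_ip)
        if now - entry[1] > ENROLL_WINDOW_SECONDS:
            return self._deny("enrollment window expired", user, src_ip)
        if not any(ipaddress.ip_address(src_ip) in net for net in ORG_NETWORKS):
            return self._deny("request from outside organization network", user, src_ip)
        self.events.append(("ok", user, src_ip))
        return True

    def _deny(self, reason: str, user: str, src_ip: str) -> bool:
        # Every refusal is logged so it surfaces as a suspicious incident for review.
        self.events.append(("deny", reason, user, src_ip))
        return False
```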
At CloudNow Technologies, we understand the importance of network and application security and have developed Akku, a highly efficient network security solution. With its multi-factor authentication feature, Akku can rightly complement your WebAuthn efforts to minimize the use of passwords. To know more, get in touch with us now.