Passkeys and the Future of the Password - Part 1
This is the first part in a series of posts where we talk about passwords, their issues, and passkeys, the industry’s solution to those issues. The rest of the posts will be linked here when posted.
Part 1 - The Human Factor (current)
The combination of username and password has been used to authenticate users since the beginning of computing systems. The username is something that is public, and the password is something that is private to the user and stored somewhere. Sometimes it is stored in the user’s brain; sometimes on a sticky note stuck to a monitor; and sometimes in a notebook. Assuming there are no other flaws in the system, the security of a user’s account largely depends on the security of the account’s password. Beyond the username and password, different system design decisions are going to influence the security of users’ accounts, especially with respect to how account information is secured. And unfortunately, any weakness in the password or in the security design of the system can lead to the compromise of a user’s account, and potentially the entire system.
Enter passkeys, which are supposed to be the tech industry’s solution to the issues of username- and password-based authentication systems. It is important to understand how we got here, what passkeys are, and why the tech industry believes they will help with security.
The Human Factor
The human factor plays a huge role in the security of the username and password, and is a huge reason why passwords have never worked well for security purposes.
“Password123”
First, the user needs to come up with a password. A lot of people are going to stick to things they know. Some common things people use as their password include:
The name of a loved one, usually their significant other
The name of their pet
A sport they like or play
Some word in the language they know
The word “password”
“123456” with more or less the same pattern
Personal information, such as the user’s or a loved one’s birthday
Some people might use some slight variation on the above. For example, replacing the letter “o” with the number “0”, or replacing the letter “l” with the number “1”.
This is not nearly enough to make an account secure as it is too easy to guess. And time and time again, we see simple passwords such as “123456”, “qwerty”, or “password” used by millions of users around the world, even in 2023.
Simple passwords are susceptible to several issues.
Brute force attacks
There are now many modern techniques to attack accounts with simple passwords, but before they were invented, attackers used brute force attacks. A simple brute force attack is a technique where the attacker blindly tries every combination of the known characters. For example, if we take the English alphabet and only use the lowercase letters, then an attacker would try “a”, then “b”, “c”, “d”, and when the attacker gets to “z”, there are no more single letters to use, so they move on to two letters, “aa”, “ab”, “ac”, and so on until the attacker figures out the password.
An improvement on a simple brute force attack is a dictionary attack. As the name suggests, it uses words in the dictionary as the password. This plays well into the human factor, as a human is not very likely to use a random password such as “ijoxnqlzs”, and is more likely to use a password such as “hockey”, “password”, or “game”, as they are more familiar and easy to remember. And this familiarity makes the password easier to guess, and thus not secure.
Standard Password Lists
The second issue comes from many years of successful attacks, including brute force attacks. As breaches happen year after year, attackers and security analysts alike have amassed a huge pool of common passwords. These common passwords have now been compiled into standard lists that are publicly available.
From a legitimate use perspective, these standard password lists are used to perform security testing so that accounts with common usernames and passwords are identified and their passwords changed to something more difficult to guess, thereby increasing the security of the identified accounts and sometimes the systems they are a part of. But more importantly, these password lists emphasize the need to not use simple passwords.
From an attacker perspective, these lists make it easy to compromise user accounts with common usernames and passwords without going through different permutations of characters, thus making a successful attack much faster. In modern terminology, dictionary attacks now include these password lists and previously compromised passwords, as they form a “dictionary” of passwords people are known to use.
Strict Password Policy
With the industry realizing simple passwords were too insecure, businesses started to enforce password policies, and consumer-facing applications soon followed. For a while, you would see password policies with requirements that look something like the following:
Has 8 or more characters
Uses uppercase and lowercase letters
Includes at least 1 symbol
Includes at least 1 number
Is not a simple password such as “123456”, “qwerty”, etc.
While policymakers mean well with this password policy, in reality it is only marginally better than having no policy. For example, rather than using “password”, using “Passw0rd!” would satisfy the policy. Attackers figured out users were only making minor changes to their existing passwords, and adapted their password lists accordingly.
Change Passwords Periodically
This is another one of those policies that did not have the intended effect. Encouraging users to change passwords periodically was designed to keep attackers guessing, as user passwords would not stay constant. However, what users ended up doing was, once again, making minor changes to their password. For example, if I started with the word “hockey”, and I am asked to change my password, then I might change the password to “Hockey1!” to satisfy the password policy above, but then at the next forced change, I would change the password to “Hockey2!” and so on. Once again, attackers figured out users were making these minor changes, and adapted accordingly.
Changing passwords periodically created another problem: users forget the password they changed to (although even without periodic changes, some users still forget their passwords). This led to authentication systems implementing a password reset feature in order to reduce helpdesk calls whenever users forget their password. Unfortunately, poor implementations of the password reset feature have been abused to gain access to accounts, which we will talk about in the next part of the series.
Multi-factor Authentication
Surprise! We still had not solved usernames and passwords getting compromised.
The security industry eventually came up with something outside of the username and password, called Multi-factor Authentication (MFA).
MFA is a method where you use multiple “factors” to log into a system. So, rather than relying solely on a username and password combination, the user needs to present more than one “factor” in order to be granted access to the system. The “factors” are the following:
Something you know - this is something the user remembers, such as passwords and PINs
Something you have - this is something that is in the user’s possession, such as a phone, or a special piece of hardware
Something you are - this is something that is part of the user, such as their fingerprint, face, or iris
The premise is that because multiple independent factors belonging to the user are required, it is much harder for an attacker to compromise the user, even if one of the factors is compromised. The attacker would have to compromise two (or however many factors the authentication system demands) factors in order to compromise a user’s account.
Most people are probably familiar with SMS-based MFA (where the user registers their phone number with the authentication system, and codes are sent by text message to this number), One-Time Password (whether with a dedicated piece of hardware, called a hard token, or on a smartphone, called a soft token), or push-based MFA (where the user installs an app on their smartphone, registers it with the authentication system, and an approval request is sent to the user). These all have technical issues, which we will talk about in the next post, but from the human perspective, a human can be tricked into entering the authentication codes or approving MFA requests. One phenomenon related to MFA is called MFA fatigue, where attackers bombard the user with a high volume of push-based MFA requests, and users, who just want to be left alone, eventually approve a request to make them go away. Unfortunately, that also means the attacker has bypassed the user’s MFA and gained access to their account.
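As an added example (not part of the original post), the following Python detection logic flags the MFA fatigue pattern just described from authentication logs: many push requests to one user inside a short window that end in an approval. The log format, field names, window and threshold are assumptions constructed for the example; a real product’s events would have to be mapped onto them.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real product). Format assumed:
# "<ISO timestamp> user=<name> event=<push_sent|push_denied|push_timeout|push_approved>"
SAMPLE_LOG = """\
2023-10-02T09:14:03Z user=alice event=push_sent
2023-10-02T09:14:40Z user=alice event=push_denied
2023-10-02T09:15:02Z user=alice event=push_sent
2023-10-02T09:15:35Z user=alice event=push_timeout
2023-10-02T09:16:01Z user=alice event=push_sent
2023-10-02T09:16:30Z user=alice event=push_timeout
2023-10-02T09:17:04Z user=alice event=push_sent
2023-10-02T09:17:45Z user=alice event=push_sent
2023-10-02T09:18:10Z user=alice event=push_approved
2023-10-02T09:20:00Z user=bob event=push_sent
2023-10-02T09:20:20Z user=bob event=push_approved
2023-10-02T11:02:00Z user=bob event=push_sent
2023-10-02T11:02:15Z user=bob event=push_approved
"""

WINDOW = timedelta(minutes=10)  # assumed lookback for "bombardment"
THRESHOLD = 3                   # assumed: this many pushes before an approval is suspicious


def parse_line(line: str) -> tuple[datetime, str, str]:
    """Split one log line into (timestamp, user, event)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv["user"], kv["event"]


def find_mfa_fatigue(log_text: str, window: timedelta = WINDOW,
                     threshold: int = THRESHOLD) -> list[tuple[str, str, int]]:
    """Return (user, approval time, pushes in window) for every approval that was
    preceded by at least `threshold` push requests within `window`."""
    recent_pushes: dict[str, deque] = defaultdict(deque)  # user -> push timestamps
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event = parse_line(line)
        pushes = recent_pushes[user]
        while pushes and ts - pushes[0] > window:   # expire pushes outside the window
            pushes.popleft()
        if event == "push_sent":
            pushes.append(ts)
        elif event == "push_approved" and len(pushes) >= threshold:
            alerts.append((user, ts.isoformat(), len(pushes)))
            pushes.clear()   # one alert per burst; a new burst must build up again
    return alerts


if __name__ == "__main__":
    for user, when, count in find_mfa_fatigue(SAMPLE_LOG):
        print(f"possible MFA fatigue: {user} approved at {when} after {count} pushes")
```

On the sample, alice’s approval follows five pushes in four minutes and is flagged, while bob’s two normal one-push logins are not. The same counter can raise an alert before any approval arrives (a burst with no approval is still worth a look), which is the point at which a product would want to notify the user and lock the push channel.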
In other words, traditional MFA methods are not perfect and still may allow an attacker to compromise a user’s account.
Takeaways
The main takeaway here is that humans are not very reliable in terms of creating and remembering something strong enough for security purposes, and can be easily tricked into bypassing protections. That is why the systems that the security industry has come up with, such as usernames and passwords, password policies, periodic password changes, and traditional MFA, have not been very effective in combating compromise of user accounts.
In the next part of the series, we will look at some of the technical aspects of authentication systems and how they evolved.