Passwordless Authentication vs 2FA: Are They Equal in Enterprise Security?

SDO Marketing Staff | May 12, 2020

Enterprise security is a fight to the death. It’s rough out there! Passwords are ridiculously easy to guess, and the ones that aren’t are almost as easily stolen. Just look at the countless high profile server breaches that leaked millions of end-user passwords over the years. It’s banks and businesses, not just consumers, that end up paying when hackers use stolen credentials to raid bank accounts or buy out the internet with stolen credit cards.

Two-factor authentication (2FA) to the rescue, right? Traditional 2FA is the accepted standard of authentication for almost every enterprise service and application, including company and organization portals and terminals. But while some companies race to “catch up” with this level of security, in many ways, traditional 2FA is already a thing of the past. How does it measure up against passwordless tactics? Let’s let them slog it out:

The defending champion: password + second Factor

With 2FA, an individual has to provide two “proofs of identity” in order to log or unlock a device. To access a company’s network remotely, via a corporate website, portal, VPN, server (usually the job of an admin), or even in-house via computer, users are generally required to submit a password. The second factor consists of one of the following: a token; security keys/FIDO2 devices; a push notification; biometrics; or OTP via push or SMS. With 2FA, individuals are tested on something they know (like a password), something they have (a device that receives a one-time password, a security token, etc.), or something they are (like FaceID) before being allowed entry.

But the implementation of 2FA – or even 3FA, where feasible – doesn’t solve the fact that the “star” of the authentication show remains the poor password. That means that the work of hackers is already half done; the only thing they have to figure out is how to beat the ostensibly “difficult” second factor, either the OTP, Token, push, or the biometric system. Yet even a second factor is vulnerable, as will be described below; creating a situation in which we are using a relatively weak second factor to “protect” an even weaker first factor. Traditional 2FA isn’t cutting edge; it’s already obsolete when it comes to securing enterprise structures and assets.

Forget the “first factor”

The “security” of passwords is negligible. In 2019 alone, there were 3,800 breaches exposing an incredible 4.1 billion compromised records – and those are just the ones that were publicly disclosed. This is chiefly due to poor password hygiene. Add to that the recent massive credential dumps that have left organizations vulnerable to password-based attacks such as phishing, account takeovers, and credential stuffing, and you have a recipe for a very insecure security system.

Second factors follow suit

So what about second authentication factors?

  1. Hackers have had plenty of time to come up with “solutions” for 2FA, and there are numerous pieces of malware out there – notably Muraena, working together with Necrobrowser– that can hijack SMS, Push, Software Authenticators, OTP, and other second factors. These tools enable hackers to use session cookies placed inside a browser to access the accounts they’re associated with directly, without requiring authentication. With tools like these, hackers can upend the entire concept of software tokens – and with the automation such tools provide, even script kiddies can pull off 2FA attacks.
  2. OTP is one of the most popular methods of implementing 2FA, but hackers are increasingly taking over phone numbers by using social engineering to trick mobile phone carriers into providing them with a clone of a victim’s SIM card. These “SIM swapping” or “SIM hijacking” attacks enable hackers to take over cell phone numbers, allowing them, for example, to redirect a second-factor authentication code to a device of their own choosing.
  3. Privilege escalation using IMAP vulnerabilities for Gmail and Microsoft: With a plethora of passwords to choose from due to the uncounted massive credential dumpsin recent years, hackers are able to easily carry out “password-spraying” attacks on insecure legacy protocols, such as IMAP (Internet Message Access Protocol)-based email. IMAP protocol does not support multi-factor authentication, and recent studies have shown that as much as 60 percent of Microsoft Office 365 and G Suite tenants were targeted with IMAP-based password-spraying attacks; about a quarter of those attacks were successful.

The challenger: passwordless authentication

To improve enterprise security beyond its current false sense of wellbeing with 2FA, first passwords will need to be eliminated. Numerous potential vulnerabilities are avoided by eliminating passwords, such as credential stuffing, password spraying, phishing and spear phishing, Corporate Account Takeover (CATO), and brute force attacks.

That being said, there are various methods of passwordless authentication, each with their own set of risks and challenges:

  • Hardware authentication devices (“hard” tokens)involve the use of a physical device – a smart card, Bluetooth token, OTP keyfob, or USB key – to authenticate users. The downside is that they can be expensive, easily lost or stolen, subject to man-in-the-middle attacks, and require a great deal of maintenance by IT departments.
  • Biometric scanners– Biometric authentication is considered to be very secure – but it can be just as vulnerable as passwords. Biological data is stored in servers and checked to authenticate the “owner” of that data, and if hackers get hold of that information, it could be devastating, such as in a recent breach that exposed a large biometric database. Biometric data could be subject to fraud by the use of deep fake technology to fool biometric scanners. In addition, biometric data actually has a great disadvantage compared to passwords; the latter can be changed, but not the former.
  • Software tokens – Soft tokens are stored on devices like smartphones, and can be used to authorize user authentication. They could be a solution to password, SMS, and biometric authentication problems. Smartphones are the perfect vehicle for soft token authentication, encompassing “what you have,” as well as biometric capabilities, all on a ubiquitous device and at a relatively low cost, backed by the world’s leading technological giants (Google and Apple).

Despite all that, any of these authentication methods is more secure than password-based authentication. So why do so many enterprises continue to rely largely on passwords for security? Call it the force of habit; many legacy applications and services are password-based, and users are accustomed to the idea of passwords. Letting go of passwords is a necessary change of mindset that will take a concerted effort on the part of enterprises. Enterprises will need to seriously consider these realities unless they want to find themselves thoroughly KO’d by hackers.

To learn more about Secret Double Octopus’ enterprise-ready and easy to deploy Passwordless Authentication solution please see our Solution Overview.