# Beyond Passwords: Secure Authentication Solutions

**Source:** [https://www.youtube.com/watch?v=f6LD9sDKQq8](https://www.youtube.com/watch?v=f6LD9sDKQq8)
**Duration:** 00:11:31

## Key Points

- Passwords are fundamentally weak because users choose simple, easily guessable strings, reuse them across sites, and inevitably forget even the stronger ones they create.
- This reuse creates a “single point of failure” where compromising one account gives attackers access to all of a user’s other services.
- Password managers can generate and store unique, strong passwords for each site, reducing the memory burden, but they still rely on a master password and are vulnerable to phishing and breaches of the manager itself.
- Because any system that stores passwords can be targeted, many experts advocate moving away from passwords altogether in favor of more secure, convenient authentication methods.

## Full Transcript
Hold on, I'm entering my password. You won't tell anybody, right? This is what a password looks like for a security guy, and we'll just let it autocomplete. If only it could do that in the real world. Well, a really good password looks like this. You can remember that, right? Piece of cake. Well, maybe not. What would be better than a really good, complex, secure password? I'll tell you this: no password. Would you like that? Yeah, let's get rid of the password entirely, but let's not compromise on security. Is there a way to do that, where you can have security and convenience at the same time? Sounds kind of crazy, but let's take a look.

Okay, so what's the problem with passwords? Well, it turns out this is the face of the enemy when it comes to passwords: it's people. Because if left to their own devices, this is what people are going to choose as their passwords. We know this because we can look at when there have been password breaches and see what those passwords were that were most frequently chosen. Here's a favorite of mine. Yeah, people really choose that as their password. So people pick bad passwords. Then they can't even remember the bad passwords that they selected, especially if they were good enough to pick a good password; that's even harder to remember. And then what do they do? They put that same password on every single system that they use, so that if one of these systems falls, then they all fall, and all an attacker has to do is figure out how to get into one, and then they can get into everything in that person's life.

So one of the options, then, that people have looked at, and it's a solid option if you have to use a password, is a password manager. Let's take a look at how that works. So here we've got a user, and they're going to log into a piece of software we'll call a password manager, and it's going to store strong, unique passwords for every single system that they need to log into. So there's a whole bunch of these back here; it keeps a unique password for each one. The user does not have to remember that; they just have to know how to log into the password manager, and then the rest of it's handled for them. Beautiful, until you consider the fact that we still have these guys out here, the bad guys. And what if this guy sends an email to this person, a phishing email, that convinces them to then click on the phishing website, which is a bad website, and it looks like a legitimate website? They try to log in, they enter their password, and even if the password came from the password manager, even if it was really secure, this guy has now got your credentials. That's one problem. Another problem: what if this guy figures out how to break into one of these systems, any of them? The password that you have is stored in, probably, a hashed form; at least we hope it's been encrypted with a one-way hash. If not, it's even worse. If they have that and they're able to then later brute force and break that password, well, then this guy still wins. So the fact that a password exists is already a problem in the first place, because that password has to exist in lots of different places, potentially here as well. So that's the problem space. Again, passwordless, if we can get rid of the things entirely without compromising security, would be a better option. Let's take a look at how we could do that.

So authentication, that is, answering the question "who are you?", is based upon three different things. It's based upon something you know, something you have, or something you are. Something you know would be a password or PIN. Something you have: a particular device, for instance, that you carry around with you. Something you are would be a biometric, a measurement of your physical characteristics. And multifactor authentication, or MFA, is where we basically combine multiples of these, sometimes all three, sometimes just two, and combine these into a soup that then gives us higher confidence that you are who you claim to be.

Okay, let's take a look at what some of the alternatives are, what we could use these for, and where their strengths and weaknesses are. Now, I'm going to tell you, this is going to be a little controversial. Some of you are going to disagree with the way I characterize these. There are a lot of variables, so I'm having to generalize, so give me a little space on this, but this is in general what I think about this.

One possibility is to get rid of passwords and use a hardware token, a device, a separate device that you carry around with you. Some of the early versions of these had an LCD display with a six-digit number that changed every 60 seconds or so, and you had to keep that with you. Well, from a cost perspective, not so good, because you're adding an additional device, and that additional device gets lost or stolen, breaks, has to be replaced, and so people were famous for losing these things all the time. From a convenience standpoint, definitely not convenient, because now that's another thing I've got to keep up with. How about from a security standpoint? Well, security-wise it was actually pretty good, and you could use this in combination, as I mentioned, with multiple factors, but a lot of times you might just use this by itself, and if you used it just by itself, it still might be more secure, you could argue, than just a basic user-chosen password, because people choose bad passwords.

Now how about another option: a one-time password, a one-time thing that is only used for a specific period of time, and then it times out. A classic example of this, you see these all the time: you go to log in, and then it sends you a text message with a six-digit code. And so the cost of that is not bad; we can generate SMS messages pretty easily. Sometimes we do them in emails, sometimes even an app will pop up and do it, but we'll take a look at this example. However, from a just general convenience standpoint, well, it may or may not be very convenient. That's going to kind of depend on how the particular implementation is done. Some of the devices now are smart enough to be able to read that automatically for you and stuff it into the field for you. In that case the convenience is not bad; you just have to wait a little while. But otherwise, if you're having to type that in, it's not so convenient to do something like that. How about from a security standpoint? I'd say this is pretty good. It's definitely an improvement, because it's having to in fact prove that you have something. In fact, we could take a look back at these different alternatives and say this is based upon something you have, this is also based upon something that you have, and so we're using these in addition, maybe, to a password, or in place of a password.

Then, using a push notification to an app is another possibility. You have an app already installed on your phone, you pre-registered the phone, and when you go to log in it pops up a message on your phone. You look at that, and then you basically unlock your phone with a PIN that you have chosen. Well, okay, how do we think about this? Well, the cost is not bad. Most people have a phone with them already, a mobile phone, so we're not having to deploy new devices that have to be dealt with in that way. From a convenience standpoint, again, pretty convenient, because if you're like me, your phone is rarely more than arm's length away from you most of the time anyway, so it's already there. It's not an additional device that you're having to carry. And then from a security standpoint, yeah, I think it's better than just a self-chosen password, because again, people are really pretty bad at choosing passwords, and in this case now we're combining something you have, the pre-registered phone, combined with something that you know, a particular PIN. So you use that, then, to do a multifactor form, and again, no real password, although you could argue this is a little bit like a password.

How about a different form of this: a push notification with a biometric. So the push notification pops up on your phone, then you either look at the phone and use facial recognition, or fingerprint recognition, or some form of biometric. So now we're combining something you have along with something you are. And how does this stack up? Well, again, the cost is pretty low, because we can usually do this from your mobile phone, and most people have one of those. Convenience: you've already got this sitting around with you. I would argue this gets actually more secure than some of the other things, because it's going to be harder to replicate. Assuming that the biometric reader is good, it's going to be harder to replicate your face or your fingerprint than it would be a six-digit PIN, since that information could exist in multiple places, for instance.

And then finally, the one that I think is the best of these alternatives would be FIDO, which is the Fast Identity Online standard. I did a video on this earlier, actually two videos, so go take a look at those if you want to know more about how this works. But it's cryptographic; it uses PKI along with a biometric for you to unlock the cryptographic keys, and then those are exchanged. And the beautiful thing about this is there's no password stored on the server. There's no password to steal, therefore no password to phish. So it deals with a lot of the issues that we saw with some of the previous options that deal with passwords, and you don't have to remember anything. In most cases you just look at your phone and unlock it, and you're done. So that's something you have, a pre-registered device, plus something you are: multifactor, cryptographically strong. How does this show up on the score sheet? Well, I'm going to say its cost is pretty similar to all these others. In fact, passwords, by the way, are not free, because the number one call to most help desks is "reset my password," and those calls are anywhere from $20 to $50 a call, so most organizations are spending a lot on passwords and just don't really realize it. Then from a convenience standpoint, again, it doesn't get much easier than a push notification pops up, I look at my phone, I unlock the phone, that's it. From a security standpoint, I'll argue this is the one that is the most secure, because we're leveraging a lot of different things here: it's multifactor authentication, it's using a biometric, it's getting rid of a password, therefore a password can't be stolen because it never existed in the first place. So lots of possibilities here. And by the way, if you want to, you can sync those keys across multiple devices to make it simpler as well.

Okay, now we've taken a look at some of the more popular options for replacing passwords. In some cases they're used along with passwords to strengthen them, but they could be viable alternatives to get rid of passwords and take those nasty things out of your life altogether. Basically, we in security are always trying to balance the tradeoffs between high security and high convenience. Users love this, and security people love this. Anytime we get a chance to optimize on both of those, that's a win for both sides. Then it's like we can have our cake and eat it too, and I do love cake.

If you like this video and want to see more like it, please like and subscribe. If you have any questions or want to share your thoughts about this topic, please leave a comment below.