Microsoft will no longer require users to enter a password to access their accounts. Instead, they'll have to use an app, a verification code or facial recognition. Check it out ⬇️ pic.twitter.com/9I379X0MZL
— The Tonight Show (@FallonTonight) September 17, 2021
While removing passwords is the goal of IT leaders and security experts, as Microsoft's recent announcement shows, the replacements for passwords can be just as inconvenient. When the announcement came out, late-night TV host Jimmy Fallon had a hilarious reaction.
When we talk about "Authentication Nightmares", we mean the fears end users face when accessing their accounts. Like what Jimmy Fallon experienced, authentication nightmares cover a variety of things, such as the frustration of working through multiple authenticator apps and emails just to log in. But we also associate Authentication Nightmares with the fear users have that a hacker will steal their authentication method and use it to compromise their account. A stolen or forgotten password right before an important meeting, an OTP not entered in time, and a hacker gaining access to your SMS messages are real authentication nightmares that users experience every day.
Therefore, we asked around, "What's Your Authentication Nightmare?" and compiled a list of authentication nightmares and how users reacted to them.
To do this, we posted in cybersecurity forums, professional cybersecurity LinkedIn groups, and similar places, and asked, "What's your authentication nightmare?". We offered common scenarios as prompts, like forgetting a password right before an important presentation and missing it while you were busy locking yourself out of your account or filling out a cumbersome help desk ticket. Our objective was to determine which common authentication methods users find 'frightening' and, especially in an increasingly digital and security-conscious environment, which ones users found least reliable.
Survey Results
Here are the total survey results we found as to which nightmare was most common:
- Forgetting a password: 41
- Missing a One-Time Passcode: 11
- Losing a hardware token: 28
- Someone else logging in (SMS Takeover): 68
These numbers are out of 148 total survey responses. We found it surprising that so many people rank someone else logging in through an SMS Takeover as the worst of the authentication nightmares, but we think this is because that option describes a direct breach, while the other three do not explicitly mention a threat actor. On the surface, those three are simply inconvenient, whereas the SMS Takeover is directly caused by a hacker.
Forgetting a password came a close second, and we think this is because too many users still have to use passwords to log in, whether they want to or not. Even in a highly digital and remote workforce, many organizations and applications still rely on passwords as the most common form of security, so forgetting a password hits closer to home: more users deal with forgetting a password and having to reset it than with losing a hardware token, which only a small portion of the workforce uses, or missing a One-Time Passcode.
We did receive a comment that defines the whole issue with passwords, "My authentication nightmare is when people are still mentioning passwords...". It is an unfortunate evil that will still be in place for a long time.
The Death of the Password
As a cybersecurity vendor, we have preached the 'Death of the Password' again and again, noting that it is unreliable, hard to remember, and, of course, no longer secure, no matter how many special characters or numbers you add. In fact, adding special characters only delays the inevitable, and many users, when forced to change a password, simply re-use their old password with one character changed.
Th1$isa$tr0ngPas$word1 → Th1$isa$tr0ngPas$word2
Unfortunately, once hackers find one iteration of this subtle change, they simply increment the number and find that it works. Passwords today are no longer an effective or secure way to protect your login, and they have become much more cumbersome to remember, yet it is not the strength of the password that users fear as an Authentication Nightmare but forgetting it at a crucial time. We released a video demonstrating the idea of forgetting a password before an important Zoom call, and it hits close to reality for many individuals. Imagine you have to give an important presentation to investors: maybe a new product showcase, maybe a quarterly review, or just your financial reporting. Since many users, yourself included, have grown used to remote work over the past year and a half, you give yourself five minutes before the start time. You make your coffee, grab your notes, get yourself ready for your webcam, and so on.
Then an executive sends you a private message to log on, as the other executives and investors are already in the call, waiting. Again, being used to remote work, you do not worry. You go to your Zoom login, and the following red message pops up.
"You entered an incorrect username/password."
You have a little shocked reaction, but no need to worry. Everyone mistypes or misspells; it is normal. You enter it in again, going carefully.
"You entered an incorrect username/password."
Now is when most users worry. You swore you typed it correctly, but then you think, "Ah, then maybe it is my other password." So you try again with a different password and...
"You entered an incorrect username/password."
Now you are beginning to worry. Your boss or other executives begin messaging you about joining the meeting, and you have to reply that you forgot your password. You keep trying, but after a couple more failures...
"Your account is locked out."
That is the true authentication nightmare of passwords. Not only can you not get into the meeting, but you are also locked out of your account indefinitely. Inevitably, the executives message you, and this is not a good sign.
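As an added example (not code from the original post or from the vendor), here is a small Python check that a password-change form could run to reject the kind of one-character iteration shown earlier (Th1$isa$tr0ngPas$word1 → Th1$isa$tr0ngPas$word2). The rule names, the edit-distance threshold and the set of "rotated" trailing symbols are assumptions chosen for illustration; a real deployment would pair a check like this with a breached-password list and, as the post argues, prefer a second factor over ever-stricter password rules.

```python
import re

# Added example, not the vendor's code: flag a "new" password that is only a
# trivial iteration of the old one. Thresholds below are illustrative assumptions.


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,          # delete ca
                           cur[j - 1] + 1,       # insert cb
                           prev[j - 1] + cost))  # substitute ca -> cb
        prev = cur
    return prev[len(b)]


def _stem(pw: str) -> str:
    """Lower-case and drop the trailing run of digits/symbols, the part users rotate."""
    return re.sub(r"[\d!@#$%^&*?.]+$", "", pw.lower())


def is_trivial_iteration(old: str, new: str, max_distance: int = 2):
    """Return (rejected, reason) for a proposed password change.

    Both values are only available in memory at change time, when the user
    supplies the current password alongside the new one; nothing is stored here.
    """
    if old == new:
        return True, "new password is identical to the old one"
    if old.lower() == new.lower():
        return True, "only letter case changed"
    if _stem(old) == _stem(new):
        return True, "only the trailing digits/symbols changed"
    if levenshtein(old.lower(), new.lower()) <= max_distance:
        return True, f"differs from the old password by at most {max_distance} edits"
    return False, ""


if __name__ == "__main__":
    # Constructed sample pairs, including the iteration from the article.
    for old, new in [("Th1$isa$tr0ngPas$word1", "Th1$isa$tr0ngPas$word2"),
                     ("Summer2021!", "Summer2022!"),
                     ("Password1", "correct horse battery staple")]:
        rejected, reason = is_trivial_iteration(old, new)
        print(f"{old!r} -> {new!r}: {'REJECT' if rejected else 'accept'} {reason}")
```

The trailing-digit rule catches the exact pattern from the article, the case rule catches `Password1` → `PASSWORD1`, and the edit-distance rule catches changes elsewhere in the string (for instance `word` → `w0rd` plus a new final digit). A genuinely new passphrase passes all four checks.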
Missing a One-Time Passcode (OTP)
However, passwords are not the only source of authentication nightmares. Missing a One-Time Passcode is an annoying problem that comes with implementing stronger security measures like multi-factor authentication. Multi-factor authentication itself is not the issue, because there are many other second factors that are stronger and more reliable than one-time passcodes; the problem lies in how One-Time Passcodes are delivered. OTPs came around when many individuals began touting the death of the password, and as a step toward stronger security, they worked. The user would either use a third-party app like Google Authenticator or receive a text with a temporary login code. That code worked only once, and it let the user through the login process. The reason OTPs were effective as an authentication method was that a hacker could not reuse the same OTP to log into the account: if the user received '123456', a hacker could not use '123456' to log in.
At first, OTPs replaced passwords entirely, and this one-time password had real strengths; later on, many services adopted it as a second factor. This meant that users would type in their password and then receive a text with the OTP.
The problem we have with OTPs is that they are time-limited, which for many people is fine. If you are given five minutes to type in a short code, you can most likely do it. However, because of delivery and timing issues, there is a subset of people who cannot rely on OTPs. What do we mean by this? Well, depending on where you work and your phone signal, you may or may not be able to receive texts.
Let us explain this further. Most OTPs are still delivered through SMS text messages, but unlike traffic over WiFi, these text messages depend on your phone's signal, so if your phone does not have a strong signal, you are not receiving those texts immediately. In fact, with a weak signal you most likely receive them after the time limit has expired. Once an OTP's time limit expires, you have to request another, and the process begins again.
You request an OTP → you are not able to receive a text or notification → the OTP time limit expires
And this process cycles again and again. "Why doesn't my OTP expire later?" Well, by the nature of what an OTP is, you do not want to give potential threat actors enough time to use your OTP, which is why most OTPs last somewhere between one and five minutes. Additionally, even if you can normally receive text messages, an OTP cannot be delivered if your phone's battery is dead.
This happened often to one of our own interns who either did not have enough signal to receive a text message OTP on time or when using a third-party authenticator app, his phone would be dead.
While One-Time Passcodes are not a major authentication nightmare, they are the most annoying of the bunch to deal with. Mistyping a digit or part of the code also causes the cycle to repeat.
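The OTP lifecycle described above (time-limited, single use, and a fresh request after expiry), as an added Python example that is not code from the original post or from any vendor product. Code generation follows RFC 4226 HOTP and RFC 6238 TOTP (HMAC-SHA1, 30-second steps, 6 digits), so the values can be checked against the published test vectors; the verifier's one-step grace window, its diagnostic "expired" label and the constructed timeline in `delayed_delivery_scenario` are illustrative assumptions.

```python
import hashlib
import hmac
import struct

# Added example, not the vendor's code. Secret below is the RFC 6238 test key,
# used here only so the generated codes match the RFC's published vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, at_time // step, digits)


class OtpVerifier:
    """Server side: a code is accepted only inside a short window and only once."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1, digits: int = 6):
        self.secret, self.step, self.window, self.digits = secret, step, window, digits
        self.used_counters = set()   # counters already redeemed -> enforces single use

    def verify(self, code: str, now: int) -> str:
        current = now // self.step
        # Accept the current step plus `window` earlier steps (delivery delay, clock skew).
        for counter in range(max(0, current - self.window), current + 1):
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                if counter in self.used_counters:
                    return "replayed"   # the same OTP cannot log in twice
                self.used_counters.add(counter)
                return "ok"
        # Diagnostic only: label a code that *was* valid earlier as "expired" so the
        # cycle is visible. A production verifier reports one uniform failure to the client.
        for counter in range(max(0, current - 20), max(0, current - self.window)):
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                return "expired"
        return "mismatch"


def delayed_delivery_scenario(secret: bytes = RFC_TEST_SECRET):
    """Constructed timeline of the request -> slow SMS -> expiry -> re-request cycle."""
    verifier = OtpVerifier(secret)
    results = []
    t_request = 59                       # user requests an OTP (time step 1)
    code = totp(secret, t_request)       # "287082" for the RFC test secret
    results.append(("typo entered at once", verifier.verify("287083", t_request)))
    results.append(("text arrives 2.5 min late", verifier.verify(code, t_request + 150)))
    t_retry = t_request + 150            # user requests a second code
    code2 = totp(secret, t_retry)
    results.append(("second code entered promptly", verifier.verify(code2, t_retry + 5)))
    results.append(("same code entered again", verifier.verify(code2, t_retry + 5)))
    return results


if __name__ == "__main__":
    for label, status in delayed_delivery_scenario():
        print(f"{label:32s} -> {status}")
```

Running `delayed_delivery_scenario()` walks the cycle from the article: the mistyped code is rejected, the code that arrives two and a half minutes late has expired, the re-requested code is accepted when entered promptly, and entering it a second time is refused because it has already been used. Because the secret is the RFC 6238 test key, `totp(RFC_TEST_SECRET, 59)` is the documented value `287082`.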
Losing a Hardware Token
If you have received a laptop or computer from your work, this may apply to you more. Hardware tokens like smart cards, keys, or other USB tokens are physical devices that plug into your computer to prove your identity at login. Before the COVID-19 pandemic, when many individuals were working in person, many employees had a card that identified them to security officials, and that same card or another token like it would give them access to their device when inserted.
There are several reasons why having a hardware token, and losing it, is so frightening for those users, so we will take this piece by piece. First, having a hardware token means it is your main way of logging into your device. Just as security will stop you if you do not have a badge that identifies you, losing your hardware token means you have no access to that device. If you do lose it, the company has to issue another token for you, which costs the company time and money.
Second, losing a hardware token also means someone else may now hold your key to log in, so not only are you unable to log in and costing the company time and money, but a potential threat actor can also access your account and compromise company data. It is very similar to losing the key to your home. If you lose it, you have to spend time and money going to a locksmith to get a new one, while in the meantime a burglar can find your lost key and use it to break into your home.
This is a very scary authentication nightmare because it involves a physical item that, unlike its digital counterparts, cannot be synced to the cloud or transferred between devices. If you lose it, you cannot reset it as fast as a password or another login method; it is practically gone for a while. The time it takes to fix this issue is more than enough for a threat actor to find the key and use it against your company.
Someone else logging in
Someone else having access to your account is a very scary authentication nightmare. When we framed this scenario, we described an 'SMS Takeover' in which a threat actor gained access to a user's text messages and, from those text messages, was able to log in to their Postmates and Bumble accounts. However, there is also the possibility of accessing more important logins, like financial or bank accounts, or student accounts like a university login. The idea of SMS takeover and someone else logging in came from the true story of a threat actor paying $16 to a service to intercept a user's text messages. Without the user knowing their messages had been intercepted, and for the price of an NYC lunch, the threat actor could easily have done more damage.
Intercepting text messages also has very bad implications for security measures, since SMS OTPs, as mentioned before, can be intercepted by a hacker and used to log into social media accounts or even a bank account. Because a lot of sensitive data and security notifications are sent via text message, threat actors have a lot of success targeting users' text messages, and at a price of just $16, it is alarming how easy this is.
Additionally, many readers may ask, "But if the hacker had to pay $16 to subscribe to the service that intercepts the text messages, couldn't the police trace it back to the hacker, since they would have had to use a debit card with their name on it?" While this is true in principle, the threat actor paid with a prepaid gift card bought in cash, so that information could not be traced back to them.
Is there an Authentication "Dream"?
The bottom line is that going passwordless does not by itself give you a high level of security, and your users can be frustrated by these authentication nightmares. Single-factor logins, like a password alone, are no longer sufficient to secure your login. This emphasizes the need for multi-factor authentication that allows your users to authenticate how they want.
Organizations today are being targeted by outside attacks and exploited because of their lack of security measures. President Biden's Executive Order on cybersecurity urged companies to adopt more advanced security features, including multi-factor authentication (MFA). While each authentication method has its benefits, each also comes with its own nightmares, and what matters most for your users is that they have flexible options for MFA.