Passwordless authentication for email

While email systems have long relied on passwords as their first line of defense for security, they have not proved a worthy adversary to attackers. Passwords have proven a weak method for authenticating a user’s identity. Why? Because attackers are frequently able to guess, hack or phish passwords. And once they have the user’s password, the attacker can then go after the user’s email which can house a treasure trove of important correspondence and intellectual property.
 
Verizon’s recent DBIR noted this in their report when they wrote:
 

Utilizing valid credentials to pop web applications is not exactly avant garde. The reason it becomes noteworthy is that 60% of the time, the compromised web application vector was the front-end to cloud based email servers.

 
In the wake of this problem, many enterprises are looking to combat the problems of weak passwords by using passwordless authentication. As the name implies, passworless authentication provides authentication of a user’s identity without the use of passwords. Passwordless authentication is a growing trend and one that Gartner Research has written will continue to grow.
 

By 2022, Gartner predicts that 60% of large and global enterprises, and 90% of midsize enterprises, will implement passwordless methods in more than 50% of use cases — up from 5% in 2018.

 
One area in which passwordless authentication has a significant future is in its ability to improve email security. Stolen passwords are a significant problem for enterprises looking to maintain the security of their communications.
 

Stolen passwords and email hijacking

 
Stolen passwords are the method attackers use most frequently to hack email accounts. These passwords are gotten through variety of techniques. One of the most common techniques however is phishing.
 
In a phishing attack, a hacker will send a seemingly legitimate email to the user with a link that has them log into a spoofed site. When the victim logs into the fake site, the attacker is then able to harvest the user’s credentials and then use them to log into the user’s email account.
 

 
Attackers might also use credential stuffing to attack user email accounts. In this instance, hackers try numerous email and password combinations on a given site or service in hopes that one of the combinations will be the right one. These attempts are typically automated processes that prey particularly on people who reuse passwords.

 
In 2019 the above passwords were used millions of times in the UK
 
Often, large dumps of data are made available on public sites. For example, in January 2019 Troy Hunt wrote about Collection #1 which was a publicly available collection with over 1 billion email unique email and password combinations. All of this information was available in plain text on the cloud storage service MEGA. Through collections such as these, criminals are able to conduct large scale attacks on user email accounts.
 
Another technique attackers use is hacking into a database and stealing email passwords stored on the server. While you might think that in this day and age all passwords would be hashed and salted, this is not necessarily the case. Unfortunately, sometimes the companies don’t take security seriously or use weak hashes. At times,hashed and salted passwords can be bypassed when companies add overzealous logging capabilities, which record passwords in plain text. And with plain text passwords, the login information can be easily gotten from a database.
 
In some cases, attackers don’t even need to be particularly skilled at hacking to crack user passwords. There are numerous off the shelf hacking tools such as John the Ripper and Hashcat that enable attackers to crack passwords.
 
In the face of so many techniques to compromise email accounts, the enterprise needs an alternative method for securing user credentials.
 

What is Passwordless?

 
Traditional methods for proving identity rely on something you know, something you have or something you are. Solutions like passwords rely on something you know such as a string of letters, numbers and special characters. By contrast, passwordless authentication provides proof of identity without using a string of characters through the use of one-time password generators, hardware tokens, a user’s biometric signature, a knowledge-based authentication such as the answer to a question, or a cryptographic key.

 
PreVeil, for example, uses a private cryptographic key stored on the user’s device to provide incontrovertible proof of a user’s identity. This key cannot be guessed like a password since there are more possible combinations for the password then there are atoms in the universe. Additionally, attackers cannot remotely access the user’s account with the private key because the key is only available on the user’s device.
 
At PreVeil, this private key is also how users of the platform are able to decrypt their end-to-end encrypted communications
 

How does passwordless authentication work?

 
There are multiple forms of passwordless authentication that are available in the market today and each provides a different way of proving the user’s identity. For example, one that has gained popularity is Yubico’s Yubikeys. Yubikeys provide cryptographic authentication with a physical key. Only the key owner can access their personal accounts like email, finance or legal on the web. Access to these accounts are only possible when the user presents their account password and, more importantly, their Yubikey.
 
Owners of a smartphone will also be familiar with the biometric authentication that is found on both iPhones and Androids. Recent versions of both the iPhone and Android support facial and thumbprint recognition. Biometric authentication systems capture data based on a thumbprint or facial markers and store it in a database. Then when the user tries to log in to their account, the device compares the presented information to the stored data. If the user input and the stored data match, the user will be granted access to whatever they are trying to use.
 
At PreVeil, passwordless authentication is provided through private keys stored on the user device. Private keys are how you prove you are you. Remote attackers cannot realistically log onto accounts because they cannot access the private key. Moreover, since encryption keys are orders of magnitude harder to guess than passwords and are not re-used by users between services, users are protected against attacks that may leverage passwords stolen from other services.
 

Benefits of Passwordless Authentication

 
In a world overrun with passwords, passwordless authentication provides multiple benefits. Here is a list of some of the most prominent ones:
 

  • Increased security: By eliminating the use of hackable password, enterprises are able to significantly increase the security of their emails.
  • Reduced cost from fewer security incidents: Without the ability to compromise user passwords and overtake the user’s account, the incidence of attacks is greatly reduced.
  • Improved user experience: Passwordless authentication ensures users no longer have to remember multiple passwords in order to access their accounts on a site. This can streamline user’s journey on any digital platfrom.

 

How passwordless authentication helps email?

 
The benefits of passwordless authentication for email are substantial. Given that stolen passwords are how attackers access accounts, eliminating the use of passwords provides significantly greater security for the enterprise.
 
Using passwordless authentication:
 

  • Ensures passwords can’t be guessed and then used on multiple sites
  • Ensures passwords can’t be brute forced
  • Ensures passwords cracked
  • Ends credential stuffing
  • Eliminates business email compromise and phishing

 

Is passwordless authentication safe?

 
In comparison to the use of passwords, passwordless authentication is a much safer method for authenticating identity. For example, the use of cryptographic keys stored on users’ devices provides a method of authentication that cannot be guessed or stolen.
 
Given that one in five enterprise users have passwords that are weak or shared, business are at significant risk for cyber attack. Providing an opportunity for authenticating without password is a much safer alternative.
 

Conclusion

 
Passwords are clearly the bane of email security. Passwordless authentication provides a strong and proven method for securing email without relying on a string of characters and numbers. If you’re ready to get started with passwordless authentication and encryption to secure your email, contact PreVeil.