I frequently write about authentication, including PKI, multi-factor authentication (MFA), password managers, FIDO, Open Authentication, and biometrics. I have written dozens of articles on LinkedIn and have presented during many KnowBe4 webinars about different authentication subjects.
I have been professionally writing about authentication since at least November 2004, when I wrote my first ebook for Windows & IT Pro magazine on password attacks and security. This is to say that I think about authentication a lot.
Decades ago, I thought by now our world of authentication would have had only the best authentication solutions available. Instead, we still have nearly every authentication mechanism I knew of in the 1990s and passwords are still the number one authentication method. Sure, I see a lot more MFA solutions today, but if you added every non-password solution all together, they probably would not work on 2% of the world’s sites and services. It is a travesty.
I thought passwords would have been a thing of the past a decade ago. I think I wrote my first “Passwords Are Going Away” article in the early 1990s. I wrote my second one in the early 2000s. I now no longer write that article and I chuckle whenever I see someone else write it. Today, I think passwords may be with us another decade, if not forever. Why?
Well, for all the problems with passwords (e.g., overshared and often stolen), they work fairly well in many scenarios. Yes, they do get hacked and stolen all the time, but everyone, from a young child to a senior citizen, knows how to use them. You cannot say that for any other authentication mechanism. Show me any MFA method and I will show you a non-minor percentage of business-educated adults who cannot operate it.
Instead of MFA or some other better authentication solution (like FIDO) replacing passwords, what we have today is a situation where all of us have to use multiple different types of authentication, including passwords and MFA, and multiple types of MFA. Many of my web services and websites require that I use SMS-based MFA (despite the fact that it is easily hacked and stolen). A few websites and services have their own phone apps.
A few sites and services use push-based authentication (which has proven to be easily socially engineered and hackable). I use biometrics to log into my cell phone. I use a PIN to use the elevators at my company’s office building. I need biometrics to get into any of the office doors. And I use FIDO-based USB keys to log into our corporate network. Then for over a hundred different websites and services, I use a password manager, a single sign-on menu, or passwords I made up.
My daily life is made up of dozens of different types of authentication. I think most people are this way. We did not get rid of passwords. Now we have to use passwords and a bunch of other things. Again, I think this is pretty standard for most people – different types of authentication for different apps, sites, and services.
With that said, I do believe that some types of authentication are better or worse than others. And I think I am the only person who has actually shared how secure the different authentication mechanisms are, ranked weakest to strongest, compared to passwords and to each other (see the figure below).
You may disagree with my rankings, but at least I was brave enough to put my picks down on paper. I compare all authentication methods against passwords. I think passwords are the weakest authentication that anyone should use.
Weak Authentication Methods
As shown in the figure above, you should not have authentication that consists of:
- Knowledge-Based Questions
- Email Address Confirmation Only
- PINs
- Pattern-Based Authentication
Knowledge-Based Questions are the ones where they ask you things like, “What’s Your Mother’s Maiden Name?” or “Your Favorite Car?” or “Your Favorite Third Grade Teacher?”. Knowledge-Based Questions are commonly asked when a user goes to reset their password or when the site/service simply thinks that additional authentication (beyond a password) is needed.
Knowledge-based questions are horribly insecure. Many of them can be looked up or guessed. A large percentage of people cannot even remember their own legitimate answers to their questions when later asked to provide them. Years ago, there was a great Google white paper called Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google. It contained a ton of interesting facts, including:
- Some questions can be guessed on first try 20% of the time
- 40% of people were unable to successfully recall their own recovery answers
- 16% of answers could be found in the person’s social media profile
This is to say that personal knowledge-based questions are poor authenticators. I may never be able to guess your password, but if your personal knowledge-based question is “What Is Your Favorite Car?”, I am going to be able to guess that. For one, there are only about 100-120 different car models in existence at any one time, and models do not come and go that often. But more importantly, most people are not selecting a GMC Pacer or Ford Escort as their favorite car.
No, most people are going to choose something like a Ford Mustang, a Corvette, or a Lexus. I may not be able to guess your password, but I will probably be able to guess your favorite car in 20 guesses. And your mother’s maiden name is all over the Internet. Who ever thought that was a good personal knowledge-based question?
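To put numbers on the argument above, here is an added example (not from the original post) that estimates how much a small, skewed answer space like “favorite car” gives away compared with a uniformly random password, for the same number of guesses. The popularity curve is an assumption (a Zipf shape with about 110 models, the post's own figure), not measured survey data; the functions `zipf_distribution`, `guess_success_probability`, `min_entropy_bits` and `uniform_secret_success` are written for this illustration.

```python
"""Added example (not part of the original post): estimate the risk of a
knowledge-based question with a small, skewed answer space versus a random
password. The popularity curve is an ASSUMPTION (Zipf-shaped), not survey data."""
from __future__ import annotations
from math import log2


def zipf_distribution(n: int, exponent: float = 1.0) -> list[float]:
    """Probability that the r-th most popular of n answers is chosen (r = 1..n),
    following a Zipf curve: a handful of answers dominate, the tail is thin."""
    weights = [1.0 / r ** exponent for r in range(1, n + 1)]
    total = sum(weights)
    return [w / total for w in weights]


def guess_success_probability(probs: list[float], guesses: int) -> float:
    """Chance that trying the `guesses` most popular answers hits the right one."""
    ranked = sorted(probs, reverse=True)
    return sum(ranked[:guesses])


def min_entropy_bits(probs: list[float]) -> float:
    """Min-entropy: effective strength of the secret against a single best guess."""
    return -log2(max(probs))


def uniform_secret_success(alphabet_size: int, length: int, guesses: int) -> float:
    """Same guess budget against a uniformly random secret, e.g. a generated password."""
    return guesses / (alphabet_size ** length)


# Constructed scenario: roughly 110 car models on the market, with a
# Zipf-shaped preference for a few popular ones (assumption for illustration).
CAR_MODELS = 110
FAVORITE_CAR = zipf_distribution(CAR_MODELS)

if __name__ == "__main__":
    for k in (1, 5, 20):
        hit = guess_success_probability(FAVORITE_CAR, k)
        print(f"top-{k:>2} guesses, favorite car   : {hit:.0%}")
    print(f"min-entropy of the question    : {min_entropy_bits(FAVORITE_CAR):.1f} bits")
    # 8-character password drawn from 62 symbols, same 20-guess budget
    print(f"top-20 guesses, random password: {uniform_secret_success(62, 8, 20):.1e}")
```

Under these assumptions the single most popular answer is right roughly one time in five and the top twenty cover well over half of all users, which is the same order of magnitude as the Google figures quoted above, while twenty guesses against an 8-character random password are effectively hopeless. The lesson for a defender is that rate limiting cannot rescue a secret whose min-entropy is only a couple of bits.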
Email address only confirmation is a bad authenticator because people having their email account stolen from them is one of the most common cyber attacks. Microsoft said that one in every 250 of their customer email accounts is compromised each month. Since Microsoft has many hundreds of millions of active email accounts, that is a lot of compromised email accounts each year.
I am not a big fan of PINs. For one, most people reuse the same PIN no matter where it is used. Second, they are easy to shoulder-surf and see. And third, people often use recognizable patterns like their birthdates. PINs are easier to guess and steal than passwords.
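Where a PIN cannot be avoided, the least a service can do is refuse the predictable ones the paragraph above describes. The following is an added example (not from the original post) of such a check: `weak_pin_reasons` flags repeated digits, constant-step runs, repeated blocks, four-digit values that parse as a date or a year, and a short constructed list of notoriously common PINs. The list `COMMON_PINS` and the helper names are assumptions made for this illustration, not a published dataset.

```python
"""Added example (not part of the original post): a weak-PIN policy check a
service could run at enrollment. COMMON_PINS is a CONSTRUCTED illustrative
list, not a real frequency dataset."""
from __future__ import annotations
from datetime import date

# Constructed, illustrative set of frequently chosen PINs (assumption).
COMMON_PINS = {"1234", "0000", "1111", "1212", "7777", "1004", "2000", "4444", "2222", "6969"}


def _is_constant_step_run(pin: str) -> bool:
    """True for runs such as 1234, 9876 or 2468 (a single non-zero step)."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return len(steps) == 1 and 0 not in steps


def _looks_like_date(pin: str) -> bool:
    """Four digits that parse as MMDD, DDMM, or a year 1900-2099."""
    if len(pin) != 4:
        return False
    first, second = int(pin[:2]), int(pin[2:])
    for month, day in ((first, second), (second, first)):
        try:
            date(2000, month, day)  # leap year, so 02/29 is accepted
            return True
        except ValueError:
            pass
    return 1900 <= int(pin) <= 2099


def weak_pin_reasons(pin: str) -> list[str]:
    """Return the policy reasons a PIN should be rejected; empty means it passed."""
    if not (pin.isdigit() and len(pin) >= 4):
        return ["must be at least four digits"]
    reasons = []
    if pin in COMMON_PINS:
        reasons.append("on the common-PIN list")
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")
    if _is_constant_step_run(pin):
        reasons.append("constant-step run")
    half = len(pin) // 2
    if len(pin) % 2 == 0 and pin[:half] * 2 == pin:
        reasons.append("repeated block")
    if _looks_like_date(pin):
        reasons.append("looks like a date or year")
    return reasons


if __name__ == "__main__":
    for candidate in ("1234", "1987", "0314", "2468", "8305"):
        verdict = weak_pin_reasons(candidate) or ["ok"]
        print(f"{candidate}: {', '.join(verdict)}")
```

The check deliberately errs on the side of rejecting: a birthday-shaped PIN is refused even if the user did not mean it as a date, because the attacker trying dates does not care what the user meant. It does nothing about shoulder-surfing or reuse across services, which is why the post's advice to avoid PINs where possible still stands.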
Lastly, pattern-based recognition, where a user is supposed to trace a design or pick out different points on a screen or a picture, has proven to be weaker than even PINs and passwords. I have twice seen children, who were watching from across the room, come take their parent’s computing devices protected by pattern-based recognition, and successfully duplicate their surprised parent’s patterns.
They were able to see or make out the pattern even though they were across the room and often 180 degrees from the screen. Vendors of pattern-based recognition authentication solutions often try to make out how secure they are, but now that I have seen two young kids defeat them, I am not buying it.
Just say no to very weak authentication mechanisms. If you can choose and have a choice, do not use these weak authentication mechanisms.
Strong Authentication
On the other side of the spectrum, I am a big fan of phishing-resistant MFA. I do not love all MFA. Some MFAs are easier to hack, steal, and bypass than others. What MFA do I recommend avoiding? These are the MFA methods that I and others consider too easy to hack, steal, and bypass:
- SMS-based MFA
- Any MFA tied to a phone number
- Push-based MFA
- One-time password (OTP)-based MFA solutions
- Voice recognition-based MFA
Note: If you are interested in how these forms of MFA can be hacked, here is a good article.
It is not just me saying you should not use them. The U.S. government has been saying not to use these weak forms of MFA since at least 2017. Today, there are at least two Presidential orders (from 2020 and 2021) saying not to use them. Today, NIST’s Digital Identity Guidelines discourage using weaker forms of MFA, although it still allows them.
My take on weaker forms of MFA is this: The whole reason we are moving from passwords to MFA is that passwords are so easy to steal, hack, and guess. It takes a lot of money, resources, and effort to move from passwords to any MFA option. So, if you are going to go through all that time, effort, and money, why not move to a more secure form of MFA? It does not make sense to move from passwords to a weaker form of MFA that is just as easy as passwords to steal, hack, and bypass.
There are many stronger, more secure forms of MFA. They include anything that is FIDO-enabled. FIDO is an authentication standard that includes phishing-resistant, passwordless and MFA solutions. Any solution that is truly FIDO-enabled (there are frauds out there), is a good authentication solution to use.
I like any phishing-resistant MFA solution. Sadly, most MFA, including the most popularly used ones, such as Google Authenticator and Microsoft Authenticator, are not phishing-resistant. If you use MFA, choose a phishing-resistant solution. If you are not sure whether the MFA solution you are considering is phishing-resistant, check my list.
I am even a fan of old-school authentication options like smartcards. Smartcards with a PIN are strong, phishing-resistant solutions. I will say that I prefer multi-factor solutions over single-factor solutions. I prefer multi-factor FIDO solutions over single-factor FIDO solutions. I prefer multi-factor passwordless solutions over single-factor passwordless solutions. I prefer multi-factor biometric solutions over single-factor biometric solutions. Are you sensing a pattern?
You have a lot of authentication solutions to choose from. Many times, you do not have a choice. You have to use what the site or service tells you to use. You have to use what your boss tells you to use. But when you do have a choice, when you are allowed to pick what authentication solution you will use, pick stronger solutions over weaker solutions. And maybe…just maybe…one decade in the future, we will be rid of passwords.