The Need for a Passwordless Future: AI, Password Cracking, and the Shift to Modern MFA

Introduction

As artificial intelligence (AI) continues to evolve, it is becoming increasingly easy for AI-driven tools to crack passwords. This alarming trend highlights the need for a passwordless future, in which modern Multi-Factor Authentication (MFA) methods such as FIDO2 replace traditional, less secure ones.

The Power of AI in Password Cracking

According to HomeSecurityHeroes, even a seemingly strong password can fall prey to AI-powered attacks in a matter of seconds. In fact, 51% of common passwords can be cracked in less than a minute.

Hive Systems confirms this and adds that even a plain brute-force attack, run from a consumer-budget desktop computer with a top-tier graphics card or from rented cloud compute, can yield worrisome results.

With the rapid evolution of AI, it is more important than ever to start evaluating a passwordless future to ensure the security of our digital assets.

Why Should We Move to Passwordless?

A passwordless future offers numerous benefits, as outlined in this Help Net Security article. Moving to passwordless solutions can:

  1. Improve security by eliminating the risk of weak or reused passwords.
  2. Enhance user experience, as there’s no need to remember complex passwords.
  3. Reduce the cost and time associated with password management.
  4. Facilitate a more straightforward and secure remote work environment.

Oh nice, but why can’t I just use a password manager with long, complex, and unique passwords?

While password managers offer protection against password cracking, they are not a foolproof solution. We will cover the advantages and disadvantages of password managers in a future article, but it’s important to remember that they are not a substitute for moving towards a passwordless future.

OK, so why can’t I just use MFA?

That’s a great idea. I have already written about the flaws of traditional MFA methods and the merits of modern, secure ones here and here, so I won’t repeat myself, but I will continue to suggest adopting modern MFA, possibly as an intermediate step towards a passwordless future.

Conclusion

As the ease of password cracking increases, the need for a passwordless future becomes more pressing. By moving away from traditional password-based authentication, organizations can significantly enhance their cybersecurity posture and protect their valuable digital assets.

OK, so I just have to go passwordless and that will solve all the problems?

Well, no (sorry, I tricked you – that wasn’t the conclusion of the article).

It’s essential to be cautious and to understand the limits of these technologies when implementing passwordless and MFA solutions. For instance, relying on simple prompt-based MFA (an approve/deny push notification) can leave users vulnerable to MFA prompt flooding attacks or other social engineering attacks.

Imagine removing the password while leaving users susceptible to MFA flooding attacks: the attacker would not even need to steal a credential first.

Microsoft is aware of this issue, which is why it offers passwordless authentication and is enabling number matching for all Microsoft Authenticator users (here I describe the difference between this method and the prompt-based approach).
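To make the difference between the two push flows concrete, here is a toy model of a push-MFA server, added as an example for this article; it is not code from the article or from Microsoft, and the server, challenge and phone behaviour are simplified assumptions. The point it shows: with plain approve/deny, any push the user taps completes a login that someone else started; with number matching, the number appears only on the screen that requested the login, so a user who is not logging in has nothing valid to type, and a per-challenge failure limit keeps the two-digit space from being walked through. An audit list of unapproved pushes per user is included as the detection hook a SOC would alert on.

```python
"""Toy model of push MFA: blind prompt approval vs. number matching.

Added example for the article above, not code from the article or from
Microsoft. Server, challenge and phone behaviour are simplified assumptions.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Challenge:
    user: str
    number: int                 # two-digit value shown only on the login screen
    approved: bool = False
    failed_attempts: int = 0


@dataclass
class PushMfaServer:
    number_matching: bool
    max_failures: int = 3       # wrong numbers tolerated before the challenge dies
    challenges: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)   # (user, event) pairs for the SOC

    def start_login(self, user: str) -> tuple:
        """Anyone who knows a username can trigger a push. The push itself carries
        no number; the number is rendered on the screen that asked to log in."""
        cid = secrets.token_hex(8)
        self.challenges[cid] = Challenge(user, secrets.randbelow(100))
        self.audit.append((user, "push_sent"))
        return cid, self.challenges[cid].number

    def approve_from_phone(self, cid: str, entered: Optional[int] = None) -> bool:
        """Called when the user acts on the push. `entered` is the number typed
        into the authenticator, or None when the app only offered a tap."""
        ch = self.challenges.get(cid)
        if ch is None:
            return False
        if not self.number_matching:
            ch.approved = True          # a single tap completes the login
            self.audit.append((ch.user, "approved_by_tap"))
            return True
        if entered is not None and entered == ch.number:
            ch.approved = True
            self.audit.append((ch.user, "approved_by_number"))
            return True
        ch.failed_attempts += 1
        self.audit.append((ch.user, "number_mismatch"))
        if ch.failed_attempts >= self.max_failures:
            del self.challenges[cid]    # challenge burned; a fresh login is required
        return False

    def unapproved_pushes(self, user: str) -> int:
        """Detection hook: pushes for this user that never became an approval."""
        sent = sum(1 for u, e in self.audit if u == user and e == "push_sent")
        ok = sum(1 for u, e in self.audit if u == user and e.startswith("approved"))
        return sent - ok


def legitimate_login(number_matching: bool) -> bool:
    """Alice is at the login screen, reads the number and types it into her app."""
    server = PushMfaServer(number_matching)
    cid, number_on_screen = server.start_login("alice")
    return server.approve_from_phone(cid, entered=number_on_screen)


def prompt_flood(number_matching: bool, pushes: int = 10) -> tuple:
    """Pushes are triggered for alice's account by someone who knows only her
    username. Alice is not logging in, so she never sees the number; worn down,
    she acts on every prompt. Returns (login succeeded, unapproved pushes seen)."""
    server = PushMfaServer(number_matching)
    for _ in range(pushes):
        cid, _number_on_strangers_screen = server.start_login("alice")
        # Without number matching her tap is enough. With it, the app asks for a
        # number she does not have; the model treats that as 'nothing entered'.
        if server.approve_from_phone(cid, entered=None):
            return True, server.unapproved_pushes("alice")
    return False, server.unapproved_pushes("alice")


def lockout_after_wrong_numbers() -> bool:
    """Once max_failures wrong numbers were tried, even the correct one is
    rejected, so the 100-value space cannot be walked through on one challenge."""
    server = PushMfaServer(number_matching=True, max_failures=3)
    cid, number_on_screen = server.start_login("alice")
    for offset in range(1, 4):
        server.approve_from_phone(cid, entered=(number_on_screen + offset) % 100)
    return server.approve_from_phone(cid, entered=number_on_screen)


if __name__ == "__main__":
    print("legit, tap-only      :", legitimate_login(False))
    print("legit, number match  :", legitimate_login(True))
    print("flood, tap-only      :", prompt_flood(False))
    print("flood, number match  :", prompt_flood(True))
    print("lockout holds        :", not lockout_after_wrong_numbers())
```

Running the module prints that the genuine login succeeds under both flows, that the flood succeeds immediately with tap-only approval and fails with number matching, and that the burned challenge rejects even the correct number. The `unapproved_pushes` count is the signal worth alerting on in real deployments: a burst of pushes for one account with no matching approval is the observable side of a flooding attempt, whichever flow is in use.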

The Need for a Passwordless Future – Real conclusion/recommendation

First, adopt a modern MFA solution, bearing in mind its potential limits. Then, start moving away from traditional password-based authentication. In this way, organizations can significantly enhance their cybersecurity posture and protect their valuable digital assets.