As someone who spends a lot of time writing about cybersecurity, I often find myself at risk of sounding like a broken record when it comes to the frailties of using passwords to sign into digital services.
By now people are probably all too aware that passwords are an imperfect security solution.
The dangers of poor password hygiene have been well documented for years. Despite this, and despite a number of alternatives being available (passkeys, biometrics, single sign-on (SSO), and so on), we remain hooked on authenticating the old-fashioned way. But why?
One alternative to passwords that I’ve been using for a handful of digital services in my personal and professional life for the last few years is the magic link – and I’m pretty convinced of its efficacy, efficiency, and security.
A magic link is a URL with an embedded, one-time token sent to the user's email address; when clicked, it logs them straight into the service they are trying to access. Simple, right? Magic links really do make passwords feel like antiquated technology.
Instead of forcing the weary user through the all too familiar rigmarole of creating and recording a strong password for each and every platform they use, the magic link means they only have to manage one password: the one for their email account.
Of course, it goes without saying that your email account should have at least one extra layer of protection, such as multi-factor authentication (MFA), but if you can ensure this is secure then using it to quickly sign into other services is a breeze, and I’m stumped why passwordless authentication is not more common today.
Today, most professionals, regardless of their specific role, are required to use a litany of environments and platforms. Multiple social media networks, a content management suite, analytics tools, development environments, and the inevitable unified communications as a service (UCaaS) platform can all quickly accumulate into an overwhelming sea of tools and accounts to manage.
Because these sessions usually expire each day for security reasons, most professionals will have to repeat the process of signing in every morning. This is tedious and only becomes more frequent over time as new services are onboarded.
I’ve found the programs in my daily workflow that use magic links, such as Slack, make this process seamless and instant. I would suggest that many enterprises are losing productivity and sacrificing their security by not implementing magic links across more elements of their software portfolio.
Resigning popular password-based attacks to the past
As people are forced to constantly create and record an ever-expanding list of passwords, the fatigue becomes all too real. It’s inevitable the average professional will get complacent the longer this goes on and give up on creating a unique, strong password each and every time.
This is what cybercriminals are banking on when they conduct their brute force, password spraying, or credential stuffing attacks, and magic links could remove these weapons from their arsenal.
Reusing passwords is a bad habit that most people can't seem to kick. Research from Bitwarden, which surveyed 2,400 individuals in the US, UK, Australia, France, Germany, and Japan, found that a quarter admitted to reusing passwords across at least 11 accounts. That makes them prime targets for credential stuffing if just one of those accounts is compromised and the credentials are uploaded to a dark web hacking forum.
Password spraying attacks are another common entry vector. Last year, we saw even the biggest companies fall prey to a seemingly simple error. In January 2024, it emerged that the Russian threat group Midnight Blizzard had accessed emails from Microsoft's senior leadership team after compromising a legacy, non-production test tenant account with a password spray attack; the account did not have MFA enabled.
This shows that even firms with the size and resources of Microsoft are not infallible and can be caught out by basic or already compromised passwords, so why would your business be any different?
Password managers are often raised as the panacea to this problem. While I use one in my day-to-day life, setting them up is far from seamless. Once established, they also need constant updates and reconfiguring to ensure they detect login fields, sync across devices, and more.
Magic links, in my opinion, would mitigate the aforementioned attack vectors, and remove all of the added stress, and often cost, of managing hundreds of passwords for every single service users need to access on a semi-regular basis.
And the security benefits of using magic links are not just exclusive to people who use these services from the front-end. If a service uses usernames and passwords to authenticate users, then a breach of the database containing these credentials could leave their customers’ accounts at risk, as well as any other services they’ve reused these passwords with.
Even if these passwords are hashed, attackers can still recover many of the originals: unsalted or fast hashes (MD5, SHA-1 and the like) fall to rainbow tables and GPU cracking, and even a properly salted, slow hash will give up weak and reused passwords to offline guessing. So, hashed or not, you don't want this data falling into the wrong hands. Why not get rid of it altogether?
Implementing magic links also requires minimal changes to an organization's existing infrastructure, and they can be stood up with fewer resources than other security layers like MFA or physical hardware-based tokens. The one part that has to be done carefully is the token itself: it should be generated by a cryptographically secure random number generator, stored only as a hash, expire after a few minutes, be rejected after a single use, and be rate-limited per email address.
Magic links are no silver bullet – but they’re halfway there
There are, of course, some caveats here. The email that delivers your magic link must arrive promptly for the system to work properly. If you've ever had to wait for a password reset email, you know how frustrating this can be. Delivery also has to be reliable: spam filtering and corporate link scanners that pre-fetch URLs can delay the email, or even consume a single-use token before the user ever clicks it, and once that happens the efficiency of the system is totally lost.
The elephant in the room is that, by using magic links, any attacker with access to your email account immediately has access to every service you sign into with them.
I would argue this isn’t necessarily a weakness with just magic links, however. For email-based authentication like magic links to be successful you need to ensure you have adequate security protections on your email account – but this really should be the bare minimum.
But even if you aren’t using magic links, the password reset option on most sign-in pages would mean most of your secure services are at risk if an attacker successfully takes over your inbox. As long as you are smart about keeping your email account secure and following a strong password policy, using magic links should be a very secure way to sign in.
Although I like the idea of going fully passwordless, it is still some way off. In the short term, we can drastically reduce the cyber burden on workers through solutions such as magic links. Outside of core services that still require passwords and layers of MFA, there's no reason not to embrace magic links on a massive scale.