{"id":3463,"date":"2024-08-20T11:00:00","date_gmt":"2024-08-20T11:00:00","guid":{"rendered":"https:\/\/sectigostore.com\/blog\/?p=3463"},"modified":"2024-08-19T16:44:20","modified_gmt":"2024-08-19T16:44:20","slug":"passwordless-login-security-mistakes-and-how-to-avoid-them","status":"publish","type":"post","link":"https:\/\/sectigostore.com\/blog\/passwordless-login-security-mistakes-and-how-to-avoid-them\/","title":{"rendered":"8 Passwordless Login Security Mistakes and How to Avoid Them"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Identity Defined Security Alliance (IDSA) reports that nearly <a href=\"https:\/\/www.idsalliance.org\/infographic\/2024-trends-in-securing-digital-identities\/\">85% of identity stakeholders<\/a> were directly impacted by identity-related security incidents in 2023. Protect your data and systems by learning eight passwordless login security mistakes and how to avoid them<\/h2>\n\n\n\n<p><a href=\"https:\/\/www.hypr.com\/resources\/report-state-of-passwordless\">$5,479,819<\/a>. This is the average cost of data breaches caused by insecure authentication in 2023. It\u2019s enough to easily bankrupt many businesses. To make matters worse, the same Hypr report confirms that authentication-related attacks affected 69% of the firms polled.\u00a0<br>\u00a0<br>Adopting passwordless login solutions can help organizations mitigate the risks associated with traditional password-based access.
But, if incorrectly implemented, these solutions can do more harm than good.<br>\u00a0<br>As the character Rocky Balboa said in one of his namesake movies: &#8220;The world ain&#8217;t all sunshine and rainbows.&#8221; So, let&#8217;s explore the most common passwordless login security mistakes to avoid and a few tips that&#8217;ll protect you from most of the digital world&#8217;s nasty storms.<\/p>\n\n\n\n<div class=\"wp-block-advanced-gutenberg-blocks-notice is-variation-info has-icon\" data-type=\"info\"><p class=\"wp-block-advanced-gutenberg-blocks-notice__title\">Learn the Advantages and Disadvantages of Passwordless Authentication<\/p><p class=\"wp-block-advanced-gutenberg-blocks-notice__content\"><strong>Related:<\/strong> <a href=\"https:\/\/sectigostore.com\/blog\/the-pros-and-cons-of-passwordless-authentication\/\">The Pros and Cons of Passwordless Authentication<\/a><\/p><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">8 Passwordless Login Security Mistakes and How to Avoid Them<\/h2>\n\n\n\n<p><a href=\"https:\/\/sectigostore.com\/blog\/what-is-passwordless-authentication\/\">Passwordless login solutions<\/a> are a wonderful way to verify your users&#8217; identities without requiring them to type their passwords.
This method replaces passwords with more secure alternatives such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/sectigostore.com\/id\/email-signing-certificate\">Client certificates<\/a> (i.e., personal authentication certificates),<\/li>\n\n\n\n<li><a href=\"https:\/\/www.kaspersky.com\/resource-center\/definitions\/biometrics\">Biometrics<\/a> (e.g., fingerprint, retina scans),<\/li>\n\n\n\n<li>One-time passwords (OTPs), or<\/li>\n\n\n\n<li>PINs.<\/li>\n<\/ul>\n\n\n\n<p>Here\u2019s a quick overview of several of the most common passwordless security mistakes people make and what you can learn from them:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>Passwordless Login Mistakes<\/strong><\/td><td><strong>Passwordless Login Issue Examples<\/strong><\/td><td><strong>Solutions<\/strong><\/td><\/tr><tr><td>1. Skipping Users and Customers\u2019 Identity Proofing<\/td><td>Not verifying a user\u2019s identity before granting them access to a new app or resetting a password.<\/td><td>Follow NIST <a href=\"https:\/\/pages.nist.gov\/800-63-3\/sp800-63a.html\">digital identity guidelines<\/a>, use different verification methods, and manage identities correctly.<\/td><\/tr><tr><td>2. Insecurely Handling Your Certificate\u2019s Private Keys<\/td><td>Storing keys as plain text files, using the same key for multiple servers, sharing keys, and no key rotation.<\/td><td>Use unique keys, <a href=\"https:\/\/csrc.nist.gov\/glossary\/term\/key_rotation\">rotate them<\/a> frequently, and store them securely with <a href=\"https:\/\/www.thesslstore.com\/blog\/what-is-a-hardware-security-module-hsms-explained\/\">secure hardware<\/a>.<\/td><\/tr><tr><td>3.
Opting for Less Secure Authentication Factors<\/td><td>Carelessly using magic links, OTP, SMS, push notifications, and biometrics.<\/td><td>Implement a PKI <a href=\"https:\/\/www.sectigo.com\/resource-library\/passwordless-authentication-guide\">certificate-based passwordless login<\/a> solution.<\/td><\/tr><tr><td>4. Underestimating Cybercriminals and Technology Advancements<\/td><td>Disregarding the dangers of social engineering and generative AI-based attacks.<\/td><td>Opt for reliable biometric devices\/software, certificate-based passwordless logins, backup authentication solutions, and <a href=\"https:\/\/sectigostore.com\/codeguard\/backup\">have a backup<\/a> of your key-related data.<\/td><\/tr><tr><td>5. Not Having a Plan B in Place for \u201cMurphy\u2019s Law\u201d<\/td><td>Lacking protections in case devices are stolen or lost.<\/td><td>Use <a href=\"https:\/\/sectigostore.com\/blog\/sha-256-algorithm-explained-by-a-cyber-security-consultant\/\">encryption<\/a> and <a href=\"https:\/\/www.techtarget.com\/searchmobilecomputing\/definition\/remote-wipe\">remote wipe<\/a> software, and have a secondary passwordless login solution.<\/td><\/tr><tr><td>6.
Assuming That There Won\u2019t Be Any Technical Issues Once Implemented<\/td><td>Ignoring biometric device, network connection, and software update-related issues.<\/td><td>Frequently <a href=\"https:\/\/sectigostore.com\/blog\/what-is-white-box-testing-popular-white-box-testing-techniques\/\">test<\/a> passwordless logins, and have an authentication backup and a remediation plan in place.<\/td><\/tr><tr><td>7. Neglecting Security Misconfigurations<\/td><td>Overlooking software <a href=\"https:\/\/owasp.org\/Top10\/A05_2021-Security_Misconfiguration\/\">misconfigurations<\/a> and default credentials.<\/td><td>Change default usernames, passwords, <a href=\"https:\/\/owasp.org\/www-project-developer-guide\/draft\/design\/web_app_checklist\/handle_errors_and_exceptions\/\">error messages<\/a>, and settings, and disable unused features.<\/td><\/tr><tr><td>8.
Ignoring Updates and Vulnerabilities<\/td><td>Sticking with legacy or unpatched systems and skipping vulnerability checks.<\/td><td>Keep all systems up to date and <a href=\"https:\/\/www.ibm.com\/topics\/patch-management\">patched<\/a>, and use automated security check tools like <a href=\"https:\/\/sectigostore.com\/sitelock.aspx\">SiteLock<\/a> and <a href=\"https:\/\/sectigostore.com\/website-security\/hackerguardian-pci-compliance-scanner\">HackerGuardian<\/a>.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">1. Skipping Your User\u2019s Identity Proofing<\/h3>\n\n\n\n<p>Of course, you know who your employees are. You\u2019ve personally hired Bob, and you see him nearly every day in the office. So, why should you waste time verifying his identity again before giving him access to a new app?<\/p>\n\n\n\n<p>Because if Bob works from home one day and asks for access to a new application containing sensitive information, how can you be sure that it\u2019s really Bob requesting it and not an attacker? Hint: you can\u2019t unless you verify his identity.<\/p>\n\n\n\n<p>Are we being paranoid? Maybe. But this very concern may have contributed to <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/mgm-resorts-ransomware-attack-led-to-100-million-loss-data-theft\/\">MGM\u2019s troubles and woes<\/a> in September 2023. <a href=\"https:\/\/x.com\/vxunderground\/status\/1701758864390050145\">According to VX-Underground<\/a>, an attacker impersonated an MGM employee to convince the support team to give him the credentials to access the corporate system.
<a href=\"https:\/\/www.sec.gov\/ix?doc=\/Archives\/edgar\/data\/789570\/000119312523251667\/d461062d8k.htm\">MGM reported in its SEC 8K filing<\/a> that this attack led to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A massive data breach.<\/li>\n\n\n\n<li>$100 million in earnings losses.<\/li>\n\n\n\n<li>$10 million in one-time remediation-related expenses and legal fees.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"777\" height=\"1024\" src=\"https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2024\/08\/vx-underground-mgm-social-engineering-shadow-777x1024.jpg\" alt=\"A screenshot of a tweet from VX-Underground's X channel. \" class=\"wp-image-3467\" srcset=\"https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2024\/08\/vx-underground-mgm-social-engineering-shadow-777x1024.jpg 777w, https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2024\/08\/vx-underground-mgm-social-engineering-shadow-228x300.jpg 228w, https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2024\/08\/vx-underground-mgm-social-engineering-shadow-560x738.jpg 560w, https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2024\/08\/vx-underground-mgm-social-engineering-shadow.jpg 912w\" sizes=\"auto, (max-width: 777px) 100vw, 777px\" \/><figcaption class=\"wp-element-caption\"><em>Image caption: A screenshot from VX-Underground discussing the MGM social engineering-based data breach.<\/em><\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">3 Solutions to Overcome This Passwordless Login Security Mistake<\/h4>\n\n\n\n<p>Become a doubting Thomas and prevent social engineering attacks on new accesses and password resets by:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Following identity proofing guidelines<\/strong>. 
Choose among the three identity assurance levels described in the National Institute of Standards and Technology (NIST) <a href=\"https:\/\/pages.nist.gov\/800-63-3\/sp800-63a.html\">Digital Identity Guidelines<\/a>.<\/li>\n\n\n\n<li><strong>Verifying your user\u2019s identity via a combination of different elements<\/strong>. For instance, combine face-to-face video conferences, location detection, or document verification with behavioral analytics.<\/li>\n\n\n\n<li><strong>Correctly managing digital identities<\/strong>. Ensure the digital identities of your customers and other users are properly managed, respecting data privacy and security regulations.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2. Insecurely Handling Your Certificate\u2019s Private Keys<\/h3>\n\n\n\n<p>Cryptographic <a href=\"https:\/\/sectigostore.com\/blog\/what-is-a-private-key-in-cybersecurity\/\">private keys<\/a> and the <a href=\"https:\/\/sectigostore.com\/\">digital certificate<\/a> saved on the user\u2019s device are the basis of <a href=\"https:\/\/sectigostore.com\/blog\/pki-101-all-the-pki-basics-you-need-to-know-in-180-seconds\/\">public key infrastructure<\/a> (PKI) certificate-based authentication.<\/p>\n\n\n\n<p>Here, we won&#8217;t go into the technical nitty-gritty of <a href=\"https:\/\/sectigostore.com\/blog\/what-is-pki-a-laymans-guide-to-public-key-infrastructure\/\">how PKI<\/a> and <a href=\"https:\/\/www.sectigo.com\/resource-library\/passwordless-authentication-guide\">certificate-based passwordless logins<\/a> work, but you can get an overview from the graphic below:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"508\" src=\"https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2024\/08\/passwordless-authentication-pki-basic-example-1024x508.jpg\" alt=\"A basic example of PKI
certificate-based authentication as a means of passwordless authentication\" class=\"wp-image-3468\" srcset=\"https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2024\/08\/passwordless-authentication-pki-basic-example-1024x508.jpg 1024w, https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2024\/08\/passwordless-authentication-pki-basic-example-300x149.jpg 300w, https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2024\/08\/passwordless-authentication-pki-basic-example-560x278.jpg 560w, https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2024\/08\/passwordless-authentication-pki-basic-example-940x466.jpg 940w, https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2024\/08\/passwordless-authentication-pki-basic-example.jpg 1244w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Image caption: This simplified graphic shows an overview of how PKI certificate-based passwordless authentication works. The process also involves exchanging information relating to cryptographic ciphers and keys, which are then used to establish a secure, encrypted connection.<\/em><\/figcaption><\/figure>\n\n\n\n<p>The complex validation process, together with the fact that the private key is never sent to the server, makes this one of the most secure passwordless login methods (more on this in a moment), as long as the private key remains private.
But what if it doesn&#8217;t?<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"486\" src=\"https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2024\/08\/how-stolen-keys-get-used-1024x486.jpg\" alt=\"A stolen private key can jeopardize your passwordless login security\" class=\"wp-image-3469\" srcset=\"https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2024\/08\/how-stolen-keys-get-used-1024x486.jpg 1024w, https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2024\/08\/how-stolen-keys-get-used-300x142.jpg 300w, https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2024\/08\/how-stolen-keys-get-used-560x266.jpg 560w, https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2024\/08\/how-stolen-keys-get-used-940x446.jpg 940w, https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2024\/08\/how-stolen-keys-get-used.jpg 1244w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Image caption: A stolen private key can jeopardize your passwordless login security.<\/em><\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Examples of These Passwordless Security Issues<\/h4>\n\n\n\n<p>A stolen private key and mistakes like the ones listed below could spell the end of your passwordless login security.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Storing keys in plaintext files or on unprotected servers<\/strong>. Private keys are like passwords. They shouldn&#8217;t be saved in plaintext or on unprotected servers, since anyone who can read the file has the key.<\/li>\n\n\n\n<li><strong>Using the same key for more than one server or service<\/strong>. It can be convenient, but a private key should never act as a <em>passepartout<\/em>. Imagine if it\u2019s stolen. Jackpot. The bad guy can roam free all over your network and systems undetected.<\/li>\n\n\n\n<li><strong>Sharing your keys or giving anyone access to them<\/strong>.
<a href=\"https:\/\/sectigostore.com\/blog\/how-to-set-up-ssh-without-a-password-in-linux\/\">SSH passwordless login<\/a> lets server administrators (and anyone with the same keys, including cybercriminals) access Linux servers <a href=\"https:\/\/sectigostore.com\/blog\/what-is-passwordless-ssh-a-look-at-ssh-passwordless-authentication\/\">without a password<\/a>. In this case, \u201csharing is <em>not<\/em> caring.\u201d<\/li>\n\n\n\n<li><strong>Avoiding key rotation<\/strong>. <a href=\"https:\/\/www.microsoft.com\/cms\/api\/am\/binary\/RW10qzO\">45% of businesses<\/a> surveyed by Microsoft haven&#8217;t rotated their AWS access keys in more than six months. A nonexistent or overly long key rotation period makes an attacker\u2019s work easier and increases the risk of data breaches. Unfortunately, this useful practice is often overlooked and isn\u2019t done as often as it should be.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">4 Solutions to These Passwordless Login Security Issues<\/h4>\n\n\n\n<p>Prevention is always better than cure.
Secure your passwordless logins by doing the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Store all your private keys in <a href=\"https:\/\/www.thesslstore.com\/blog\/what-is-a-hardware-security-module-hsms-explained\/\">hardware security modules<\/a> (HSMs).<\/strong> This ensures the keys are securely stored while allowing authorized users to use them for their tasks without the keys ever leaving the module.<\/li>\n\n\n\n<li><strong>Use one key for one server\/service.<\/strong> This way, if one private key is compromised, the attacker will only get access to that one server or service.<\/li>\n\n\n\n<li><strong>Minimize the chances of breaches and unauthorized access.<\/strong> You can do this by implementing access controls and limitations regarding your cryptographic keys and other secrets (i.e., the <a href=\"https:\/\/www.paloaltonetworks.com\/cyberpedia\/what-is-the-principle-of-least-privilege\">principle of least privilege<\/a>).<\/li>\n\n\n\n<li><strong>Frequently <a href=\"https:\/\/csrc.nist.gov\/glossary\/term\/key_rotation\">rotate private keys<\/a>.<\/strong> This approach is <a href=\"https:\/\/doi.org\/10.6028\/NIST.SP.800-57pt1r5\">recommended<\/a> by the National Institute of Standards and Technology (NIST).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3. Opting for Less Secure Authentication Factors<\/h3>\n\n\n\n<p>Client certificates aren&#8217;t the only authentication factor for passwordless logins. There is a broad range of other methods that can be used. But <a href=\"https:\/\/sectigostore.com\/blog\/the-pros-and-cons-of-passwordless-authentication\/\">not all of them are as secure<\/a> as they seem.
For instance:<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Magic Links<\/h4>\n\n\n\n<p>You get an email with a unique link that includes a token. When you click on it, the server verifies the token and sets a session cookie in your browser. Abracadabra! You\u2019re now signed in using a <a href=\"https:\/\/www.okta.com\/blog\/2020\/09\/magic-links\/\">magic link<\/a>.<\/p>\n\n\n\n<p>But what if the email is intercepted through a <a href=\"https:\/\/csrc.nist.gov\/glossary\/term\/man_in_the_middle_attack\">man-in-the-middle attack<\/a>? Or if a cybercriminal sends you a <a href=\"https:\/\/sectigostore.com\/blog\/what-is-a-phishing-email-5-examples-of-phishing-emails-and-how-to-avoid-them\/\">phishing email<\/a> with a phony magic link redirecting you to a malicious website? Malware infection and data breaches are just around the corner.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"358\" src=\"https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2024\/08\/magic-link-example-combo-shadow-1024x358.jpg\" alt=\"Two example screenshots of emails containing magic links that allow users to engage in a form of passwordless authentication using tokens\" class=\"wp-image-3470\" srcset=\"https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2024\/08\/magic-link-example-combo-shadow-1024x358.jpg 1024w, https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2024\/08\/magic-link-example-combo-shadow-300x105.jpg 300w, https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2024\/08\/magic-link-example-combo-shadow-560x196.jpg 560w, https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2024\/08\/magic-link-example-combo-shadow-940x328.jpg 940w, https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2024\/08\/magic-link-example-combo-shadow.jpg 1532w\" sizes=\"auto, (max-width:
1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Image caption: Two examples of magic links a colleague and I received via email.<\/em><\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">OTP, TOTP, SMS, and PINs<\/h4>\n\n\n\n<p>In July 2024, Zimperium warned that over <a href=\"https:\/\/siliconangle.com\/2024\/07\/31\/zimperium-warns-new-sms-stealer-malware-actively-intercepting-one-time-passwords\/\">600 global brands<\/a> were affected by SMS Stealer, malicious software that steals <a href=\"https:\/\/www.okta.com\/blog\/2020\/06\/what-is-a-one-time-password-otp\/\">one-time passwords<\/a> (OTPs) sent via text messages. SMS messages aren&#8217;t encrypted and can be intercepted or spoofed in no time. The video below says it all. Some developers got hold of a <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/definition\/time-based-one-time-password-TOTP\">time-based OTP<\/a> (TOTP) and used it to steal a Tesla car (please, don&#8217;t do this at home).<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Cybersecurity: Can a Tesla stop phishing and social engineering attacks?\" width=\"940\" height=\"529\" src=\"https:\/\/www.youtube.com\/embed\/7IBg5uNB7is?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Push Notifications<\/h4>\n\n\n\n<p>These are those login notifications you get on your authentication app or hardware token asking you to approve or deny access to an
app\/system with a click. It&#8217;s simple, user-friendly, and resistant to phishing (albeit the message can still be intercepted). But your device could be lost or stolen. Furthermore, believe it or not, <a href=\"https:\/\/www.reuters.com\/technology\/cybersecurity\/governments-spying-apple-google-users-through-push-notifications-us-senator-2023-12-06\/\">governments<\/a> can use push notifications to spy on you.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Biometrics<\/h4>\n\n\n\n<p>OK, hopefully, no bad guy would go as far as cutting off your finger or scooping out your eyeball to access your apps. (This isn\u2019t the movies, after all.) Yet, biometrics aren&#8217;t exempt from attacks. In the second half of 2023, iProov detected <a href=\"https:\/\/go.iproov.com\/rs\/891-TPZ-847\/images\/iProov%20Threat%20Intelligence_Report.pdf?version=0\">704% more face swap injection attacks<\/a> than in the first half. We&#8217;ll dig deeper into this in the next point. For now, let&#8217;s see how we can fix this.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Ward Off These Passwordless Login Security Issues With Certificate-Based Authentication<\/h4>\n\n\n\n<p>A PKI certificate-based passwordless login solution is your best bet against cutting-edge attacks. The authentication happens automatically without the user&#8217;s input.
Secrets are replaced by a more secure digital certificate that confirms your identity as an individual, issued by a <a href=\"https:\/\/sectigostore.com\/blog\/what-is-a-certificate-authority-certification-authorities-explained\/\">trusted certificate authority<\/a> (CA) and paired with the user&#8217;s private key.<\/p>\n\n\n\n<p>This way, attackers have nothing to phish, <a href=\"https:\/\/sectigostore.com\/blog\/what-is-sms-spoofing-how-can-you-prevent-it\/\">spoof<\/a>, or fake to gain access to your company\u2019s secrets and systems. To set up certificate-based authentication:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Purchase a <a href=\"https:\/\/sectigostore.com\/secure-email-document-signing\">personal authentication client certificate<\/a> from a trusted source.<\/strong> SectigoStore.com provides 24\/7 free support, <a href=\"https:\/\/sectigostore.com\/blog\/what-is-encryption-and-how-does-it-work\/\">strong 256-bit encryption<\/a>, and a <a href=\"https:\/\/sectigostore.com\/blog\/ecdsa-vs-rsa-everything-you-need-to-know\/\">2048-bit RSA<\/a> signature key at a bargain price.<\/li>\n\n\n\n<li><strong>Set up a scalable <a href=\"https:\/\/sectigostore.com\/enterprise\/private-pki\">Sectigo private PKI platform<\/a>.<\/strong> This will enable you to issue and manage virtually any type of private certificate for any
device. The issued certificates are trusted within your organization because your company acts as its own private CA.<\/li>\n\n\n\n<li><strong>Automate management of your certificates and keys.<\/strong> <a href=\"https:\/\/sectigostore.com\/enterprise\/sectigo-certificate-manager\">Sectigo Certificate Manager<\/a> is an intuitive platform that can help you do that with ease.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4. Underestimating Cybercriminals and Technology Advancements<\/h3>\n\n\n\n<p><a href=\"https:\/\/www.prnewswire.com\/news-releases\/cyber-attacks-are-more-sophisticated-than-ever-with-ai-powered-attacks-posing-the-greatest-risk-302098797.html\">95% of IT leaders<\/a> interviewed by Keeper Security reported that cyber attacks are becoming more sophisticated. 51% confirmed their organization suffered an artificial intelligence (AI)-powered attack in 2023.<\/p>\n\n\n\n<p>Nowadays, <a href=\"https:\/\/www.thesslstore.com\/blog\/dangers-of-generative-ai-whats-being-done-to-address-them\/\">generative AI<\/a> can be used by anyone for virtually any purpose. From translations to generating credible videos and pictures, it&#8217;s a cheap and fast solution that requires no technical skills. AI also makes generating malicious code, phishing, and <a href=\"https:\/\/www.thesslstore.com\/blog\/social-engineering-statistics\/\">social engineering attacks<\/a> practically child\u2019s play.<\/p>\n\n\n\n<p>Turning a blind eye to these threats will make your passwordless login vulnerable to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Sophisticated phishing attacks<\/strong>. Tell-tale signs of phishing messages used to be grammatical mistakes, poor spelling, and typos. Then ChatGPT came along. <em>Et voil\u00e0<\/em>.
Cybercriminals can now use it to generate grammatically correct, believable phishing emails in seconds.<\/li>\n\n\n\n<li><strong>Voice simulation<\/strong>. Microsoft <a href=\"https:\/\/arxiv.org\/pdf\/2301.02111.pdf\">demonstrated<\/a> that its new VALL-E text-to-speech AI model can simulate anyone&#8217;s voice with only three seconds of audio. Think that\u2019s bad? Real-time voice changer software is even worse. <a href=\"https:\/\/www.unite.ai\/voice-changer-tools\/\">These tools<\/a> let anyone change their voice to sound like someone else in real time and use it for <a href=\"https:\/\/sectigostore.com\/blog\/how-to-protect-your-phone-from-hackers\/\">SIM swap attacks<\/a>.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"583\" src=\"https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2024\/08\/gen-ai-tools-sim-swap-ex-shadow-1024x583.jpg\" alt=\"A basic diagram that illustrates how a SIM swapping attack can happen as the result of bad guys using generative AI tools\" class=\"wp-image-3471\" srcset=\"https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2024\/08\/gen-ai-tools-sim-swap-ex-shadow-1024x583.jpg 1024w, https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2024\/08\/gen-ai-tools-sim-swap-ex-shadow-300x171.jpg 300w, https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2024\/08\/gen-ai-tools-sim-swap-ex-shadow-560x319.jpg 560w, https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2024\/08\/gen-ai-tools-sim-swap-ex-shadow-940x535.jpg 940w, https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2024\/08\/gen-ai-tools-sim-swap-ex-shadow.jpg 1131w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Image caption: Voice simulation AI tools can facilitate SIM swap attacks.<\/em><\/figcaption><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>AI image and video<\/strong>.
Do you like playing with <a href=\"https:\/\/pages.nist.gov\/ifpc\/2020\/presentations\/26_frvt_morph_ifpc2020_ngan.pdf\">image morphing<\/a> and AI video-making tools? I&#8217;ll tell you a not-so-secret secret: <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/b\/deepfake-video-calls.html\">the bad guys like them, too<\/a>. They often use them to inject manipulated videos into authentication systems (face swap injections). Access granted!<\/li>\n\n\n\n<li><strong>Vulnerability exploitation.<\/strong> A recent study shows that ChatGPT-4 can autonomously exploit <a href=\"https:\/\/securityintelligence.com\/articles\/chatgpt-4-exploits-87-percent-one-day-vulnerabilities\/\">87% of one-day vulnerabilities<\/a> without too much effort. Yup.
ChatGPT never stops surprising us.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">3 Ways to Bypass This Passwordless Login Security Issue<\/h4>\n\n\n\n<p>Agatha Christie once said, &#8220;To every problem, there is a most simple solution.&#8221; And she was right.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Opt for high-quality and reliable biometric devices and software.<\/strong> It&#8217;ll enable you to spot and stop even the most advanced attacks.<\/li>\n\n\n\n<li><strong>Ensure you have one or more backup authentication solutions.<\/strong> This way, if one is compromised or has a vulnerability, your users can switch to another one.<\/li>\n\n\n\n<li><strong>Leverage the power of digital trust with certificate-based passwordless logins.<\/strong> <a href=\"https:\/\/www.keyfactor.com\/2024-pki-and-digital-trust-report\/\">91% of IT professionals<\/a> polled by KeyFactor in 2023 say that strong <a href=\"https:\/\/sectigostore.com\/blog\/ssh-key-management-best-practices\/\">PKI management<\/a> is key to protecting organizations from AI threats.<\/li>\n<\/ul>\n\n\n\n<p>Last but not least, always <a href=\"https:\/\/sectigostore.com\/codeguard\/backup\">back up your data<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5. 
Not Having a Plan B in Place for \u201cMurphy\u2019s Law\u201d<\/h3>\n\n\n\n<p>As the saying goes: &#8220;Anything that can go wrong will go wrong.&#8221; So, what will you do when a device is stolen or hijacked (in the case of SIM swapping) or when things simply go wrong?<br>\u00a0<br>Once a device is lost or stolen, the attacker who finds it (or steals it) can use it to bypass the passwordless login and get a free ticket to your organization\u2019s network, email, and all of your employees\u2019 accounts.<\/p>\n\n\n\n<p>Let\u2019s have a look at some recent statistics.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>In 2023, nearly <a href=\"https:\/\/www.dailymail.co.uk\/news\/article-13513079\/interactive-map-london-mobile-phone-theft-hotspots.html\">52,000 mobile devices<\/a> were stolen in London alone.<\/li>\n\n\n\n<li>The United Kingdom\u2019s Ministry of Defence (MOD) confirmed that nearly <a href=\"https:\/\/www.forcesnews.com\/cyber\/gone-missing-over-350-lost-or-stolen-devices-mod-last-year\">400 devices<\/a> were lost or stolen between November 2022 and November 2023.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6. Assuming There Won\u2019t Be Any Technical Issues Once Implemented<\/h3>\n\n\n\n<p>Technical issues or errors could impact the security, performance, or availability of any passwordless logins. 
This could negatively affect your operations and bottom line, underscoring the importance of taking steps now to prevent these issues. For example:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Biometric devices could malfunction,<\/li>\n\n\n\n<li>Network connections could fail, or<\/li>\n\n\n\n<li>A buggy software update could mess your systems up.<\/li>\n<\/ul>\n\n\n\n<p>Just look at what happened with the faulty <a href=\"https:\/\/krebsonsecurity.com\/2024\/07\/global-microsoft-meltdown-tied-to-bad-crowstrike-update\/\">Microsoft\/CrowdStrike update<\/a> in July 2024. It crippled over <a href=\"https:\/\/www.reuters.com\/technology\/microsoft-says-about-85-million-its-devices-affected-by-crowdstrike-related-2024-07-20\/\">8.5 million devices<\/a> worldwide and caused major disruptions. Class actions have been filed by <a href=\"https:\/\/www.cybersecuritydive.com\/news\/crowdstrike-class-action-suit-investors\/723053\/\">investors<\/a> and <a href=\"https:\/\/www.axios.com\/2024\/08\/06\/crowdstrike-lawsuit-travel-disruption-outage\">travelers<\/a>. 
OK, maybe a sloppy update won&#8217;t cause the same level of damage to your passwordless login security solution, but you get the picture.<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Some bad code just broke a billion Windows machines\" width=\"940\" height=\"529\" src=\"https:\/\/www.youtube.com\/embed\/4yDm6xNeYas?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Dodge This Passwordless Login Security Error by Implementing These 3 Solutions<\/h4>\n\n\n\n<p>Mitigate future risks and maximize login availability for your users by:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Frequently <a href=\"https:\/\/sectigostore.com\/blog\/what-is-white-box-testing-popular-white-box-testing-techniques\/\">testing<\/a> all passwordless login methods and systems used.<\/strong> Monitoring systems will let you immediately spot and fix anomalies and potential issues.<\/li>\n\n\n\n<li><strong>Running a risk assessment and using the outcome to generate an action plan. 
<\/strong>The <a href=\"https:\/\/sectigostore.com\/blog\/5-smb-takeaways-from-the-nist-cybersecurity-framework-2-0\/\">NIST Cybersecurity Framework<\/a> (NIST CSF 2.0) is an excellent resource full of tips and best practices that can be applied even to small and medium businesses.<\/li>\n\n\n\n<li><strong>Having backup passwordless login methods in place.<\/strong> This is <em>The Lord of the Rings\u2019<\/em> Ruling Ring of passwordless login security: one solution to help you minimize all issues (or, at least, most of them).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7. Neglecting Security Misconfigurations<\/h3>\n\n\n\n<p>Passwordless login solutions are like the latest Tesla car: technologically advanced, powerful, and sporting a ton of awesome features. Yes, you can have the best authentication method and technology, but if it is incorrectly configured, it&#8217;ll be useless and put you and your whole organization in danger.<\/p>\n\n\n\n<p>In fact, the 2021 OWASP Top 10 ranks security misconfiguration as the <a href=\"https:\/\/owasp.org\/Top10\/A05_2021-Security_Misconfiguration\/\">fifth most critical<\/a> web application security risk. The following can put you at risk of malware infection:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Application and software misconfigurations,<\/li>\n\n\n\n<li>Using default configuration settings, and<\/li>\n\n\n\n<li>Sticking to manufacturer authentication credentials.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">3 Ways to Prevent These Login Security Errors<\/h4>\n\n\n\n<p>Did you know that some manufacturers publish how-to guides explaining how to find their products\u2019 default usernames and passwords? 
So:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Change all applications&#8217; and systems&#8217; default usernames and passwords.<\/strong> Never, ever run with the defaults \u2014 doing so is setting yourself up for a headache.<\/li>\n\n\n\n<li><strong>Personalize your passwordless login settings.<\/strong> <a href=\"https:\/\/owasp.org\/www-project-developer-guide\/draft\/design\/web_app_checklist\/handle_errors_and_exceptions\/\">Error messages<\/a> should be concise so they don&#8217;t leak useful information or tip attackers off to flaws that can be exploited.<\/li>\n\n\n\n<li><strong>Disable all unused\/unnecessary features, components, and frameworks.<\/strong> It&#8217;ll reduce the attack surface.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8. Ignoring Updates and Vulnerabilities<\/h3>\n\n\n\n<p>In Q1 2024, <a href=\"https:\/\/www.cve.org\/About\/Metrics\">8,697 new Common Vulnerabilities and Exposures<\/a> (CVEs) were discovered. That\u2019s over 1,600 more than in Q1 2023. We get it. Testing and installing patches can be boring and time-consuming tasks that don\u2019t generate profit for your company. But it\u2019s a necessary function that ensures the security and reliability of your software products and services.<\/p>\n\n\n\n<p>Unpatched software and unaddressed vulnerabilities can have disastrous consequences, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Data breaches,<\/li>\n\n\n\n<li>Reputation damage, and<\/li>\n\n\n\n<li><a href=\"https:\/\/sectigostore.com\/blog\/data-privacy-laws-ccpa-hipaa-gdpr-glba-lgpd\/\">Compliance fines<\/a> and penalties.<\/li>\n<\/ul>\n\n\n\n<p>And it doesn&#8217;t matter if those flaws are old and well known. 
A 2023 study revealed that <a href=\"https:\/\/www.businesswire.com\/news\/home\/20230216005161\/en\/76-of-Vulnerabilities-Currently-Exploited-by-Ransomware-Groups-Were-Discovered-Before-2020-Report-Finds\">76% of vulnerabilities<\/a> used today as entry points by attackers were discovered between 2010 and 2019.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">3 Tactics to Prevent This Passwordless Login Security Issue From Happening Again<\/h4>\n\n\n\n<p>To prevent this passwordless security mistake:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Promptly install all software updates.<\/strong> Patches and updates are only as good as the speed at which you apply them. As we saw with the WannaCry situation years ago, leaving your systems\u2019 vulnerabilities unpatched puts your devices and data at risk of compromise.<\/li>\n\n\n\n<li><strong>Regularly test your systems<\/strong>. Proactively identify and fix vulnerabilities through continuous testing and a robust <a href=\"https:\/\/www.ibm.com\/topics\/patch-management\">patch management strategy<\/a>.<\/li>\n\n\n\n<li><strong>Proactively look for security issues<\/strong>. 
<a href=\"https:\/\/sectigostore.com\/blog\/how-to-perform-a-website-security-check\/\">Check your systems for flaws<\/a> using automated security check tools like <a href=\"https:\/\/sectigostore.com\/sitelock.aspx\">SiteLock<\/a> and <a href=\"https:\/\/sectigostore.com\/website-security\/hackerguardian-pci-compliance-scanner\">HackerGuardian<\/a>.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"488\" height=\"650\" src=\"https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2024\/08\/vulnerability-scan-example-shadow.png\" alt=\"A screenshot of a SiteLock vulnerability scan\" class=\"wp-image-3472\" srcset=\"https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2024\/08\/vulnerability-scan-example-shadow.png 488w, https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2024\/08\/vulnerability-scan-example-shadow-225x300.png 225w\" sizes=\"auto, (max-width: 488px) 100vw, 488px\" \/><figcaption class=\"wp-element-caption\"><em>Image source: <a href=\"https:\/\/sectigostore.com\/sitelock.aspx\">Sectigostore.com<\/a>. The screenshot shows an example of a SiteLock automated vulnerability scan.<\/em><\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Final Thoughts About 8 Passwordless Login Security Mistakes to Avoid<\/h2>\n\n\n\n<p>An error-free implementation of passwordless login solutions will enable your organization to mitigate the risks of using a conventional ID and password. They&#8217;ll also improve your applications&#8217; user experience and help you save money in the long term by eliminating time-consuming and costly operations such as password resets.<\/p>\n\n\n\n<p>We hope this article will help you avoid the most common passwordless login security mistakes so that you can fully enjoy the benefits of this technology. 
Implement it on your websites, applications, software, and devices.<\/p>\n\n\n\n<div class=\"wp-block-advanced-gutenberg-blocks-notice is-variation-advice has-icon\" data-type=\"advice\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><path d=\"M14 9V5a3 3 0 0 0-3-3l-4 9v11h11.28a2 2 0 0 0 2-1.7l1.38-9a2 2 0 0 0-2-2.3zM7 22H4a2 2 0 0 1-2-2v-7a2 2 0 0 1 2-2h3\"><\/path><\/svg><p class=\"wp-block-advanced-gutenberg-blocks-notice__title\">Pro Tip<\/p><p class=\"wp-block-advanced-gutenberg-blocks-notice__content\">Get the ultimate protection and achieve a seamless user experience by implementing certificate-based passwordless logins.<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Identity Defined Security Alliance (IDSA) reports that nearly 85% of identity stakeholders were directly impacted by identity-related security incidents in 2023. 
Protect your data and systems by learning eight passwordless&#8230;<\/p>\n","protected":false},"author":23,"featured_media":3466,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[13],"tags":[136,300],"class_list":["post-3463","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyber-security","tag-passwordless-authentication","tag-passwordless-logins","post-with-tags"],"yoast_head_json":{"title":"8 Passwordless Login Security Mistakes and How to Avoid Them - InfoSec Insights","description":"Implement passwordless security like a pro by exploring eight of the most common passwordless login security mistakes and how to fix them.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/sectigostore.com\/blog\/passwordless-login-security-mistakes-and-how-to-avoid-them\/","og_locale":"en_US","og_type":"article","og_title":"8 Passwordless Login Security Mistakes and How to Avoid Them - InfoSec Insights","og_description":"Implement passwordless security like a pro by exploring eight of the most common passwordless login security mistakes and how to fix them.","og_url":"https:\/\/sectigostore.com\/blog\/passwordless-login-security-mistakes-and-how-to-avoid-them\/","og_site_name":"InfoSec Insights","article_published_time":"2024-08-20T11:00:00+00:00","og_image":[{"width":1600,"height":1000,"url":"https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2024\/08\/passwordless-login-security-mistakes-feature.jpg","type":"image\/jpeg"}],"author":"Nadia Bonini","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Nadia Bonini","Est. 
reading time":"15 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/sectigostore.com\/blog\/passwordless-login-security-mistakes-and-how-to-avoid-them\/#article","isPartOf":{"@id":"https:\/\/sectigostore.com\/blog\/passwordless-login-security-mistakes-and-how-to-avoid-them\/"},"author":{"name":"Nadia Bonini","@id":"https:\/\/sectigostore.com\/blog\/#\/schema\/person\/f4ce6500b99e7563f71f0d1d6394f135"},"headline":"8 Passwordless Login Security Mistakes and How to Avoid Them","datePublished":"2024-08-20T11:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/sectigostore.com\/blog\/passwordless-login-security-mistakes-and-how-to-avoid-them\/"},"wordCount":3071,"image":{"@id":"https:\/\/sectigostore.com\/blog\/passwordless-login-security-mistakes-and-how-to-avoid-them\/#primaryimage"},"thumbnailUrl":"https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2024\/08\/passwordless-login-security-mistakes-feature.jpg","keywords":["passwordless authentication","passwordless logins"],"articleSection":["Cyber Security"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/sectigostore.com\/blog\/passwordless-login-security-mistakes-and-how-to-avoid-them\/","url":"https:\/\/sectigostore.com\/blog\/passwordless-login-security-mistakes-and-how-to-avoid-them\/","name":"8 Passwordless Login Security Mistakes and How to Avoid Them - InfoSec 
Insights","isPartOf":{"@id":"https:\/\/sectigostore.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/sectigostore.com\/blog\/passwordless-login-security-mistakes-and-how-to-avoid-them\/#primaryimage"},"image":{"@id":"https:\/\/sectigostore.com\/blog\/passwordless-login-security-mistakes-and-how-to-avoid-them\/#primaryimage"},"thumbnailUrl":"https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2024\/08\/passwordless-login-security-mistakes-feature.jpg","datePublished":"2024-08-20T11:00:00+00:00","author":{"@id":"https:\/\/sectigostore.com\/blog\/#\/schema\/person\/f4ce6500b99e7563f71f0d1d6394f135"},"description":"Implement passwordless security like a pro by exploring eight of the most common passwordless login security mistakes and how to fix them.","breadcrumb":{"@id":"https:\/\/sectigostore.com\/blog\/passwordless-login-security-mistakes-and-how-to-avoid-them\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/sectigostore.com\/blog\/passwordless-login-security-mistakes-and-how-to-avoid-them\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/sectigostore.com\/blog\/passwordless-login-security-mistakes-and-how-to-avoid-them\/#primaryimage","url":"https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2024\/08\/passwordless-login-security-mistakes-feature.jpg","contentUrl":"https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2024\/08\/passwordless-login-security-mistakes-feature.jpg","width":1600,"height":1000,"caption":"Feature image for the article on passwordless login security mistakes and how to address them"},{"@type":"BreadcrumbList","@id":"https:\/\/sectigostore.com\/blog\/passwordless-login-security-mistakes-and-how-to-avoid-them\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/sectigostore.com\/blog\/"},{"@type":"ListItem","position":2,"name":"8 Passwordless Login Security Mistakes and How to Avoid 
Them"}]},{"@type":"WebSite","@id":"https:\/\/sectigostore.com\/blog\/#website","url":"https:\/\/sectigostore.com\/blog\/","name":"InfoSec Insights","description":"SectigoStore.com Blog","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/sectigostore.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/sectigostore.com\/blog\/#\/schema\/person\/f4ce6500b99e7563f71f0d1d6394f135","name":"Nadia Bonini","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/871770d58b7b0abd48f90fb2f9643895c766b7ab6c1d4fa58e3651941cdc9e63?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/871770d58b7b0abd48f90fb2f9643895c766b7ab6c1d4fa58e3651941cdc9e63?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/871770d58b7b0abd48f90fb2f9643895c766b7ab6c1d4fa58e3651941cdc9e63?s=96&d=mm&r=g","caption":"Nadia Bonini"},"description":"Nadia is a technical writer with more than 15 years of experience in IT, software development projects, email and cybersecurity. She has worked for leaders in the IT industry and Fortune 500 companies. A Certified CSPO mail application security product owner and a former application security engineer, she also works as a professional translator. 
She is a big fan of Ubuntu, traveling and Japan."}]}},"_links":{"self":[{"href":"https:\/\/sectigostore.com\/blog\/wp-json\/wp\/v2\/posts\/3463","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sectigostore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sectigostore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sectigostore.com\/blog\/wp-json\/wp\/v2\/users\/23"}],"replies":[{"embeddable":true,"href":"https:\/\/sectigostore.com\/blog\/wp-json\/wp\/v2\/comments?post=3463"}],"version-history":[{"count":0,"href":"https:\/\/sectigostore.com\/blog\/wp-json\/wp\/v2\/posts\/3463\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sectigostore.com\/blog\/wp-json\/wp\/v2\/media\/3466"}],"wp:attachment":[{"href":"https:\/\/sectigostore.com\/blog\/wp-json\/wp\/v2\/media?parent=3463"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sectigostore.com\/blog\/wp-json\/wp\/v2\/categories?post=3463"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sectigostore.com\/blog\/wp-json\/wp\/v2\/tags?post=3463"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}