What’s holding APAC back from passwordless access? – Part 1

Image created by DALL·E 3.

The true cost of a data breach can no longer be ignored by enterprises. Public companies suffered an average net income drop of 73% nearly one year after reporting a cyberattack, according to an ExtraHop study. In addition, affected businesses spent over US$1 billion each in regulatory fines, legal fees, and multiple settlements. 

Given the current digital economy, where there is an app for almost every product or service, hackers have targeted consumers who still rely on passwords to log onto their accounts. According to the FIDO Alliance’s 2023 Online Authentication Barometer, password usage without two-factor authentication is still dominant across use cases globally, with consumers entering passwords manually about four times a day, or 1,280 times a year.

Given the choice, many consumers want stronger authentication methods; biometrics are widely believed to be the most secure and were therefore the most favoured choice among surveyed respondents.

Worldwide, there have been successful use cases of various passwordless authentication methods to significantly reduce the reliance on passwords. In Asia-Pacific, businesses and governments are jointly finding ways to boost industry-wide passwordless adoption. However, many challenges remain, both at a macro level, and on the ground. 

Meanwhile, the clock is ticking as cybercriminals are increasingly leveraging artificial intelligence to level up their phishing and ransomware attacks.

This first of a two-part report covers Vietnam, Singapore, and South Korea.

Vietnam makes a stand

During the FIDO APAC Summit 2023 held in Nha Trang, Khánh Hòa Province, Vietnam last August, the country’s Ministry of Information and Communications (MIC) announced its participation as the 10th government-level member of open-industry association FIDO Alliance.

Vietnam is seeing a number of persistent cyberthreats, chief among them phishing attacks, noted Hieu Minh Ngo, Threat Hunter at the National Cyber Security Center (NCSC) of Vietnam, and founder of cybersecurity non-profit Chongluadao.vn.

Hieu Minh Ngo, Threat Hunter, National Cyber Security Center (NCSC) of Vietnam; Founder, Chongluadao.vn. Image courtesy of the FIDO Alliance.

“Social engineering methods like manipulation and mimicry are frequently employed to trick people. Even threat actors are taking advantage of AI, such as deepfake for malicious activities. In recent years, ransomware and malware attacks have increased in Vietnam. Cybercriminals use these dangerous programs to breach systems and extort money from people or businesses. It’s also crucial to mention that Vietnamese users still often download pirated software or movies, leading to many cyberthreats,” he observed.

According to the cybersecurity expert, who is a former blackhat hacker, passwordless authentication has been effective in thwarting phishing attacks.

The reason for this, Hieu explained, is that passwordless authentication techniques such as FIDO2 and WebAuthn are built on cryptographic protocols. They use public-key cryptography: the user’s device holds a private key and the server stores the matching public key, and the device proves who the user is by signing a challenge from the server, which the server checks against that public key.

Since the private key never leaves the user’s device, there is no shared secret for a phishing page to capture, and because the signed response also records which website requested it, a response produced on a look-alike site is rejected by the real service.

“Phishing attacks usually focus on deceiving consumers into entering their credentials on malicious websites or forms that appear legitimate. Without passwords in the authentication process, phishing attempts to obtain passwords prove futile. Passwordless authentication often includes extra user verification elements such as biometrics (e.g., fingerprint or face recognition) or hardware tokens. These features add an additional layer of protection and make it more difficult for attackers to mimic users using phishing methods,” he elaborated.

Hieu also identified four other cybersecurity challenges in the country:

  • Advanced persistent threats (APTs): These state-sponsored cyberattacks target Vietnamese government institutions, defence contractors, and businesses to steal private data or interfere with vital infrastructure.
  • Insider threats: Instances where workers or trusted persons abuse their access to harm an organisation. This can involve disclosing private information or stealing intellectual property.
  • Vulnerabilities in IoT devices: Cybercriminals exploit inadequate security measures and weaknesses in these devices. Common issues include failing to upgrade IoT device firmware, not changing default passwords, or using outdated or obscure IoT brands.
  • Shortage of skilled cybersecurity talent: This gap hinders effective defence against sophisticated cyberattacks.

Simon Trac Do, CEO of cybersecurity firm VinCSS, remarked that while there is growing appreciation for passwordless use in Vietnam, much has yet to be done in educating people and businesses about its necessity.

Simon Trac Do, Chief Executive Officer, VinCSS. Image courtesy of the FIDO Alliance.

“There are concerns about the security of passwordless authentication solutions, which can discourage some businesses from adopting them. Some businesses still prefer the traditional password-based authentication method because they believe it is more secure,” he said.

The Chief Executive also noted the lack of a regulatory framework in Vietnam to support the adoption of passwordless authentication, which he hopes will be remedied by the country’s decision to join the FIDO Alliance.

“By joining the alliance, Vietnam has demonstrated its commitment to improving cybersecurity measures, safeguarding its citizens from cybercrime, as well as supporting innovative enterprises in this field. With Vietnam’s participation in the FIDO Alliance, there is an expectation that more organisations in the country will adopt FIDO’s standards, making it more difficult for cybercriminals to operate,” Trac Do said.

Singapore wants digital identity secure

Meanwhile in Singapore, the vision is a digital-first country, wherein digital government, digital economy, and digital society harness technology to effect transformation in health, transport, urban living, government services, and businesses.

Key to achieving this is the success of Singapore’s national digital identity programme, said Eric Chang, Principal Solution Architect, National Digital Identity, Government Technology Agency (GovTech) Singapore.

As early as 2018, the Singaporean government was already trying to move away from passwords, with the launch of the SingPass beta. The mobile app leveraged a new authentication form factor based on QR codes.

Then in 2020, Singapore launched its National Digital ID program, redefining the concept of digital identity beyond being just a government identity and access management platform.

Eric Chang, Principal Solution Architect, National Digital Identity, Government Technology Agency (GovTech) Singapore. Image courtesy of the FIDO Alliance.

“Our aim is to provide SingPass accounts to all Singaporeans and permanent residents aged 15 years and above. The accounts, coupled with SingPass authentication platform, can be used to identify users with high assurance levels in the digital world, allowing safe and secure end-to-end transactions between companies, government bodies, and even between countries,” Chang said.

In the same year, facial verification was introduced as an authentication method for SingPass, due to rising online scams targeting users of the government portal. To make SingPass more secure, the government is now studying the incorporation of phishing-resistant form factors, such as FIDO passkeys. 

“With automated domain verification and proximity checks between the authenticator and clients, coupled with good frontend analytics, we believe that FIDO can be the tipping point in our fight against scams,” the GovTech representative said.

To drive passkey adoption in the country, GovTech proposes the following measures:

  • Starting with the government, generate support for passkeys alongside second-factor authentication, and educate users on creating and managing passkeys.
  • Pilot with private-sector organisations that already use Singpass services, extending protection to their customers.
  • Influence more private companies to adopt passkeys as a safer form of authentication.
  • Regulatory bodies should create policies mandating a high-assurance authentication factor for high-value or high-impact transactions.

South Korea pushing for passkeys

While a total elimination of passwords is improbable due to the need for backward compatibility and varying user adaptability, reducing dependency on them is feasible. This is especially true in the case of South Korea, where hacking remains the paramount cyberthreat.

“Hacking affects individuals, businesses, and government entities. Hackers often favour the path of least resistance, typically targeting user credentials over trying to penetrate sophisticated security systems,” noted Jaebeom Kim, Principal Researcher for South Korea’s Telecommunications Technology Association (TTA). 

While there is a lack of data on passwordless adoption in the country, the closest figures available would be about social logins, the cybersecurity expert said.

Jaebeom Kim, Principal Researcher, Telecommunications Technology Association (TTA). Image courtesy of the FIDO Alliance.

“Based on a 2019 consumer survey by The Voice for Consumers, which included 700 smartphone users, Naver leads with a 51.2% usage rate, followed by Kakao at 39.8%. Facebook and Google trail behind at 7.9% and 1.2%, respectively. These figures likely remain consistent today. Social logins, particularly via mobile apps, offer a seamless app-to-app login experience, contributing to their popularity,” Kim continued.

Beyond social logins, South Koreans use electronic signatures rooted in PKI for critical transactions, particularly for the finance and government sectors, while FIDO protocol-based methods are also gaining traction.

Then, there’s the widespread use of password managers, which, although not inherently passwordless, offer a user experience akin to passwordless systems. According to Kim, this should be acknowledged as part of the passwordless ecosystem.

In April 2023, SK Telecom adopted FIDO-based passkeys for its PASS app, replacing its previous password-based authentication method. As per Kim, Samsung is soon to follow suit with passkey adoption. 

“The critical element moving forward is biometric security, as passkeys combined with biometrics offer a stronger security posture. However, potential vulnerabilities, like spoofed biometrics, highlight the ongoing need for robust security measures,” Kim said.

For its part, the TTA is actively promoting secure passwordless solutions, with a focus on developing passkey testing and evaluation methodologies. 

“By emphasising the creation of secure service provider operations and end-user environments, TTA is spearheading efforts to fortify biometric authentication. Its initiatives are pivotal in counteracting the growing security threats in the digital landscape, leveraging its expertise in biometric security to support the broader adoption of passwordless technologies in South Korea,” Kim concluded.

The second of this two-part report can be read here.