passwordless

It’s Passwords, All the Way Down

We seem enamored with the idea of a ‘passwordless’ society. Not just because it would be an indicator of secure networks, but because trying to keep track of tens of unique, complex passwords is not ideal. There has been plenty of industry and media buzz around the concept of passwordless authentication strategies.

Particular attention is paid to strategies like biometrics—which includes fingerprint or retina scanning—as well as pin codes and one-time passwords (OTPs), and also physical tokens. On the surface, these authentication methods seem to provide a security strategy that doesn’t require a user to remember strings of characters for their passwords. However, this is deceiving. A passwordless system is really a mirage. As pointed out here, “when you dig deeper, these passwordless solutions are still reliant on passwords.”

One Layer Down: Things Look the Same

Many smartphone users have come to rely on Touch ID or similar systems for individual apps as their way of rapidly accessing their phone, accounts, or method of payment. Unfortunately, there are many circumstances in which fingerprint ID fails. This includes common situations like finger positioning, debris or liquid on a fingertip, or an issue with the button.

As most users will know from experience, when you can’t use your fingerprint easily, you’re prompted instead to enter your password. Sounds simple, but the reality of the situation is dangerous. Even if you have a fingerprint ID for every system, the security is only as strong as your ‘backup’ password.

Second Layer Down: Still the Same

A second aspect of the mirage is that passwords are used by IT administration even when the hardware or other ‘passwordless’ solutions are used on the ‘front end’. At some point in the security chain – for example, if an employee loses or damaged their access token – the security administrator who is responsible for returning access to employees will probably log on to their computer with a password.

When the data is analyzed on the back end of the system, security and IT personnel log in with credentials of their own. This means that even if employees are using hardware to access space or accounts, the system’s actual security is still reliant upon password strength.

But What’s the Issue, Anyway?

Due to the sheer frequency of data breaches, people tend to think passwords are liable for most wide-scale security issues. But the truth isn’t necessarily passwords failingus. It’s a fact that individuals re-use passwords all the time. Once a user’s credentials have been stolen from one account, they are often leaked on the dark web and sold to other hackers.

But password use—in contrast to hardware and biometrics—still appeal to many enterprises in all industries. Not only are passwords the most entrenched and familiar authentication method, but they are an affordable and scalable option for organizations. Credentials can be used cross-device, operating system, and application update status with no compatibility issues. This has proven to be invaluable during the pandemic when many businesses were forced online, and their employees forced to work from home.

If a business wanted to dash towards the oasis of passwordless functionality, by investing in new hardware (security tokens of some kind), biometric security (retina scanning at the front door of the office), or other systems, they would have to revamp their security budgets, as well as their security policies. Then, they would find that the lovely oasis was just another dune.

Better the Devil You Know

The passwordless future is still far off. It’s expensive, complex, and currently a mirage. However, hardening the existing password layer is logical, cost-effective, and straightforward. There are several strategies enterprises can take. The most important and time-sensitive choice is to employ the policy of checking passwords against a blacklist of compromised credentials. This solution requires a real-time continuous check of passwords to detect if and when credentials become unsafe.

Keep it Real

Despite the techy dreams of a passwordless world, for the moment it’s important to keep our collective feet on the ground. Passwords aren’t going anywhere anytime soon. Knowing this, governments, health care organizations, and businesses must take action and protect their password layers. Finding a company committed to protecting accounts through compromised password detection might even be easier than you think.