By Joshua Parsons, Product Marketing Manager, Enzoic
With data breaches commonplace and passwords often found to be the root cause, security teams are seeking password alternatives to help enhance their cyber defenses. This has resulted in a growing number of options including single sign-on (SSO), multifactor authentication (MFA), and passwordless authentication.
These new authentication options are thought to be the answer to the myriad of issues with passwords. A user no longer needs to remember a complicated password; instead, authentication happens using something they own, know, or are. Examples of this include a hardware token, a smartphone, a one-time password (OTP), or a biometric marker like a fingerprint.
Apple, Google and Microsoft are among those pushing for a passwordless future, and the aforementioned alternatives are gathering momentum. The notion of removing much of the current friction with authentication is certainly appealing; however, it’s a little premature to think that passwords will suddenly be unnecessary. Once you look under the hood of many passwordless solutions, you will frequently find a password still underlies authentication.
So, let’s explore where passwords are still in play.
Passwords as a Fail Safe
If you use Apple devices, then you’ve probably run into issues with Touch ID. For example, if there is debris on the sensor or a system-related issue, then Touch ID will no longer work. When that happens, you have to enter your password. Therefore, even if you use Touch ID, the security of every app is still dependent on a password. With biometrics increasingly prevalent in the digital ecosystem, these challenges are not limited to Apple products. As a result, having a password as a backup for biometric authentication will remain.
Authenticating on the Back End
Another reason why passwords are lingering is that credentials are still needed to authenticate the system at some point in the security chain. For instance, if you use a biometric method to enter a physical office and it fails to read the marker, the system defaults to a unique access code. However, when the IT administrator logs in to analyze the data and they are using a password without an associated solution to ensure the integrity of their credentials, then the system’s overall security is still reliant on a potentially compromised password.
Passwordless Smoke and Mirrors
These examples demonstrate that passwordless authentication–while desirable–is not yet a reality. However, this is not the method’s only flaw. Biometrics and other invisible security strategies have some additional challenges, including:
- Cost Constraints
Harnessing many of these new authentication technologies often requires updating laptops and other device hardware. Therefore, it will take a significant investment of time and money before organizations can ensure that all employees have equipment with biometric scanners built in.
- Integration Hurdles
Implementing a passwordless system may require overcoming incompatibility with legacy technologies. For organizations with numerous users, multiple apps, hybrid infrastructures, and complex logins, converting these systems would take significant resources. This seems daunting when compared to the status quo, considering the existing interoperability of complex systems and the ease of using passwords.
- Lack of Flexibility
A password can be easily changed, altered, and updated, but this is not the case with passwordless solutions. For example, if there is a breach and users’ data is exposed in systems that rely on voice signatures or a retinal scan, you can not create or reset a biometric marker. Furthermore, as deep-fake technology becomes more prevalent, it will be even easier for bad actors to capture and reuse people’s biometric identifiers.
As passwordless solutions become more commonplace, hackers will look for any opportunity to exploit vulnerabilities. Combating this threat will place an additional burden on overworked security teams.
The Password Problem
The problems with passwords are well documented, from weak credentials to pervasive reuse. Given that passwords are here to stay, organizations should shift their attention away from the passwordless mirage and instead focus on modernizing their password protection strategy.
Screening passwords against a live database of compromised credentials at every login is essential in a world where data breaches are a perpetual threat. Regardless of whether a password is used as a backup or as a means of primary authentication, it’s critical that companies are continuously monitoring for the use of exposed credentials. Enzoic’s dynamic compromised credential screening solution allows companies to automate the entire process, rapidly and efficiently improving security. Because the database is automatically updated multiple times per day, companies have peace of mind that their password security is automatically evolving to address the latest breach intelligence without requiring manual work from the IT department.
Screening credentials at their creation, as well as continuously monitoring their integrity thereafter, is an important component of a modern approach to password security. Should a previously safe password become compromised, organizations can automate the appropriate action—for example, forcing a password reset at the next login or shutting down access entirely until IT investigates the problem.
Passwordless solutions will continue to emerge, and organizations should explore the different options. However, they must recognize that passwords will remain a vital part of the authentication mix for the foreseeable future and should be secured accordingly.
Find out more about Enzoic’s dynamic password threat intelligence and how it can help strengthen password hygiene here.
About the Author
Joshua J. Parsons is the Product Marketing Manager at Enzoic, where he leads the development and execution of strategies to bring innovative threat intelligence solutions to market. He has had a lifelong interest in digital innovation and how it can be used to protect individuals and organizations from ever-changing cyber threats. A strong believer in giving back to the community, Joshua serves as a mentor to those interested in information security and marketing through his alma mater, the University of Michigan. Outside of work, he can be found at the nearest bookstore or exploring the city’s local coffee scene.
Joshua can be reached online on Linkedin (linkedin.com/in/jjparson) and at our company website http://www.Enzoic.com/