There’s a lot of hype… and still just as many passwords.
The hype around passwordless authentication continues. Society loves the high-tech opportunities that a ‘passwordless’ future hints at.
But thereality is that passwords aren’t going anywhere, and there are several reasons why.
When it comes to authentication, we’re talking about a way of verifying your identity so that you can access your account. Authentication factors fall into three categories: something you know (like a PIN or password), something you have (like a fob or token), or something you are (like your fingerprint or your face).
The ‘passwordless’ solutions offers are described as cure-alls, but they are just different options, with their own flaws. One-time passwords (OTPs), SMS or app-generated codes, and biometrics are already being used—and one thing’s for sure: they are not safer than passwords.
And, unfortunately, current passwordless authentication is… A myth. Here’s why:
The most common biometric authentication methods are facial recognition and fingerprint scanning. However, not only can things like voice and fingerprints be faked, but you can easily do something like burn your finger or lose your voice—and then have a difficult time accessing your device or account. So, what happens when something goes wrong, and biometrics won’t work?
You’re asked for your password.
The same goes for devices using OTPs or app-based authentication. If you lose your mobile device, or someone steals it, you’re in hot water. An attacker who gets their hands on your phone can use it to intercept all OTPs and links that are sent, and use them to confirm that they are the rightful owner of the accounts already associated with the phone. In order to gain access to your accounts without access to your device, you would have to access those accounts with your password, and then update your phone number (if it’s not already too late).
…Including IT Professionals
The other deceiving idea about ‘passwordless’ authentication has to do with the back end of systems. Passwords are used by IT administration even when the hardware or other ‘passwordless’ solutions are used on the ‘front end’. At some point in the security chain – for example, if an employee loses an access token – the administrator will access their computer with a password.
Even though we might perceive a system as passwordless because some people use a different authentication factor, the system’s actual security is still reliant upon passwords and password strength.
Due to the frequency of data breaches and ransomware attacks populating the headlines, people tend to think passwords are liable for most cybersecurity issues. But the truth is that passwords aren’t failing us—our habits are. The majority of people create weak passwords or reuse passwords across their devices and accounts. Once one data breach has occurred, it’s easy for cyber criminals to leak credentials online or on the dark web, and a chain reaction of negative consequences can unfold.
It could make the user experience less complicated (it’s hard to remember 80 unique passwords, and annoying to constantly be requesting changes). No passwords would also mean we wouldn’t have to worry so much about password theft. It would essentially take the venom out of many of the typical types of password-based attacks, like brute force and password spraying attacks.
But there are other cost effective and realistic ways of preventing cyber attacks. A passwordless society isn’t a reality, and it won’t be for a long time yet. Governments, health care organizations, and businesses must strengthen the password layer.
Make detecting and eliminating compromised passwords in Active Directory easy with a simple plug-in. Start protecting for free.
Try Now