
We seem enamored with the idea of a ‘passwordless authentication’ society. Not just because it would be an indicator of secure networks, but because trying to keep track of tens of unique, complex passwords is not ideal. There has been plenty of industry and media buzz around the concept of passwordless authentication strategies.

Particular attention is paid to strategies like biometrics security—which includes fingerprint or retina scanning—as well as pin codes and one-time passwords (OTPs), and also physical tokens. On the surface, these authentication methods seem to provide a password security strategy that doesn’t require a user to remember strings of characters for their passwords. However, this is deceiving. A passwordless authentication system is really a mirage. As pointed out here, “When you dig deeper, these passwordless solutions are still reliant on passwords.”

Biometric Security: Promise or Mirage?

Many smartphone users have come to rely on Touch ID or similar biometric security systems for individual apps as their way of rapidly accessing their phone, accounts, or method of payment. Unfortunately, there are many circumstances in which fingerprint ID fails. This includes common situations like finger positioning, debris or liquid on a fingertip, or an issue with the button, necessitating a fallback to traditional password security measures.

As most users will know from experience, when biometric authentication fails, you’re prompted instead to enter your password, highlighting the continued reliance on traditional password security. It sounds simple, but the reality of the situation is dangerous. Even if you have a fingerprint ID for every system, the security is only as strong as your ‘backup’ password.

Password Security Challenges

A second aspect of the mirage is that passwords are still used by IT administration even when hardware tokens or other ‘passwordless authentication’ solutions are used on the ‘front end’. At some point in the security chain – for example, if an employee loses or damages their access token – the security administrator who is responsible for restoring that employee’s access will probably log on to their own computer with a password.

When the data is analyzed on the back end of the system, security and IT personnel log in with credentials of their own. This means that even if employees are using hardware to access space or accounts, the system’s actual security is still reliant upon traditional password security measures and password strength.

Compromised Credentials: The Silent Threat

Due to the sheer frequency of data breaches, people tend to think passwords are responsible for most wide-scale security issues. But the truth isn’t necessarily that passwords are failing us. It’s a fact that individuals reuse passwords all the time. Once a user’s credentials have been stolen from one account, they are often leaked on the dark web and sold to other hackers. These compromised credentials then become a major security risk, enabling attackers to breach other accounts that use the same password.

However, password use —in contrast to hardware and biometrics security— still appeals to many enterprises in all industries. Not only are passwords the most entrenched and familiar authentication method, but they are an affordable and scalable option for organizations. Credentials work across devices, operating systems, and application versions with no compatibility issues. This has proven to be invaluable during the pandemic, when many businesses were forced online and their employees forced to work from home.

If a business wanted to dash towards the oasis of passwordless authentication by investing in new hardware (security tokens of some kind), biometric security (retina scanning at the front door of the office), or other systems, they would have to revamp their security budgets, as well as their security policies. Then, they would find that the lovely oasis was just another dune.

Why Passwordless Authentication Still Relies on Password Security

The future of passwordless authentication is still far off. It’s expensive, complex, and currently a mirage. However, strengthening the existing password security layer is logical, cost-effective, and straightforward. There are several strategies enterprises can take. The most important and time-sensitive choice is to employ the policy of checking passwords against a blacklist of compromised credentials. This solution requires a real-time continuous check of passwords to detect if and when credentials become unsafe.
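As an added illustration of the compromised-credential check described above (and of the continuous monitoring the FAQ mentions), here is example code that is not part of the original post. It uses a k-anonymity style range lookup (hash prefix sent, suffix compared locally) against a small constructed breach corpus; the corpus contents, the `monitored` mapping and the function names are all assumptions for the demo.

```python
import hashlib

def _sha1(text):
    # SHA-1 is used here only to match against a breach corpus (as
    # breach-lookup services do), never to store login credentials.
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()

# Constructed sample corpus of breached-password hashes (stand-in for a
# real, continuously updated compromised-credential feed).
BREACH_CORPUS = {_sha1(p) for p in ("password", "123456", "qwerty", "letmein")}

def range_lookup(prefix):
    """Return the hash suffixes in the corpus that share a 5-char hex prefix.
    Mirrors a k-anonymity range query: the caller never reveals the full
    hash of the candidate password, only its prefix."""
    return {h[5:] for h in BREACH_CORPUS if h.startswith(prefix)}

def is_compromised(password):
    """True if the password's hash appears in the breach corpus."""
    full = _sha1(password)
    prefix, suffix = full[:5], full[5:]
    return suffix in range_lookup(prefix)

def check_on_set(password):
    """Policy hook at password creation or change: accept only passwords
    that are not already known to be compromised."""
    return not is_compromised(password)

def recheck_on_corpus_update(monitored, new_breach_hashes):
    """Continuous check: when a new breach batch arrives, add it to the
    corpus and return the accounts whose monitoring hash now matches.
    `monitored` maps username -> SHA-1 of the password (a simplification;
    a production system would keep a dedicated monitoring hash separate
    from the salted login hash)."""
    BREACH_CORPUS.update(new_breach_hashes)
    return sorted(user for user, h in monitored.items() if h in BREACH_CORPUS)
```

Accounts flagged by `recheck_on_corpus_update` are the ones whose ‘backup’ password has just become unsafe, which is exactly the moment a forced reset is needed.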

Keep it Real: Protecting Password Security in a Passwordless World

Despite the techy dreams of a passwordless world, for the moment, it’s important to keep our collective feet on the ground. Passwords aren’t going anywhere anytime soon. Knowing this, governments, healthcare organizations, and businesses must take action and protect their password security layers. Finding a company committed to protecting accounts through compromised password detection might even be easier than you think.


FAQs

  1. Is passwordless authentication secure?
    Passwordless authentication can be secure, but it depends on the implementation. Methods like biometric security, physical tokens, and one-time passcodes can reduce reliance on passwords, but they often still have fallback mechanisms that rely on password security. Additionally, compromised credentials remain a risk if attackers can reset accounts using traditional password recovery methods. For true security, passwordless authentication should be combined with continuous credential monitoring.
  2. Can biometrics replace passwords?
    Biometric security methods like fingerprint or facial recognition provide a convenient alternative to passwords, but they cannot fully replace them—at least not yet. Biometric data is difficult to change if compromised, and many systems still require a password as a backup. Additionally, factors like hardware failure, environmental conditions, or spoofing techniques can reduce their reliability. Instead of replacing passwords, biometrics work best as an additional security layer.