Don't believe the passwordless hype
Truly passwordless systems don't exist yet because most systems default to passwords when other authentication methods, such as biometric readers, fail.
As the number of connected IoT devices and systems continues to grow exponentially, the number of endpoints and threat surfaces that enterprises need to protect is expanding. This challenge, coupled with escalating cybersecurity concerns, forces organizations to look for new ways to shore up their defenses and spurs interest in passwordless authentication solutions.
However, it's a little premature to think that the days of relying on passwords for authentication are in the rearview mirror. Emerging passwordless tools have less friction, but passwords still play a role in some shape or form in the authentication process.
Passwords are a fail-safe
With many of these alternative authentication solutions, a password is often the backup if a system denies access to a valid user. For example, if a biometric reader fails, the system defaults to asking for a password. This means that the security of these accounts is really only as good as the password. Given the rampant password reuse problem, there's a good chance that the credentials many people use have already been exposed. And if a password has been compromised, then cybercriminals can undoubtedly obtain it via the dark web.
Because these emerging authentication solutions are relatively new, a fallback method of authentication will be required for the foreseeable future. The secondary form of login generally relies on a password, so the promise of passwordless authentication remains elusive.
Credentials authenticate the system back end
Credentials are typically still needed to authenticate the system at some point in the security chain. For example, if you gain access to the office via a hardware token, the system will default to your unique access code when the token is damaged or misplaced. However, the IT admin who logs in to the system to analyze the data will use credentials, meaning that passwords are still involved to authenticate the system.
These two examples highlight that going truly passwordless is not likely in the near term and passwords will remain part of the authentication mix. Enterprises will continue to use passwords, as they are a cost-effective and scalable solution. In addition, they easily integrate with both legacy and emerging systems and software.
The future includes passwords
For now, the promise of a passwordless world remains a mirage. The most effective strategy for organizations is to adopt a hybrid approach to authentication in which passwordless methods are introduced to reduce user friction and increase security, while still diligently pursuing techniques and practices that strengthen passwords. A layered approach to authentication is still the best way forward for organizations that want a secure and low-friction process. As our reliance on connected systems continues to grow, password-driven authentication will remain a cornerstone of authentication strategies for many years to come.
About the author
Michael Greene, current CEO of Enzoic, has deep software and cybersecurity experience acquired from a range of different roles with a variety of global high-growth companies. Prior to Enzoic, he was the CEO of ID Watchdog, an identity theft protection company that was sold to Equifax in 2017. Before ID Watchdog, Michael held senior management positions at Symantec, Webroot, Thomson Micromedex, Raindance and Baxter.