Passwordless: More Mirage Than Reality


The concept of “passwordless” authentication has been gaining significant industry and media attention. And for a good reason. Our digital lives are demanding an ever-increasing number of online accounts and services, with security best practices dictating that each requires a strong, unique password in order to ensure data stays safe. Who wouldn’t want an easier way?

That’s the premise behind one-time passwords (OTP), biometrics, pin codes, and other authentication methods presented as passwordless security. Rather than remembering cumbersome passwords, users can authenticate themselves using something they own, know, or are. Some examples include a smartphone, OTP, hardware token, or biometric marker like a fingerprint. While this sounds appealing on the surface, the problem is that, when you dig deeper, these passwordless solutions are still reliant on passwords.

This happens in two primary ways:

Passwordless Solutions Rely on Passwords as a Fallback

If you have an Apple device, chances are you’ve encountered an issue with Touch ID at some point. There are numerous reasons why Touch ID authentication might fail—debris on the button, users’ finger positioning, or issues with system configuration, to name just a few. When these and other issues crop up, what are you prompted to do? Enter your password.

This means that, even if you have Touch ID enabled for every possible app and service, the security of these accounts is really only as good as your password. Hackers can ignore the Touch ID and go directly to a password attack.

Given the rampant problem of password reuse, there’s a good chance that the credentials many people use for their Apple devices have already been exposed. And if a password has been exposed, rest assured that it’s available for all hackers to obtain via the Dark Web.

Of course, this is not a challenge unique to Apple. As these emerging authentication solutions are relatively new, a fallback means of authentication will be required for the foreseeable future. And when you consider that this secondary form of log-in is generally a password, the promise of passwordless remains elusive.

Credentials are Used to Authenticate the System on the Backend

The second factor contributing to the passwordless mirage is that credentials are still typically required to authenticate the system at some point in the security chain.

For example, perhaps you gain access to your office via a hardware token that falls back to your unique access code if the token is damaged or you simply forget it. But what about the IT admin who logs into the system to analyze the data? If they are using a password without a complementary solution to ensure the integrity of their credentials, then the system’s security is still reliant upon password security.

Why Passwords Will Not Disappear Anytime Soon

The two examples outlined above underscore that the passwordless concept is largely smoke and mirrors—at least at this stage of the game. These emerging invisible security strategies have some additional authentication concerns that will require passwords to remain part of authentication security for the foreseeable future.

In contrast, passwords still have a lot of appeal to organizations. They are the most affordable and scalable authentication option, which makes them difficult to replace. There are no compatibility issues with passwords, which work across all devices, versions, and operating systems.

This is not the case with many of the emerging passwordless solutions, which will require organizations to allocate more budget if they want to increase compatibility. Another benefit of relying on a password is that it’s either correct or not. In contrast, some of the passwordless options rely on probabilistic decision-making, where there is a built-in margin of error.

The Role of Varied and Multiple Layers of Authentication

According to Eric Haller, Experian’s EVP and General Manager of Identity, Fraud, and DataLabs, “Consumers want to be recognized digitally without extra steps to identify themselves…they are open to more practical solutions in today’s digital era.” The willingness may be there on consumers’ part, but the truth is that no single, effective solution for secure authentication exists. These invisible security strategies have their place, but only as part of a broader cybersecurity approach in which multiple layers of authentication are deployed. This brings us back to passwords.

Securing the Password Layer

As mentioned above, it’s incredibly common for people to create simple, easy-to-remember passwords that they then reuse across multiple accounts and services. Ninety-one percent of respondents in one survey acknowledge that this introduces numerous security concerns, yet 59% admit to doing it anyway. It’s unrealistic to expect human behavior to change, particularly in the post-pandemic world where we have more digital interactions in our personal and professional lives than ever before. So, what can organizations do to ensure password security?

Importance of Screening for Compromised Credentials

With data breaches occurring in real time, the only approach is to screen passwords against a live database of compromised credentials at every login. Whether passwords are used as the primary means of authentication or as a backup for when an invisible security strategy fails, it’s critical that companies continuously monitor for the use of exposed credentials. Enzoic’s dynamic compromised credential screening solution allows organizations to automate this process, freeing resources to focus on other areas of cybersecurity while ensuring protection at the password layer.
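The screening step described above, shown as an added example that is not part of the original post and is not Enzoic’s product or API. It assumes a k-anonymity style lookup (the password is hashed with SHA-1 on the client, only the first five hex characters are sent to the screening service, and the returned bucket of suffixes is compared locally), a small constructed corpus of exposed passwords standing in for a live breach feed, and a caller-supplied `verify_password` function standing in for the site’s normal credential check. Screening runs at login because that is the one moment the plaintext is legitimately in hand; stored password hashes are salted and cannot be compared against a breach list directly.

```python
import hashlib
from typing import Callable, Dict, List

# Constructed sample breach corpus (illustrative only; not real breach data).
# A real deployment would load a continuously updated feed of exposed hashes.
_SAMPLE_EXPOSED = ["password", "123456", "qwerty", "letmein", "Summer2020!"]


def sha1_hex(password: str) -> str:
    """Hex SHA-1 of the password, upper-cased to match the corpus index."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachCorpus:
    """Server side of the screening service (assumed design): stores hashes
    only, indexed by a 5-character prefix so a client never reveals a full hash."""

    PREFIX_LEN = 5

    def __init__(self, hashes: List[str]) -> None:
        self._by_prefix: Dict[str, List[str]] = {}
        for h in hashes:
            h = h.upper()
            prefix, suffix = h[: self.PREFIX_LEN], h[self.PREFIX_LEN :]
            self._by_prefix.setdefault(prefix, []).append(suffix)

    def range_query(self, prefix: str) -> List[str]:
        """Return every suffix whose hash shares `prefix` (the anonymity bucket)."""
        return list(self._by_prefix.get(prefix.upper(), []))


def is_compromised(password: str, corpus: BreachCorpus) -> bool:
    """Client side: hash locally, send only the prefix, match suffixes locally.
    The plaintext and the full hash never leave the login handler."""
    digest = sha1_hex(password)
    prefix, suffix = digest[: corpus.PREFIX_LEN], digest[corpus.PREFIX_LEN :]
    return suffix in corpus.range_query(prefix)


def login(
    username: str,
    password: str,
    verify_password: Callable[[str, str], bool],
    corpus: BreachCorpus,
) -> str:
    """Screen on every login, but only after the site's own credential check
    passes, so the screening result can never act as a guessing oracle."""
    if not verify_password(username, password):
        return "denied"
    if is_compromised(password, corpus):
        # A real system would force a reset, step up authentication, and alert.
        return "reset_required"
    return "ok"


def build_sample_corpus() -> BreachCorpus:
    """Build the screening service from the constructed sample list."""
    return BreachCorpus([sha1_hex(p) for p in _SAMPLE_EXPOSED])


if __name__ == "__main__":
    corpus = build_sample_corpus()
    users = {"alice": "password", "bob": "correct horse battery staple"}  # constructed
    check = lambda u, p: users.get(u) == p  # stand-in for a salted-hash compare
    print(login("alice", "password", check, corpus))                     # reset_required
    print(login("bob", "correct horse battery staple", check, corpus))   # ok
    print(login("alice", "wrong", check, corpus))                        # denied
```

The order of the two checks in `login` is the design point worth keeping: screening a password that failed verification would let anyone probe whether arbitrary strings appear in the breach corpus, so the exposed-credential check runs only for an already-authenticated user, and the response for that user is a forced reset rather than a denial.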

Don’t Believe the Passwordless Hype

For now, the promise of a passwordless world remains a mirage. While our reliance may wane, the complete elimination of passwords seems unlikely. Therefore, with passwords part of our lives for the foreseeable future, it’s critical that organizations protect the password layer.