passwordless authentication
IT Security

We’re not ready for passwordless systems—and that’s quite alright

user

By Rajesh Ganesan President, ManageEngine

Published on June 29, 2020

We’re on the cusp of a new tech era, with advances like driverless cars, human-machine integration, and groundbreaking robotics. So it’s somewhat surprising that we’re still relying on passwords. Although passwordless authentication options are gaining prominence, there’s a reason why we’re still using passwords 60 years after their inception: they’re effective.

Unlike facial recognition and other biometric solutions, passwords are either completely right or completely wrong. Currently, biometrics require a margin of error; for example, it has been shown that people can open their relatives’ phones via facial recognition apps. Even more importantly, if one’s biometric data is ever compromised, it can never be replaced.

Unfortunately, we have already seen a major breach of biometric data. Last August, web privacy company vpnMentor discovered a breach in Suprema’s security platform, Biostar2, which exposed facial recognition data and fingerprint records for one million people. According to vpnMentor, Suprema saved exact copies of users’ fingerprints, potentially compromising these individuals’ biometric information forever. For companies that do store users’ biometric data, it’s wise to utilize hashing or blockchain technology to protect this data. Nevertheless, unlike passwords, biometric data—be it irises, faces, or fingerprints—cannot be replaced.

For the time being, passwords are here to stay; however, there are some important things to consider.

It’s wise to use multi-factor authentication.

Whether you use password-based authentication or not, your organization should require multi-factor authentication (MFA). There is no excuse not to employ MFA, especially with the current proliferation of applications that enable such services.

Do not require mandatory password resets.

If your organization does have MFA in place, you definitely should not require the mandatory password resets. In fact, such requirements arguably make your network less safe, as employees tend to write their passwords on Post-It notes at their work stations, and resort to using similar passwords, as well as passwords that are easy for hackers to guess. As a caveat, if employees change roles within your organization, it may make sense to require a password reset. Ideally, this reset request should be automated as part of the transfer process.

Require complex passwords.

Given that password brute force attacks are still the most common form attack, it is still important to require complex passwords and disallow weak passwords. The NIST recommends requiring long, complex passwords that employees haven’t used in the past.

Manage privileged accounts separately.

It is wise to consider utilizing an enterprise grade password manager to stay on top of password security issues. Additionally, as privileged accounts are typically shared by a few people in an organization, you should consider having a separate program to manage the passwords for these privileged accounts. To get certain tasks completed, your system administration should be able to elevate privileges for any given user for a set period of time, and if necessary, your sys admin should also be able to disable direct authentication to all privileged accounts.

Look into passwordless authentication options.

Despite the effectiveness of passwords, wherever possible you can look to eliminate or disable password based authentication. Passwordless authentication, such as one-time passwords (OTPs) sent via email and/or SMS, are becoming increasingly popular. If you decide to introduce a passwordless authentication option for select business accounts, be sure to consider employing two or more options; this way you can effectively remove passwords without compromising your security.

Conclusion

Until passwordless authentication options and biometric solutions become more advanced, it is wise to rely on long, complex passwords and multi-factor authentication. Unlike passwords, biometric solutions—fingerprint modules, iris scanners, and voice recognition systems—require a margin of error. Additionally, as we saw in the breach of Suprema’s biometric database, if such an event does occur, users’ sensitive biometric data is compromised for life.

Put simply, for the time being, passwords are the safest route for your organization to take from a security perspective.

Disclosure: This article was originally published in DisruptionHub.

Leave a comment

Your email address will not be published. Required fields are marked *

68 + = 72