Why We’re Not Ready For Passwordless Systems

Passwords are here to stay for the time being. So how can we optimise them?

Seeing as we’re on the cusp of driverless cars, human-machine integration, and ground-breaking robotics it’s surprising that we’re still relying on passwords. Although passwordless authentication options are gaining prominence, there’s a reason why we’re still using passwords 60 years after their inception: they’re effective. 

Unlike facial recognition and other biometric solutions, passwords are either completely right or completely wrong. Currently, biometrics require a margin of error; for example, it has been shown that people can open their relatives’ phones via facial recognition apps. Even more importantly, if one’s biometric data is ever compromised, it can never be replaced. 

Unfortunately, we’ve already seen a major breach of biometric data. In August 2019, web privacy company vpnMentor discovered a breach in Suprema’s security platform, Biostar2, which exposed facial recognition data and fingerprint records for one million people. According to vpnMentor, Suprema saved exact copies of users’ fingerprints, potentially compromising these individuals’ biometric information forever. 

For companies that do store users’ biometric data, it’s wise to utilise hashing or blockchain technology to protect this data. Nevertheless, unlike passwords, biometric data – be it irises, faces, or fingerprints – cannot be replaced.

For the time being then, passwords are here to stay. However, for them to be fully optimised there are some important things to consider. 

Multifactor authentication is key

Whether you use password-based authentication or not, your organisation should require multi-factor authentication (MFA). There is no excuse not to employ MFA, especially with the current proliferation of applications that enable such services. 

Do not require mandatory password resets

If your organisation does have MFA in place, you definitely should not require mandatory password resets. In fact, such requirements arguably make your network less safe, as employees tend to write their passwords on Post-It notes at their workstations, and resort to using similar passwords, as well as passwords that are easy for hackers to guess.

As a caveat, if employees change roles within your organisation, it may make sense to require a password reset. Ideally, this reset request should be automated as part of the transfer process. 

Require complex passwords

Given that password brute force attacks (attempts to guess a password by trial and error) are still the most common form of attack, it is still important to require complex passwords and disallow weak passwords. The National Institute of Standards and Technology (NIST), part of the US Department of Commerce, recommends requiring long, complex passwords that employees haven’t used in the past.
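As an added illustration (not the author's code and not tied to any particular product), here is a policy check that enforces the three points above: a minimum length, a denylist of known weak passwords, and rejection of any password the employee has used before, compared against salted hashes rather than stored plaintext. The minimum length, history depth, denylist entries and PBKDF2 parameters are assumptions chosen for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os

MIN_LENGTH = 14          # assumed policy value; adjust to your own standard
HISTORY_DEPTH = 5        # assumed: the last 5 passwords may not be reused
PBKDF2_ROUNDS = 600_000  # work factor for PBKDF2-HMAC-SHA256 (assumed)

# Constructed denylist for the example. In production this would be a large
# corpus of breached and common passwords, checked case-insensitively.
WEAK_PASSWORDS = {
    "password", "password1", "welcome1", "letmein", "qwerty123", "summer2024!",
}


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest) for a password using salted PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def _matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def evaluate_password(candidate: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in WEAK_PASSWORDS:
        problems.append("appears on the weak-password denylist")
    # Only the most recent HISTORY_DEPTH hashes are kept; plaintext is never stored.
    if any(_matches(candidate, salt, digest) for salt, digest in history[-HISTORY_DEPTH:]):
        problems.append("reused a previous password")
    return problems


def rotate_password(new_password: str, history: list[tuple[bytes, bytes]]) -> list[tuple[bytes, bytes]]:
    """Apply the policy; on success return the history with the new hash appended."""
    problems = evaluate_password(new_password, history)
    if problems:
        raise ValueError("; ".join(problems))
    return (history + [hash_password(new_password)])[-HISTORY_DEPTH:]
```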

Manage privileged accounts separately

It is wise to consider utilising an enterprise grade password manager to stay on top of password security issues. Additionally, as privileged accounts are typically shared by a few people in an organisation, you should consider having a separate program to manage the passwords for these privileged accounts. 

To get certain tasks completed, your system administrators should be able to elevate privileges for any given user for a set period of time, and, if necessary, disable direct authentication to all privileged accounts.

Start the transition to passwordless authentication options

Despite the effectiveness of passwords, wherever possible you can look to eliminate or disable password-based authentication. Passwordless authentication, such as one-time passwords (OTPs) sent via email and SMS, is becoming increasingly popular.

If you decide to introduce a passwordless authentication option for select business accounts, be sure to consider employing two or more options; this way you can effectively remove passwords without compromising your security. 

Conclusion

Until passwordless authentication options and biometric solutions become more advanced, it is wise to rely on long, complex passwords and multi-factor authentication. Unlike passwords, biometric solutions – fingerprint modules, iris scanners, and voice recognition systems – require a margin of error and, once compromised, the data is compromised for life. 

That’s why, for the time being, passwords will remain the safest route for your organisation to take from a security perspective.

For more insights from our expert guest contributors, subscribe to our weekly newsletter.