Passwords Aren’t Going Anywhere… Except into Hackers’ Hands

Michael Greene

Verizon’s recent Data Breach Investigations Report underscores that stolen credentials remain one of hackers’ most preferred means of entry, with their usage involved in over 80 percent of web application attacks. Many in the security community are seizing on these findings to proclaim them a case for the “passwordless” movement, but nothing could be further from the truth. 

While passwordless authentication solutions can sometimes be used to grant access to IoT devices and connected systems, it would be foolish to assume that the days of relying on passwords for authentication are in the rearview mirror. 

Passwordless Solutions Still Rely on Passwords as a Fallback

If you have an Apple device, there’s a good chance you’ve encountered a problem with Touch ID at some point. There are various reasons why Touch ID authentication might fail—debris on the button, users’ finger positioning, or issues with system configuration, for example. When this happens, the system defaults to asking for a password and the same is true for connected technologies protected by biometrics. 

When viewed from this perspective, the security of these accounts is really only as good as the password. Given the rampant problem of password reuse, there’s a strong likelihood that the credentials deployed as a backup means of authentication have already been exposed and are available to hackers on the Dark Web. Due to the current maturity of biometric technology, a fallback means of authentication will be required for the foreseeable future. And when you consider that this secondary form of log-in is generally a password, the notion of passwordless loses some of its shine. 

Credentials are Required to Authenticate the System on the Back End 

Another issue preventing the promise of passwordless from being realized is that credentials are still generally required to authenticate the system at some point in the security chain. For example, if you gain access to the office via a hardware token, the system falls back to your unique access code when the token is damaged or misplaced. Beyond that, the IT admin who logs into the system to analyze the access data uses credentials, so passwords are still involved in authenticating the system on the back end.

Additional Challenges with Alternative Authentication Mechanisms 

The above examples highlight that going truly passwordless is not likely in the near term. However, biometrics and other invisible security strategies also have some additional authentication concerns. For example: 

  • Device/Service Limitations: IoT developers can include biometric scanners on connected devices, but a large portion of the population still utilizes older laptops and phones that don’t support the technology. 
  • User Issues: There have also been documented issues during large-scale biometric implementations in which some users have been unable to authenticate themselves via a particular attribute. Until the technology matures sufficiently to address this incompatibility, these people will need system access via more traditional avenues. 
  • Spoofing Concerns: You can’t change your fingerprint or retina once it has been captured, but attackers’ techniques for copying these and other physical attributes keep improving. Particularly as deep-fake technology becomes more widespread, it will be even easier for threat actors to capture and reuse people’s biometric identifiers. 

Strengthening Security Through the Password Layer 

In light of these factors, companies should focus on securing the password layer before considering any passwordless solution. While the Verizon report correctly identified that hackers are eager to exploit credentials as a threat vector, with the right approach, organizations can essentially eliminate this vulnerability. 

The most effective strategy is to adopt a hybrid approach to authentication where passwordless is introduced to reduce user friction and increase security, while still diligently pursuing techniques and practices that strengthen the password layer itself. As our reliance on IoT technology continues to grow, password-driven authentication will remain a cornerstone of authentication strategies for the foreseeable future.
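As an added example that is not from the article or from Enzoic, here is one way to screen the password that backs a biometric or token login against known-compromised credentials using the hash-prefix (k-anonymity) pattern, so the client never reveals the full hash to the lookup service; the breach corpus, the `build_breach_index`/`range_query` helpers and the minimum-length threshold are constructed assumptions.

```python
# Added example: compromised-credential screening for a fallback password using
# the k-anonymity hash-prefix pattern. The breach corpus is a constructed
# in-memory list; a real deployment would query a breach-data service (assumed).
import hashlib
from collections import Counter

# Constructed sample of leaked passwords (plaintexts only serve to build the
# hashed index; a real corpus stores hashes and exposure counts).
_CONSTRUCTED_LEAKS = ["password", "123456", "qwerty", "letmein",
                      "password", "iloveyou", "summer2020!!!"]

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the usual key format for breach-corpus lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_breach_index(leaked_passwords):
    """Index: 5-char SHA-1 prefix -> {35-char suffix: times seen}."""
    index = {}
    for pw in leaked_passwords:
        h = sha1_hex(pw)
        index.setdefault(h[:5], Counter())[h[5:]] += 1
    return index

def range_query(index, prefix: str):
    """Server side: return every suffix sharing the prefix (k-anonymity)."""
    return dict(index.get(prefix.upper(), {}))

def exposure_count(index, password: str) -> int:
    """Client side: send only the 5-char prefix, match the suffix locally."""
    h = sha1_hex(password)
    return range_query(index, h[:5]).get(h[5:], 0)

def accept_fallback_password(index, password: str, min_length: int = 12):
    """Policy for the password behind a biometric/token login: (accepted, reason)."""
    if len(password) < min_length:
        return False, "too short for a fallback credential"
    seen = exposure_count(index, password)
    if seen > 0:
        return False, f"found in breach corpus {seen} time(s)"
    return True, "ok"

BREACH_INDEX = build_breach_index(_CONSTRUCTED_LEAKS)

if __name__ == "__main__":
    for candidate in ["password", "summer2020!!!", "correct horse battery staple"]:
        print(candidate, accept_fallback_password(BREACH_INDEX, candidate))
```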

Author
Michael Greene
Michael Greene - CEO, Enzoic
Michael is CEO of Enzoic, a leading provider of compromised credential screening solutions. He has received industry awards including SC Media Reboot Leadership Award for Thought Leadership and Javelin’s Identity Protection Leaders in Prevention, ...