Why passwordless is not always passwordless

The concept of passwordless authentication has been gathering steam. Gartner anticipates that by 2022, 60% of large and global enterprises will implement some sort of passwordless solution to enhance security. While these emerging authentication tools help reduce user friction, the perception that passwords will no longer be required is a little premature.

These invisible security strategies are touted as the panacea to the password problem. Rather than the user remembering a cumbersome password, they can authenticate themselves using something they own, know, are, or some combination of the three.

With passwordless authentication, users are presented with one or multiple methods of signing into an application or device without the need to enter a password. This can take the form of email-based or SMS-based one-time passwords (OTP), biometrics, or hardware token-based authentication methods. All these emerging passwordless tools have less friction which increases their appeal with users. However, once you investigate, passwords are still involved in some shape or form in the authentication process.

How are passwords still in the mix?

With these emerging passwordless authentication solutions, passwords are frequently the fallback or fail-safe if the system denies access to a valid user. For example, if you encounter a problem with biometric authentication, such as when you need to wear a mask indoors and the facial scan doesn’t work, the system will default to prompting you to enter a password.

The same is true for fingerprint readers. Therefore, even if an organization has adopted this form of authentication for every app and service, these accounts still usually have a password involved as backup authentication. This means that enterprises can’t forget about password security despite embracing passwordless authentications.

Some systems are angling to eliminate this fallback reliance on passwords by using device-local biometrics and PINs to unlock asymmetric encryption keys that are then used to authenticate against a server.

Microsoft’s Windows Hello is a notable example and – under the right circumstances – it can be used to theoretically eliminate passwords from Active Directory. However, in its current form, there are no great solutions for accessing your account from non-Microsoft devices, such as accessing corporate Exchange email in a browser or from an iPhone or Android device. Typically, these types of use cases will still involve using a password that must be maintained for the user.

Another area where credentials are still required is authenticating systems on the backend. In large organizations, it’s almost impossible not to have systems or applications that require a password for authentication. IT administrators are notoriously hip-deep in credentials for all sorts of systems that don’t support passwordless single sign-on (SSO) for one reason or another. Some of these systems are legacy and aren’t likely to be updated to support corporate SSO – and eliminating or replacing them may just not be an option.

Organizations must carefully evaluate passwordless systems as they strive to improve security and understand that passwords are often still a factor. Some additional challenges to consider with these invisible authentication solutions include:

1. Cost implications: Many of these emerging technologies are innovative but require users to own the latest smartphone or laptop. For example, if organizations want to use biometric authentication, then every user needs an up-to-date device with those capabilities. The cost of doing this in mid-sized to large organizations is substantial. Likewise, hardware tokens require a significant investment coupled with the fact that these tokens are often lost, so the cost is recurring. This is a challenge for both employee and customer/user accounts.

2. Integration burden: Even more challenging when trying to roll out a passwordless system is overcoming the incompatibility with legacy systems. Converting all these systems for organizations with a lot of users, multiple apps, hybrid infrastructures, and complex login flows makes it both laborious and expensive, and organizations should not undertake this project lightly. Passwords, by contrast, are universally compatible and work across all devices, versions, and operating systems.

3. Can increase risk from lost/stolen devices: Since many of the passwordless approaches rely on tying a user to a device if that device is lost or stolen, an attacker may be able to gain access to a plethora of corporate resources via SSO by, for example, spoofing a biometric.

4. Hackers are still a problem: As new authentication tools emerge, hackers are quick to find vulnerabilities in them. From deep fakes to SIM swapping to phishing, hackers find loopholes almost as soon as these password alternatives appear. As these solutions become commonplace, hackers will continue to look for ways to exploit any vulnerabilities, which will only add to the workload of already overburdened security teams. We have already seen biometric databases leaked and hacked, and as cited above, once this data is leaked, you cannot change your face or fingerprints like you can a password.

5. OTP-only solutions have an Achilles heel: There are some products being touted as passwordless which rely on email or SMS-based OTP as a single factor. Given that attackers can and do breach email accounts, and SIM swapping is still not nearly difficult enough, relying on these mechanisms as a passwordless authentication approach for anything more than low security applications is probably asking for trouble.

With these challenges, a better strategy for organizations is to adopt a hybrid approach to authentication where passwordless is judiciously introduced to reduce user friction and increase security, while still diligently pursuing techniques and practices that strengthen the passwords, which will invariably continue to underlie these “passwordless” solutions for some time to come.

Remember, the problem with passwords is down to poor password policy adopted by organizations coupled with user behavior rather than the actual password. Therefore, a layered approach to authentication is still the best way for organizations that want a robust, secure, and low-friction process.

Passwordless innovation will continue to emerge, and organizations should explore the different options. However, they need to recognize that passwords will remain a vital part of the authentication mix for the foreseeable future and should still be secured accordingly.