Businesses should explore the options that passwordless authentication offers as the technology matures. They should, however, recognize that passwords will remain an integral part of the authentication mix for the foreseeable future, and that they must be secured accordingly.
The idea of passwordless authentication has been gaining traction. According to Gartner, 60 percent of large and multinational organizations will use a passwordless approach to improve security by 2022. While these new authentication tools help to minimize user friction, it’s a little early to assume that passwords will be obsolete.
With passwordless authentication, users are given one or more ways to sign in to an application or computer without entering a password. Many of these new tools involve less friction, which makes them appealing to consumers. A closer look, however, shows that a password is usually still involved somewhere in the authentication process.
Are passwords still a part of the equation?
In these evolving passwordless solutions, a password is typically kept as a backup or fail-safe in case the device denies access to a legitimate user (for example, after a phone is lost or replaced). As a result, even when a company has rolled out passwordless authentication for all of its apps and services, the accounts almost always retain a password as a fallback method. That fallback is also a login path an attacker can target: whoever cannot defeat the primary method can still try the password. Businesses adopting passwordless authentication must therefore not neglect password protection.
Back-end systems are another area where passwords are still needed. It is almost impossible for a large company not to have systems or software that require a password to authenticate. IT administrators hold a heap of passwords for systems that, for various reasons, cannot use passwordless single sign-on (SSO). Some of these systems are legacy and unlikely to be modified to support corporate SSO, so retiring or replacing them may not be an option.
To improve protection, organizations must analyze passwordless systems carefully and recognize that passwords remain a factor in many cases. Here are some additional problems to keep in mind when using these invisible authentication solutions:
Hackers Continue to be a Problem
Attackers are quick to find weaknesses in new authentication tools as they become available, and they have found a way around almost every login alternative: SIM swapping against SMS codes, deepfakes against biometrics, and phishing against one-time codes. As these solutions become more popular, attackers will keep looking for ways to exploit them, adding to the already heavy workload of security teams.
Challenges Involved with Integration
Incompatibility with existing systems is one of the hardest obstacles when implementing a passwordless scheme. For organizations with a large number of users, hybrid infrastructure, multiple applications and complex login flows, converting these systems is time-consuming and costly, and it should not be taken lightly.
Many of these new developments are genuinely innovative, but they require current laptops or smartphones. When a company wants to use biometric authentication, for example, every user must have an up-to-date device with the required sensors. In mid-sized to large companies the cost of this is significant. Hardware tokens likewise require a large investment, compounded by the fact that tokens are often lost, which turns them into a recurring expense. This can be a burden for both employees and customers.
OTP-Only Solutions Can be Risky
Some products marketed as passwordless use an email- or SMS-delivered one-time password (OTP) as the single factor. Given that attackers can compromise email accounts and that SIM swapping is still not difficult, relying on these mechanisms alone for anything other than low-security applications is risky: whoever can read the message can log in.
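The two points above, a password that stays in the loop as a fallback and an OTP that is unsafe as the only factor, as an added example in Python (this is not code from the original article or from any vendor product): a toy login flow that hashes the password with scrypt, issues a random 6-digit code, stores only a hash of the code, and enforces expiry, single use and an attempt limit. The account tiers, the constants and the fixed timestamp T0 are assumptions for the demo; start_login returns the plaintext code only so the demo can use it, where a real system would deliver it by SMS or email.

```python
"""Constructed demo: hybrid login with a scrypt-hashed password plus a
time-bound, single-use, attempt-limited one-time code. The tier names,
constants and T0 are assumptions, not taken from any real product."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

OTP_DIGITS = 6            # assumed: 6-digit numeric code
OTP_TTL_SECONDS = 300     # assumed: code valid for five minutes
OTP_MAX_ATTEMPTS = 5      # assumed: guesses allowed per issued code
T0 = 1_700_000_000        # fixed clock so the demo is deterministic


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes


def hash_password(password: str, salt: Optional[bytes] = None) -> PasswordRecord:
    """scrypt with a per-user random salt; cost parameters are illustrative."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return PasswordRecord(salt, digest)


def verify_password(password: str, rec: PasswordRecord) -> bool:
    cand = hashlib.scrypt(password.encode(), salt=rec.salt, n=2**14, r=8, p=1, dklen=32)
    return hmac.compare_digest(cand, rec.digest)   # constant-time compare


@dataclass
class OtpChallenge:
    code_hash: bytes          # only the hash is kept server-side
    salt: bytes
    expires_at: int
    attempts_left: int = OTP_MAX_ATTEMPTS
    consumed: bool = False


def _otp_hash(code: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + code.encode()).digest()


def issue_otp(now: int = T0) -> Tuple[OtpChallenge, str]:
    """Returns the challenge to store and the plaintext code to send out of band."""
    code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    salt = os.urandom(8)
    return OtpChallenge(_otp_hash(code, salt), salt, now + OTP_TTL_SECONDS), code


def verify_otp(ch: OtpChallenge, submitted: str, now: int = T0) -> bool:
    """Rejects expired, already-used or brute-forced codes; constant-time compare."""
    if ch.consumed or now >= ch.expires_at or ch.attempts_left <= 0:
        return False
    ch.attempts_left -= 1
    if hmac.compare_digest(_otp_hash(submitted, ch.salt), ch.code_hash):
        ch.consumed = True
        return True
    return False


@dataclass
class Account:
    username: str
    password: PasswordRecord
    tier: str = "standard"    # assumed: "low" may use the OTP alone
    challenge: Optional[OtpChallenge] = None


def start_login(acct: Account, now: int = T0) -> str:
    acct.challenge, code = issue_otp(now)
    return code   # in reality delivered to the user's phone or mailbox


def finish_login(acct: Account, otp: str, password: Optional[str], now: int = T0) -> bool:
    if acct.challenge is None:
        return False
    otp_ok = verify_otp(acct.challenge, otp, now)
    if acct.tier == "low":
        return otp_ok   # OTP-only: a SIM swap or a read mailbox is enough
    # Both factors are evaluated so the outcome does not reveal which one failed.
    pw_ok = password is not None and verify_password(password, acct.password)
    return otp_ok and pw_ok


def demo() -> dict:
    """Attacker holds the intercepted code but not the password."""
    results = {}
    for tier in ("low", "standard"):
        acct = Account("alice", hash_password("correct horse battery"), tier)
        code = start_login(acct)
        results[tier] = finish_login(acct, code, password=None)
    acct = Account("alice", hash_password("correct horse battery"))
    code = start_login(acct)
    results["legit"] = finish_login(acct, code, "correct horse battery")
    results["replay"] = finish_login(acct, code, "correct horse battery")
    return results


if __name__ == "__main__":
    print(demo())   # {'low': True, 'standard': False, 'legit': True, 'replay': False}
```

Running demo() shows the asymmetry the paragraph describes: with only the intercepted code the attacker gets into the OTP-only tier and is refused on the tier that also demands the password, and replaying a consumed code fails. The attempt limit matters because a 6-digit code has only a million values; without it an online guess is cheap regardless of how the code is delivered.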
A better alternative for organizations is therefore a hybrid approach: implement passwordless authentication judiciously where it reduces user friction and improves protection, while continuing to follow strategies and procedures that strengthen the passwords that will underpin these "passwordless" solutions for some time.