Passwords Aren’t Going Anywhere… Except into Hackers’ Hands
Michael Greene
Verizon’s recent Data Breach Investigations Report underscores that stolen credentials remain one of hackers’ most preferred means of entry, with their usage involved in over 80 percent of web application attacks. Many in the security community are seizing on these findings to proclaim them a case for the “passwordless” movement, but nothing could be further from the truth.
While passwordless authentication solutions can sometimes be used to grant access to IoT devices and connected systems, it would be foolish to assume that the days of relying on passwords for authentication are in the rearview mirror.
'While passwordless authentication solutions can sometimes be used to grant access to IoT devices and connected systems, the days of relying on passwords for authentication are not over.' -Michael Greene
If you have an Apple device, there’s a good chance you’ve encountered a problem with Touch ID at some point. There are various reasons why Touch ID authentication might fail—debris on the button, users’ finger positioning, or issues with system configuration, for example. When this happens, the system defaults to asking for a password and the same is true for connected technologies protected by biometrics.
When viewed from this perspective, the security of these accounts is really only as good as the password. Given the rampant problem of password reuse, there’s a strong likelihood that the credentials deployed as a backup means of authentication have already been exposed and are available to hackers on the Dark Web. Due to the current maturity of biometric technology, a fallback means of authentication will be required for the foreseeable future. And when you consider that this secondary form of log-in is generally a password, the notion of passwordless loses some of its shine.
Another issue preventing the promise of passwordless from being realized is that credentials are still generally required somewhere in the security chain. For example, if you gain access to the office via a hardware token, the system will fall back to your unique access code when the token is damaged or misplaced. Likewise, the IT admin who logs into the system to analyze the data will use credentials, meaning that passwords are still involved in authenticating to the system.
The above examples highlight that going truly passwordless is not likely in the near term. However, biometrics and other invisible security strategies also have some additional authentication concerns. For example:
In light of these factors, companies should focus on securing the password layer before considering any passwordless solution. While the Verizon report correctly identified that hackers are eager to exploit credentials as a threat vector, with the right approach, organizations can essentially eliminate this vulnerability.
The most effective strategy is to adopt a hybrid approach to authentication where passwordless is introduced to reduce user friction and increase security, while still diligently pursuing techniques and practices that strengthen the passwords for optimal password security. As our reliance on IoT technology continues to grow, password-driven authentication will remain a cornerstone of authentication strategies for the foreseeable future.
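As an added illustration of the fallback problem and the hybrid approach described above (example code written for this page, not from the article or any product it mentions), the model below lets a biometric check succeed on its own, but when it fails the password it falls back to must also pass a screen against a list of known-exposed credentials. The breached list, the `verify` callback and the prefix-lookup service are constructed stand-ins; the prefix split mimics a k-anonymity style lookup in which only the first five hex characters of the SHA-1 leave the client.

```python
import hashlib
from typing import Callable, Optional, Set, Tuple

# Constructed sample of a breached-credential feed, kept as SHA-1 hashes so the
# screening side never stores plaintext. Hypothetical data, not a real breach list.
_BREACHED_PLAINTEXTS = ["password123", "Summer2020!", "letmein"]
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in _BREACHED_PLAINTEXTS}


def sha1_prefix_split(password: str, prefix_len: int = 5) -> Tuple[str, str]:
    """Split the SHA-1 of a password into a short prefix and the remaining suffix.
    In a range-style lookup only the prefix is sent; matching happens on the client."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[:prefix_len], digest[prefix_len:]


def lookup_suffixes(prefix: str) -> Set[str]:
    """Stand-in for a breached-hash range service (assumed, not a real API):
    returns every known suffix that shares the prefix."""
    return {h[len(prefix):] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_compromised(password: str) -> bool:
    """True when the password appears in the breached list, checked without
    ever sending the full hash or the plaintext to the lookup side."""
    prefix, suffix = sha1_prefix_split(password)
    return suffix in lookup_suffixes(prefix)


def authenticate(biometric_ok: bool, fallback_password: Optional[str],
                 verify: Callable[[str], bool]) -> str:
    """Model the fallback the article describes: when the biometric check fails,
    the account is only as strong as the password it falls back to, so that
    password must be both correct and not already exposed."""
    if biometric_ok:
        return "allow:biometric"
    if fallback_password is None:
        return "deny:no-fallback"
    if not verify(fallback_password):  # verify is the caller's credential check
        return "deny:bad-password"
    # Correct but reused/leaked: block and require a reset instead of letting an
    # already-exposed credential become the account's effective security.
    if is_compromised(fallback_password):
        return "deny:compromised-password-reset-required"
    return "allow:password"
```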