Everyone is aware that passwords are bad, but we are seemingly held hostage by them. They are easily stolen and used to take over a user’s account. They are inconvenient: people forget them, write them on notes, and often reuse them across different systems and services, which makes the security problems even worse.
Even after acknowledging all of this, passwords and their legacy issues continue to plague us. Why is it so hard to get rid of them? These are the top 5 challenges enterprises must address if they want to move to a future without passwords:
When people think of password replacement they typically think of biometrics such as face recognition and fingerprint scanning. These tools have become more widespread, but they aren’t available on every device, especially older mobile phones, laptops, and desktop workstations. Without support for common biometric authentication technologies on every device, it is difficult to eliminate passwords using biometrics alone, and it may take years before every device can be supported.
Many organizations are also wary of the accuracy of biometrics: malfunctions or failed authentication attempts fall back to PIN codes and passwords so that users are not locked out of their accounts. For this reason alone, many enterprises feel they must retain passwords as a means of last resort for access to accounts.
Biometrics are one of many ways to eliminate passwords, but choosing them involves more than convenience. Multiple authentication methods can be combined to overcome these challenges and deliver password elimination that is both convenient and secure.
Biometric authentication relies on the device for enrollment, biometric storage, and user validation. The biometric data never leaves the device; the device only tells the service that the user has successfully authenticated. When a user replaces a device, the data on the old device is not transferred to the new one, so the service has no way to authenticate against the user’s biometric data on the new device. The service needs a way to register the new device to the user.
For many organizations, passwords are still the easiest and most convenient way to handle device replacement. Although easy, this process gives bad actors an opening to register replacement devices and hijack user accounts. There are alternatives to passwords for device re-registration that are both more secure and more convenient for the end user.
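To make the device-binding problem concrete, here is an added example (not code from the original article) that models the relationship described above: the service never sees biometric data, only a response produced by a credential that lives on the device. The model is simplified and its names (`Device`, `Service`, `demo`) are hypothetical; it uses an HMAC over a per-device secret in place of the asymmetric key pair a FIDO2-style authenticator would hold, so that it runs with the Python standard library alone. The `biometric_ok` flag is constructed input standing in for the result of the device’s local biometric match.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Device:
    """A user's device holding a device-bound credential.

    The secret stands in for a hardware-bound private key; it is generated at
    enrollment and never leaves the device. (Simplified model, not FIDO2 itself.)
    """
    device_id: str
    secret: bytes

    def respond(self, challenge: bytes, biometric_ok: bool) -> Optional[bytes]:
        # The local biometric check only gates use of the credential; the
        # biometric data itself is never transmitted to the service.
        if not biometric_ok:
            return None
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()


class Service:
    """The relying service: stores one credential per registered device."""

    def __init__(self) -> None:
        # user -> device_id -> device-bound secret registered at enrollment
        self.devices: Dict[str, Dict[str, bytes]] = {}
        # one outstanding single-use challenge per user
        self.challenges: Dict[str, bytes] = {}

    def enroll(self, user: str, device_id: str) -> Device:
        # Enrollment is the step the text says must be protected: whoever can
        # enroll a device for a user can later authenticate as that user.
        secret = secrets.token_bytes(32)
        self.devices.setdefault(user, {})[device_id] = secret
        return Device(device_id, secret)

    def revoke(self, user: str, device_id: str) -> None:
        # A lost or replaced device should be removed, not left registered.
        self.devices.get(user, {}).pop(device_id, None)

    def issue_challenge(self, user: str) -> bytes:
        challenge = secrets.token_bytes(32)
        self.challenges[user] = challenge
        return challenge

    def verify(self, user: str, device_id: str, response: Optional[bytes]) -> bool:
        # Pop the challenge so it cannot be reused, whether or not this succeeds.
        challenge = self.challenges.pop(user, None)
        secret = self.devices.get(user, {}).get(device_id)
        if challenge is None or secret is None or response is None:
            return False
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo() -> Dict[str, bool]:
    """Walk through the device-replacement scenario and report each outcome."""
    svc = Service()
    user = "alice"  # constructed sample user

    old = svc.enroll(user, "phone-old")
    old_ok = svc.verify(user, old.device_id,
                        old.respond(svc.issue_challenge(user), biometric_ok=True))

    # Biometric match fails on the device: no response is produced, login fails.
    bio_failed = svc.verify(user, old.device_id,
                            old.respond(svc.issue_challenge(user), biometric_ok=False))

    # A brand-new device has its own secret but nothing registered at the service,
    # so even a successful local biometric check cannot authenticate the user.
    new = Device("phone-new", secrets.token_bytes(32))
    unregistered = svc.verify(user, new.device_id,
                              new.respond(svc.issue_challenge(user), biometric_ok=True))

    # After re-registration (and revoking the old device) the new device works.
    svc.revoke(user, old.device_id)
    new = svc.enroll(user, "phone-new")
    challenge = svc.issue_challenge(user)
    response = new.respond(challenge, biometric_ok=True)
    reenrolled_ok = svc.verify(user, new.device_id, response)

    # Replaying the same response fails because the challenge was single-use.
    replay = svc.verify(user, new.device_id, response)

    return {
        "old_device_ok": old_ok,
        "biometric_failed": bio_failed,
        "unregistered_device": unregistered,
        "reenrolled_device_ok": reenrolled_ok,
        "replay_rejected": replay,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point to take from the walkthrough is the gap it exposes: the `unregistered_device` case fails exactly as it should, and the only thing that turns it into a success is `enroll`. Whatever gates that call (a password, a recovery code, an existing registered device, or an administrator) is the real security boundary of a passwordless deployment.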
Most legacy systems use old protocols, such as RADIUS, that rely on passwords. These older systems are difficult to manage and maintain, and they typically use an organizational identity store such as LDAP for password authentication. In these situations the identity store must continue to support passwords for as long as the legacy systems remain in place.
Many organizations stop here, not realizing there are solutions for eliminating passwords without touching the legacy system. It is not simple, but there are usually workarounds that can be employed depending on the architecture and systems in use.
Many organizations are required to use multi-factor authentication (MFA) to comply with various identity-related regulations. The easiest way to address MFA is to keep password-based credentials and layer another factor on top, such as email-based one-time codes. Unfortunately, these organizations have not only failed to eliminate passwords, they have made logging in even harder for users.
With about the same effort required to deploy an MFA product, organizations can deploy a completely passwordless solution that is more secure and more convenient.
Passwords are considered very easy to integrate into nearly any system, no matter how old. Every identity management solution supports them out of the box, and every service offers them as the default option. However, the more you rely on them, the harder it becomes to get rid of them in the long run.
The effort required to build a new service or application that is completely passwordless is not much greater than the effort needed to deploy a password-based solution. The latest identity and authentication technologies provide passwordless options that are easy to integrate and maintain.