Although passwordless authentication options are gaining prominence, there is a reason why passwords are still used 60 years after their inception: they are effective
As the world is on the cusp of a new autonomous tech era, with advances like driverless cars, human-machine integration, and groundbreaking robotics, it is still surprising to see organizations rely on passwords. Although passwordless authentication options are gaining prominence, there is a reason why passwords are still used 60 years after their inception: they are effective.
Unlike facial recognition and other biometric solutions, passwords are either completely right or completely wrong. Currently, biometrics require a margin of error; for example, it has been shown that people can open their relatives' phones via facial recognition apps. Even more importantly, if one's biometric data is ever compromised, it can never be replaced.
Last August, web privacy company, vpnMentor, discovered a breach in Suprema's security platform, Biostar2, which exposed facial recognition data and fingerprint records for one million people. According to vpnMentor, Suprema saved exact copies of users' fingerprints, potentially compromising these individuals' biometric information forever. For companies that do store users' biometric data, it is wise to utilize hashing or blockchain technology to protect this data. Nevertheless, unlike passwords, biometric data—be it irises, faces, or fingerprints—cannot be replaced.
For the time being, passwords are here to stay; however, there are some important aspects to consider:
- Multifactor authentication is key: Whether one uses password-based authentication or not, an organization should require multi-factor authentication (MFA). There is no excuse not to employ MFA, especially with the current proliferation of applications that enable such services.
- Do not require mandatory password resets: If an organization does have MFA in place, one definitely should not require the mandatory password resets. In fact, such requirements arguably make the network less safe, as employees tend to write their passwords on Post-It notes at their workstations, and resort to using similar passwords, as well as passwords that are easy for hackers to guess. As a caveat, if employees change roles within an organization, it may make sense to require a password reset. Ideally, this reset request should be automated as part of the transfer process.
- Require complex passwords: Given that password brute force attacks are still the most common form attack, it is still important to require complex passwords and disallow weak passwords. The NIST recommends requiring long, complex passwords that employees have not used in the past.
- Manage privileged accounts separately: It is wise to consider utilizing an enterprise-grade password manager to stay on top of password security issues. Additionally, as privileged accounts are typically shared by a few people in an organization, one should consider having a separate program to manage the passwords for these privileged accounts. To get certain tasks completed, the system administration should be able to elevate privileges for any given user for a set period of time, and if necessary, the system admin should be able to disable direct authentication to all privileged accounts.
- Look into passwordless authentication options: Despite the effectiveness of passwords, wherever possible, one can look to eliminate or disable password-based authentication. Passwordless authentication, such as one-time passwords (OTPs) sent via email and SMS, are becoming increasingly popular. That said, email may be a safer conduit than SMS, as the latter option can be susceptible to phone networks' vulnerabilities.
Until passwordless authentication options and biometric solutions become more advanced, it is wise to rely on long, complex passwords and multi-factor authentication. Unlike passwords, biometric solutions—fingerprint modules, iris scanners, and voice recognition systems—require a margin of error. Additionally, as in the breach of Suprema's biometric database, if such an event does occur, users' sensitive biometric data is compromised for life.
The author is Vice President at ManageEngine