We're not ready for passwordless systems—and that's quite alright
Article by ManageEngine vice president Rajesh Ganesan.
We're on the cusp of a new tech era, with advances like driverless cars, human-machine integration, and groundbreaking robotics. So it's somewhat surprising that many online users are relying on passwords. Although passwordless authentication options are gaining prominence, there's a reason why we're still using passwords 60 years after their inception: they're effective.
Unlike facial recognition and other biometric solutions, passwords are either completely right or completely wrong. Currently, biometrics require a margin of error; for example, it has been proven that people can open their relatives' phones via facial recognition apps. Even more importantly, if one's biometric data is ever compromised, it can never be replaced.
Unfortunately, we have already seen a significant breach of biometric data. Last August, web privacy company vpnMentor discovered a breach in Suprema's security platform, Biostar2, which exposed facial recognition data and fingerprint records for one million people. According to vpnMentor, Suprema saved exact copies of users' fingerprints, potentially compromising these individuals' biometric information forever. Companies that store users' biometric data would be wise to utilise hashing or blockchain technology to protect this data. Nevertheless, unlike passwords, biometric data—be it irises, faces, or fingerprints—can not be replaced.
For the time being, passwords are here to stay; however, there are some important things to consider.
Multi-factor authentication is vital
Whether you use password-based authentication or not, your organisation should require multi-factor authentication (MFA). There is no excuse not to employ MFA, especially with the current proliferation of applications that enable such services.
Do not require mandatory password resets
If your organisation does have MFA in place, you should not require the mandatory password resets. In fact, such requirements arguably make your network less safe, as employees tend to write their passwords on Post-It notes at their work stations, and resort to using similar passwords, as well as passwords that are easy for hackers to guess.
As a caveat, if employees change roles within your organisation, it may make sense to require a password reset. Ideally, this reset request should be automated as part of the transfer process.
Require complex passwords
Given that password brute force attacks are still the most common form attack, it is still important to require complex passwords and disallow weak passwords. The National Institute of Standards and Technology recommends requiring long, complex passwords that employees haven't used in the past.
Manage privileged accounts separately
It is wise to consider utilising an enterprise-grade password manager to stay on top of password security issues. Additionally, as privileged accounts are typically shared by a few people in an organisation, you should consider having a separate program to manage these privileged accounts' passwords.
To get certain tasks completed, system administrators should be able to elevate privileges for any given user for a set period, and if necessary, the system admin should be able to disable direct authentication to all privileged accounts.
Look into passwordless authentication options
Despite the effectiveness of passwords, wherever possible, you can look to eliminate or disable password-based authentication. Passwordless authentication, such as one-time passwords (OTPs) sent via email and SMS, are becoming increasingly popular. That said, email may be a safer conduit than SMS, as the latter option can be susceptible to phone networks' vulnerabilities.
Until passwordless authentication options and biometric solutions become more advanced, it is wise to rely on long, complex passwords and multi-factor authentication.
Unlike passwords, biometric solutions—fingerprint modules, iris scanners, and voice recognition systems—require a margin of error. Additionally, as seen in Suprema's biometric database breach, if such an event does occur, users' sensitive biometric data is compromised for life.