Manuel Sanchez at iManage argues that viewing passwordless authentication as a way of stopping security breaches is oversimplified: attackers simply find new ways to get around it.

The shift towards passwordless authentication is picking up steam. Organisations are moving away from “something you know” (a password) to “something you have” (a personal device) and “something you are” (biometrics such as your voice, your face or your fingerprint).
Removing the shared secret takes away the thing that phishing, credential stuffing and password reuse depend on, which lowers the risk of stolen credentials being used to breach a network and reach sensitive information. But even as it gets more advanced, passwordless authentication doesn’t close all the security gaps.
What’s the best way for organisations to safely move forward with newer forms of authentication like passwordless, while fortifying themselves against the bad actors that are already looking for ways to outsmart it?
Moving towards passwordless is much like any other technology rollout – it needs to be thoughtfully planned out.
A sensible first step is to conduct an inventory of all the applications that are being used across the organisation, as well as the authentication methods that they support. Which ones only support user ID and password? Which ones rely on basic forms of MFA, such as having codes texted to a device, versus having some sort of identity-based authentication?
The inventory shows which forms of authentication the applications people use every day can actually support, and singles out the applications that are a risk because they cannot offer anything stronger than a password or a code sent by text.
Next, organisations can decide which type of passwordless authentication they’d like to embrace, since it comes in different forms.
Facial recognition (Apple’s Face ID being the best-known example) is one of the most popular versions, but it is not foolproof given the swiftly advancing pace of deepfake technology. With modest effort, a bad actor can conjure up a convincing image of someone’s face to fool a facial recognition system and gain access to a device and the systems it unlocks. How much effort depends on the implementation: a system that matches a flat camera image and performs no liveness check is far easier to fool with a synthesised face than one that captures depth and tests for a live subject, so it is worth asking vendors which of the two they actually do.
Public figures and individuals who maintain an active presence on social media are particularly juicy potential targets for this “workaround” because they provide plenty of photographic data for bad actors to draw upon to generate a deepfake image.
To sidestep this, an alternative might be to go with voice recognition instead, but a similar problem lurks with this form of authentication. Executives who participate in podcasts or appear in YouTube videos are supplying hours’ worth of voice data that can be used to create a credible replica of their voice.
Lest this picture seem too bleak, it’s worth remembering that not every organisation is going to have such a large bullseye painted on it, nor is every employee within the organisation going to be a key target.
Another way to get around the deepfake challenge is to take a risk-based approach to classifying the applications used across the organisation. Taking a “triage” approach, popular forms of passwordless such as facial recognition can be accepted for lower-tier, less sensitive applications, while forms that are harder to duplicate, such as fingerprints, are required for highly sensitive applications or for a particular subset of people, perhaps anyone in a “C-suite” position or equivalent. It also helps to remember where the biometric is checked: in most passwordless schemes it unlocks a credential stored on the user’s own device, so a deepfake only helps an attacker who also holds that device, whereas a biometric matched on a remote server is exposed to anything that can feed it a convincing image or recording. It’s all about finding the right balance between using the authentication methods that provide the greatest protection against threat actors and not hindering user productivity.
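The inventory step and the triage step above fit together naturally as one small policy check: list what each application can do, decide what each tier and role must use, and flag where the two don’t meet. The following is an added example, not code from the article or from iManage; the tier names, role names, method ranking and sample inventory are all assumed for illustration.

```python
# Added example (not from the article): an application inventory joined to a
# risk-tiered authentication policy of the kind the triage above describes.
# Tier names, role names, the method ranking and the sample apps are all assumed.
from dataclasses import dataclass
from enum import Enum


class Method(Enum):
    PASSWORD = "password"
    SMS_OTP = "sms_otp"
    AUTHENTICATOR_APP = "authenticator_app"
    FACE = "face"
    VOICE = "voice"
    FINGERPRINT = "fingerprint"


# Assumed ranking: how hard each factor is to steal or replicate. Face and voice
# sit below fingerprint because both can be synthesised from public recordings;
# a password or SMS code is a shared secret that can simply be phished.
STRENGTH = {
    Method.PASSWORD: 1,
    Method.SMS_OTP: 2,
    Method.AUTHENTICATOR_APP: 3,
    Method.FACE: 4,
    Method.VOICE: 4,
    Method.FINGERPRINT: 5,
}

# Assumed policy: minimum factor per application tier, plus a floor for roles
# that are attractive deepfake targets regardless of which app they open.
TIER_MINIMUM = {"low": Method.FACE, "standard": Method.FACE, "high": Method.FINGERPRINT}
ROLE_MINIMUM = {"c-suite": Method.FINGERPRINT}


@dataclass(frozen=True)
class App:
    name: str
    tier: str
    supported: frozenset  # Methods the application can actually perform


def strongest(app: App) -> int:
    """Best assurance the application can offer, whatever the policy asks for."""
    return max(STRENGTH[m] for m in app.supported)


def required_strength(app: App, role: str) -> int:
    """Policy floor: the stricter of the app's tier and the user's role."""
    tier_floor = STRENGTH[TIER_MINIMUM[app.tier]]
    role_floor = STRENGTH[ROLE_MINIMUM[role]] if role in ROLE_MINIMUM else 0
    return max(tier_floor, role_floor)


def legacy_apps(inventory) -> list:
    """Inventory step: apps that cannot do any passwordless method at all."""
    return [a.name for a in inventory if strongest(a) < STRENGTH[Method.FACE]]


def coverage_gaps(inventory, role: str) -> list:
    """Apps whose best supported method is weaker than the policy demands for this role."""
    return [a.name for a in inventory if strongest(a) < required_strength(a, role)]


def authorize(app: App, role: str, method: Method) -> bool:
    """Login decision: the method must be one the app supports and must meet the floor."""
    if method not in app.supported:
        return False
    return STRENGTH[method] >= required_strength(app, role)


# Constructed sample inventory (not real systems).
INVENTORY = [
    App("hr-portal", "high", frozenset({Method.PASSWORD, Method.SMS_OTP})),
    App("wiki", "low", frozenset({Method.PASSWORD, Method.FACE})),
    App("finance", "high", frozenset({Method.PASSWORD, Method.FACE, Method.FINGERPRINT})),
    App("crm", "standard", frozenset({Method.PASSWORD, Method.AUTHENTICATOR_APP,
                                      Method.FACE, Method.VOICE})),
]
BY_NAME = {a.name: a for a in INVENTORY}

if __name__ == "__main__":
    print("cannot go passwordless:", legacy_apps(INVENTORY))
    print("gaps for staff:", coverage_gaps(INVENTORY, "staff"))
    print("gaps for c-suite:", coverage_gaps(INVENTORY, "c-suite"))
    print("staff -> finance with face:", authorize(BY_NAME["finance"], "staff", Method.FACE))
```

Running it shows the two kinds of finding the article asks for: `hr-portal` cannot go passwordless at all, and once the C-suite floor is applied, `wiki` and `crm` also fall short because face and voice are the strongest factors they support. The point of keeping `STRENGTH` and the two minimum tables as data is that the ranking can be revised as deepfake tooling improves without touching the decision logic.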
No matter which form of authentication an organisation embraces, the user experience is key. MFA fatigue is, unfortunately, very real, and people are increasingly frustrated with the hoops they must jump through to log into an application: digging up a password, requesting a code on a separate device, and then hoping to enter it before the ever-ticking countdown clock says it has expired. Fatigue is also something attackers exploit directly, by bombarding a user with approval prompts until a tired one is accepted, which is one more reason to prefer methods that do not reduce to tapping “approve”.
To identify proactively any aspects of authentication that are too burdensome or need to be fine-tuned, it is worth piloting any technology under assessment with small user groups. “Let’s go passwordless on Monday morning for everyone across all our offices!” is not the go-to move here. Instead, roll it out gradually and pay careful attention to the user experience, balancing the need for security with the least possible amount of friction.
The view that passwordless authentication eliminates security breaches is, unfortunately, oversimplified. Passwordless does not mean breach-less.
The best approach is to recognise that authentication is just one layer in a comprehensive security strategy, not a silver bullet for breach prevention. Combined with other controls, such as zero-trust architectures, information barriers, and capable threat detection and response, strong authentication becomes a critical enforcement layer. Together these let organisations defend against unauthorised access, minimise the risk to confidential data within their systems, and keep pace as today’s threats evolve into tomorrow’s challenges.
Manuel Sanchez is an Information Security and Compliance Specialist at iManage
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543