Buyer Beware: Passwordless Doesn’t Always Mean “No-Passwords”
Updated: Dec 30, 2019
Many vendors hype the elimination of passwords, only for you to discover in the fine print that they are simply masking user credentials stored on the phone or pointing to them in a central repository. This type of “password masking” is generally built to provide user convenience rather than stronger security. For example, on an iOS device, if a user fails a Face ID scan, they fall back to a passcode for authentication. Even with Microsoft’s Windows Hello biometric solution, a user who fails the biometric scan is presented with a PIN code for authentication.
It’s important, especially for enterprise organizations, to realize that password masking does not reduce risk. Compromised user credentials and passwords can still be used by bad actors to access an organization’s IT infrastructure through unprotected back-end systems.
While many vendors promise the elimination of passwords, most only do part of the job or do it in a very narrow way on limited devices and platforms. There are only a handful of solutions that can truly eliminate passwords throughout an organization, using various secure multi-factor authentication tools that don’t rely on fallbacks to PINs or passcodes.
True “no-password” passwordless solutions don’t rely on passwords anywhere in the data center or the cloud. Instead, biometric factors such as fingerprints and facial scans are combined with trusted devices that are bound to the account to create a strong, secure means of authentication that is extremely difficult to lose, forget, steal or guess. When users log in to their account with a true passwordless solution, they never provide a password, nor does any system expect a password to be shared as part of the authentication process. Even federated systems can use the validation offered by the passwordless solution instead of password-based credentials from a directory store.
The best no-password, passwordless solutions begin with the concept of simple password elimination and then add centralized risk intelligence and decisioning, broad orchestration, integration, and support for multiple authentication scenarios including online and offline access.
To learn more about eliminating passwords in your organization, please visit the Enterprise Password Replacement product page and download our new solution brief. It explains how Transmit Security eliminates passwords using a continuous adaptive risk approach that’s safer and more secure than any other passwordless or “passwordless” solution available today.