Password Managers Vs. Passwordless Authentication

Shimrit Tzur-David | April 24, 2019

Password management apps have become a common tool for both the individual consumer and businesses.

On the surface, the attraction of these platforms is understandable.

Password managers provide easy solutions for many of the tasks that go into keeping a handle on login credentials, from managing passwords for different accounts to sharing options between users.

While the adoption of password managers by businesses has been growing rapidly in recent years, these solutions are not without their flaws.

Far from a perfect solution, password managers fall short on all of the key elements important to any network administrator.

Security

Organized does not mean more secure. Having a password manager doesn’t change the fact that the user’s accounts are still accessible by a single authentication factor, meaning they are still susceptible to any type of password-related attack, such as keyloggers, Man in the Middle (MITM) attacks, or password phishing.

Far from improving authentication assurance, password managers actually create a security liability by presenting an enticing target for hackers. Because password managers provide access to all of the credentials for a given user (perhaps even an entire company), cybercriminals are spurred to identify flaws that will grant them illicit access to the managers themselves. Last year, researchers identified a series of vulnerabilities in several popular password managers that allow malicious apps to trick the programs into providing account passwords. This in turn opens up a slew of other weaknesses, such as the possibility of Man in the Browser (MITB) attacks that phish password managers for information.

Cost of Ownership

Beyond the security issues inseparable from passwords is the financial burden placed on enterprises that continue to use them. For instance, the responsibility on IT to manage the troubleshooting issues that inevitably arise from passwords costs companies money. According to Forrester, the cost of a single password reset averages $70. The inability to access accounts due to these technicalities also hurts workflow and generates losses. According to recent industry research, a large percentage of users regularly fail to complete an online transaction or other operation because of password issues. All of the flaws that make passwords so expensive still apply when using a password manager.

Identity Management

Likely the worst part about password managers is the false sense of security they give to the administrators who employ them.

Password managers provide nothing when it comes to reinforcing password policies. Employees can still share passwords, and IT departments and administrators are still powerless to stop them. Additionally, password managers can be added by users without the knowledge of the organization and can be protected by master passwords that don’t abide by IT policies.

Attempts to improve the assurance of passwords may be well intentioned, but at the end of the day they are only futile attempts to prop up an authentication method long recognized as weak and inefficient. Like other attempts to bolster the password, managers are simply band-aid solutions that only nominally improve user experience and do little to strengthen security.

That’s why at Secret Double Octopus we’re adamant that the best way to handle passwords is to get rid of them, and replace them with high-assurance, out-of-band authentication.

The Octopus Authenticator simply dispenses with all of the issues password managers attempt to solve. With no passwords needed to access accounts, users are left with a simple, easy to operate solution that leaves networks safer than they could ever be under a password platform.