Putting Lipstick on a Password?

There’s a saying – “You can put lipstick on a pig but it’s still a pig.”

Well, you can put the word “passwordless” on a password, but it’s still a password.

This might be the strangest thing I’ve seen in 2020: passwordless products that support password-based multi-factor authentication (MFA).

If that’s conceptually difficult to understand, you’re not alone. Our customers don’t quite get it either. At a high level it looks something like this:

Basically, in these scenarios password-based authentication is used as the front-door gateway into a user experience managed by a passwordless platform. I know that sounds confusing. Stay with me.

The general idea is that the “passwordless platform” acts as middleware between a multi-factor mobile authenticator app, the user’s workstation, and the identity and application layers. On the back end, there may also be a password rotation mechanism for increased security. Rather than providing a proprietary mobile app that provides passwordless MFA, the “platform” functions as more of an abstraction layer behind the login experience.

This gives the end-user a choice in which mobile app they can use alongside a password to log into their workstation, while also removing the requirement of a separate mobile authenticator.

Passwords with Extra Steps

Giving the user more choice over their preferred authentication method is great, but it is unclear to me what value this is supposed to provide for an enterprise. What’s wrong with this approach?

You are still using passwords
The fundamental flaw with this methodology is that it does not eliminate the use of passwords. The end-users still need to remember a password. The applications still rely on password-based authentication. The back-end is still storing passwords. I’m not sure this can even be called a “passwordless” initiative.

You now have another password tool to manage
As if the identity management stack wasn’t complicated enough, the addition of an orchestration layer to oversee third-party MFA products introduces yet another tool you need to use. I’ve seen passwordless products positioned as a “superior policy management layer” that gives enterprises more control over the login experience. But how is that eliminating the password? And why is a separate product required to do this? Could the admin just use the policy management systems already built into their existing identity provider?

You slow down your passwordless initiatives
I would bet that this approach actually slows down a company’s passwordless initiative. If you are not providing a mobile app for users to log in without a password, and you’re keeping passwords enabled at the front door, what expectation is there to go passwordless? There really is no incentive for the end-user to stop using their existing authentication methods.

You spend twice as much on MFA
Buying a passwordless platform and marrying it to a legacy MFA app delivers none of the benefits of password elimination, while maintaining all of the password costs.

If you’ve come this far and are still confused… it’s okay. So am I. We’ve talked about the many differences between passwordless marketing and passwordless MFA – but this topic creates a whole new level of messaging confusion. I’m not sure this approach can be called passwordless by any measure. It seems like a more complicated way to use password-based multi-factor authentication.

In fact it reminds me of a Rube Goldberg machine:

What Passwordless Authentication should look like:

At HYPR we believe that True Passwordless MFA should happen end-to-end. From the user’s mobile device, to their workstation, all the way up to the identity and application layers – passwords can and should be eliminated at every step of the way. It’s that simple.

You can put lipstick on a password. But at the end of the day, it’s still a password.
