Can passwordless logins ever exist outside of web applications?

Security & GRCThreat & Vulnerability Management
1.2k viewscircle icon3 Upvotescircle icon5 Comments
Sort by:
Director of IT in Software4 years ago

FaceID and TouchID without a password fallback should be possible now with technology. Its always the edge cases that warrants the password as a fallback.

Lightbulb on2
vCISO and COO in Software4 years ago

Even with YubiKeys, etc., it's like RSA all over again: I used to have boxes of RSA tokens because everybody kept losing them and we were constantly reassigning tokens. So I see that happening with YubiKey as well and other hard code vendors like that.

Lightbulb on3
CISO in Software4 years ago

Passwordless logins with tokens do work but when you go with passwordless logins, what you rely on instead is something I have that can be stolen. The security of two-factor authentication (2FA) using your phone—as something I have—has already been broken.

Lightbulb on2 circle icon2 Replies
no title4 years ago

@Dan Would like to know more about the broken 2FA on the phone assuming that does not use SMS.

Lightbulb on2
no title4 years ago

SMS, Keys, etc... any of those can physically  stolen and/or cloned.  The bottom line is no 2FA is bulletproof... but it still does SIGNIFICANTLY increase security, as it increases the risk (of getting caught) and difficulty of the attack (e.g. proximity to the target, stealing something physical all increase the likelihood of getting caught).   <br><br>So just saying that 2FA is definitely worth the increase in security,  however have no illusion that it is bulletproof and can 100% prevent fraud. Know the limitations of your technology,  know you&#39;re enemy, and know thyself.

Content you might like

Does someone have advice on how they have balanced the risk/reward as it relates to introducing Open-Source Software to organization? My org is dipping its toe into the OSS world and the architecture and risk governance teams are looking to get ahead of these requests by coming up with policies and standards for OSS technology being brought into our environment. To clarify, this is not for software development and CI/CD pipelines, SDLC etc. This is for installing solutions that already exist out there (Zabbix, GreyLog, Prometheus etc.) into the organization's environment. We are looking to provide a balance on the obvious risk with the ability to move fast (like everyone else now).

Which vendor solutions are being considered to "read, identify and redact information" in unstructured data sets? I'm specifically looking at solutions that can mask / redact or hide content within documents, that allow documents to be consumed but certain piece of information to be hidden.

What are the biggest technical challenges preventing organizations from being able to use their existing data to enable digital transformation?

Finding data and putting it to good use13%

Controlling the security and privacy of data45%

Understanding how data is currently being used20%

All of the above19%

None of the above1%

View Results

We are considering a scanning solution for detecting Personal Information (PI) in our data assets, mainly AWS S3, DynamoDB, Salesforce, etc. We need the solution to detect PI, identify the type (e.g., infotype), and optionally map it to our own PI categories. We are currently considering BigID. Do you have experience with this tool or any other tools that can help us scan across different data platforms and technologies?

Read More Comments

Are CISA's current recommendations for preventing Maui ransomware attacks sufficient?

Yes, if followed correctly.39%

Unsure38%

No, there is still a significant risk.19%

Other (please tell us in the comments)3%

View Results