Cognitive Pitfall over Password Removal
Passwordless vs. MFA: What’s the Difference?
The ‘vs’ in the title caught my eye.
‘Passwordless’ is generally taken to mean the state in which the password has been removed, while MFA is taken to mean an authentication process that involves multiple authenticators drawn from passwords, tokens and biometrics.
Then there is room for ‘Passwordless MFA’, which involves only tokens and biometrics. I wonder how one can draw a difference between ‘Passwordless’ and ‘MFA’ when ‘Passwordless MFA’ exists. This may be one of the many conundrums we find in cybersecurity.
Well, a LinkedIn connection had pushed me to think more specifically about what lay behind the cognitive pitfall over the removal of passwords (= secret credentials). I suspected there were three possible scenarios:
(1) They may have taken ‘what is not good and helpful enough’ for ‘what is bad and harmful’.
(2) They may have failed to notice that a token, whether PKI-based or otherwise, also carries an attack surface: it can be stolen or otherwise compromised.
(3) They may have assumed that the defense surface is a part of the attack surface in the case of passwords, while the attack surface is a part of the defense surface in the case of physical tokens.
And this ‘Passwordless vs. MFA’ way of thinking might provide a clue to another possible scenario: they may have mixed up the issue of ‘authenticators’ with that of the ‘deployment of authenticators’.
Ref: “LOSS of Security Taken for GAIN of Security” https://www.linkedin.com/pulse/loss-security-taken-gain-hitoshi-kokumai/
We wish that the ‘passwordless’ folks had listened to our advice before diving so deep into the cognitive pitfall.
Digital identity blogs collected at https://www.linkedin.com/pulse/collection-digital-identity-comments-hitoshi-kokumai-posted-kokumai/