Passwordless Authentication With Legacy Systems: A Comprehensive Guide

We all know the problem; password-based attacks have been on the rise for years now and that curve shows no sign of slowing down. Luckily, the emergence of passwordless authentication did look like it could be a promising solution… but wait. What happens if you have legacy systems? In this post, we will explore the challenges and the solutions of implementing passwordless authentication in legacy systems.

What Are the Security Issues With Legacy Systems?

Legacy systems often lack the latest security updates and features, making them more vulnerable to cyber-attacks overall. They don’t support modern authentication methods either, such as multi-factor authentication or biometrics. This only exacerbates the issue, and requires them to remain reliant on password-based authentication, which we all know, is less secure. However, changing old systems which are ‘holding up’ the rest of the infrastructure, is often not an option. We get it. But something needs to be done here.

‍

The Struggle of Updating Legacy & On-Prem Systems

Legacy systems such as such as Microsoft Terminal Server, legacy on-premises applications and ERP systems (e.g. SAP, Dynamics, etc.) are very often the number one stumbling block for organizations when looking to scope passwordless projects. In our experience, this comes down to the effort, time and money involved in upgrading them to modern authentication solutions that work on SAML, OIDC, or WS-Fed. It’s simply not viable - on too many levels.

But with password-based attacks such as phishing, credential stuffing, and brute force attacks still on the rise, it is obvious the password is no longer considered a reliable form of authentication. Eliminating these types of attacks by using other forms of authentication, such as biometrics or security keys is too attractive a proposition to pass up – even with legacy systems. In fact, it is crucial. So, what is the answer?

Is the Goal Preventing Password-Based Attacks or “Going Passwordless”?

Do you want “passwordless” or do you want to prevent all password-based attacks? Sometimes it pays to zoom out and make sure that we are answering the right problem. Passwordless is a journey that organisations should begin, even from a perspective of reduced management and increased user satisfaction. Passwords are expensive. But as in Pareto's law, 80% of deployments can usually be made passwordless, while the remaining 20% will continue to be password-based. Instead of chasing the new shiny thing, i.e. passwordless, organisations should look for solutions that actually solve the problem: prevent all credential phishing and password-based attacks. In other words, passwordless, is a cool feature, but it is not the overall goal. The goal is to be un-phishable and prevent all password-based attacks.

Going 80% Passwordless With Un-Phishable MFA

Phish-proof MFA is a form of multi-factor authentication that prevents all credential phishing and password-based attacks, and it is also passwordless. Just like any MFA, it uses a combination of something you know (such as a PIN, which only works on a specific device), something you have (a cryptographic key), or something you are (your biometrics) to verify your identity. However, it goes one step further.

Phish-proof MFA ensures that the combination to achieve MFA can only be used on an authentic URL or app. This means, if a user goes to a fake URL, the system won’t prompt the user to use MFA and the user will not have a mechanism to login. It therefore becomes the full stop in any phishing process, and the ultimate goal is achieved. That is, preventing all credential phishing and password-based attacks, including adversary-in-the-middle attacks (AiTM).

Protecting the Password-Only 20% With Un-Phishable MFA

So, what about the legacy systems that cannot be made passwordless?  Well, there are various strategies IT teams can use to secure them, including regular patching and updates, the use of firewalls & other security tools, and the implementation of 1^st generation MFA. But all that involves resources and expertise on an ongoing basis and 1^st generation MFA still does not protect against credential phishing attacks.

Fret not, there is good news. The solution is to require the user to authenticate with phish-proof MFA before they are presented with the password-based login prompt of the legacy system. Additionally, by leveraging standards such as SAML, OIDC, WS-Fed, and WebAuthn, deployment of phish-proof MFA takes just minutes. These standards enable interoperability between different authentication systems, making it easier to deploy across different applications without having to upgrade the legacy systems. For example, a Terminal Server’s URL can be protected by integrating phish-proof MFA with a reverse proxy server, ZTNA, or micro-tunnelling VPN in minutes.

Realizing Cost Savings Without the Need for Change

There is a comparable cost saving when selecting phish-proof MFA over just passwordless MFA. Consider the difference of trying to make the entire organization passwordless, which, as we have discussed, often includes new hardware and software, as well as significant changes to existing systems and processes. In contrast, none of that is required with phish-proof MFA, which can be deployed swiftly using an organisation’s existing infrastructure & devices and which offers a clientless and agentless rollout that is completely self-service for the users. A nice added bonus is that phish-proof MFA is obviously also passwordless (did we mention that?), so the outcome is quicker, easier, safer and better value.

In conclusion, eliminating credential phishing and password-based attacks is a critical goal for any organization that wants to improve its security posture. While passwordless is a feature and it is not always feasible to eliminate passwords entirely, particularly in legacy systems. Phish-proof MFA offers a cost-effective solution that can be deployed quickly and easily, and that protects both legacy and modern systems.

‍If you would like to discuss any of this with us, please feel free to reach out any time.

Additionally, if you are attending infoSecurity Europe this year (20th - 23rd June 2023 @ London ExCel) and would like to come and see us, we will be on stand P111 in the Innovation Zone alongside the UK's Department for Science Innovation & Technology, as a finalist in the most Innovative Cyber Security SME award. Come and find us, or pre-book a meeting by using our contact details linked above.

FAQ 

What are the security issues with legacy systems? Legacy systems often lack the latest security updates and features, making them more vulnerable to cyber-attacks. They may also not support modern authentication methods, such as multi-factor authentication or biometrics, making them reliant on less secure password-based authentication.

What are the disadvantages of passwordless authentication? While passwordless authentication offers many advantages, it can also present challenges. These include the need for additional hardware or software, potential user resistance to new methods, and the difficulty of integrating with legacy systems that do not support modern authentication standards.

Why is passwordless authentication bad? Passwordless authentication is not inherently bad. In fact, it can significantly enhance security by eliminating the risk of password-based attacks. However, it can be challenging to implement, particularly in legacy systems, and may require significant changes to existing processes and infrastructure.

How do you secure a legacy system? Securing a legacy system can involve a variety of strategies, including regular patching and updates, the use of firewalls and other security tools, and the implementation of secure authentication methods. In some cases, it may be necessary to up grade or replace the system to ensure adequate security.