Secure Cloudlink warns against some IAMs

IAM vendors who store or replicate passwords are not fit for purpose, warns Secure Cloudlink

The entire password concept needs a complete rethink following data breaches of vendors such as OneLogin and LastPass, says SecureCloudlink

Identity and access management (IAM) systems which store or replicate passwords are “no longer fit for purpose”, according to SecureCloudlink.

Until passwords are eliminated security will continue to be compromised due to the vulnerability of passwords, adds the company.

Both OneLogin and LastPass have suffered security breaches recently, leaving their users needing to change their passwords. But even changing their passwords may not be enough.

David Worrall, CTO of Secure Cloudlink said: “The password usability problem has escalated and the hacks of OneLogin and LastPass only go to reinforce this. Now security vendors, the people who are supposed to protect users, are being hacked.

“The fundamental issue comes down to passwords. IAM vendors who store or require passwords are flawed and do not offer a completely secure solution. It’s not enough to have a complex password or even an encrypted password as these can be stolen and the encryption cracked.”

Gideon Wilkins, VP Sales and Marketing at Secure Cloudlink, adds: “Any product that still depends on a password for authentication and authorisation is clearly a security risk, even those that ‘mask’ the back ended stored password with a biometric front end.

“Although companies claim that they are eliminating the password, in reality they are just hiding them. Passwords are still being stored and replicated behind the scenes and they are spread all over the place, meaning hackers can capture these credentials.”

Secure Cloudlink says the industry needs to break the link between a user’s identity and the authentication method – the password – and look at solutions that do not involve passwords.