Employees, customers, trading partners, business leaders, security professionals, and IT executives all share a common need: To properly and securely use their systems, applications, and services, they must verify their identity. And for decades, that has meant studiously typing in a password.
Over the years, password-based identity authentication has changed somewhat—add a capital letter or two, insert a symbol, change it up every six months or so—but the basic process remains the same.
But password-centric authentication has come under a lot of criticism because passwords are too easily hacked, especially with effective, cheap machine learning algorithms that’s widely available on the dark web. And let’s be honest: Users hate putting a lot of mental energy into password creation, so it’s not a surprise that, until fairly recently, the most common passwords were “password” and “abcde” or some variant. Obviously, that’s a big problem.
In his eye-opening book, “Future Crimes,” author and cybersecurity expert Marc Goodman laid out the stark reality. “Given advances in computing power, cloud processing, and crimeware from the digital underground, more than 90% of passwords can be brute-forced and cracked within just a few hours, according to a study by Deloitte Consulting.”
Goodman’s not alone. In fact, Microsoft recently joined the growing number of global organizations concerned about password vulnerability by declaring its intent to move away from passwords for authentication.
So, when your chief information security officer meets with executive staff or presents to the board, he or she may lay out a recommendation on improving identity protection and strengthening authentication procedures that calls for changing the password-centric authentication methodology.
After all, there are plenty of alternatives today that don’t require users to reconfigure their passwords every few months while logging those ever-changing passwords into an Excel spreadsheet or jotting it down on the world’s most favorite source of password recording—the Post-It Note.
Sure, you’ve undoubtedly heard about the move toward multi-factor authentication, a security paradigm that combines something you know (a password), something you have (such as a smart card or a certificate), and something you are (a physical characteristic, such as a fingerprint or a retinal scan).
But while approaches such as biometrics, digital certificates, security tokens, smart cards, user device recognition software, single-sign-on systems, and public key infrastructure all represent steps up from even today’s toughened password standards, there are too many reasons why passwords are likely to stick around for quite some time.
“Passwords, in and of themselves, aren’t the problem,” according to security consultant Kevin Beaver of Principle Logic. “It’s really a matter of a lack of strong password policies and proper policy enforcement.”
“At the heart of the matter is that too many IT and security teams have not properly evaluated the risks associated with password-based authentication, and they have not properly communicated that to management,” he added. “Management doesn’t know what the real problem is, and the users are dragged into this when all they want to do is just do their work without having to jump through hoops to authenticate their identity and access privileges.”
This is an area of risk that demands executives’ attention. After all, identity theft is a global problem, causing enterprises to spend billions of dollars annually to safeguard identities and ensure proper access. And managing passwords has become a cottage industry for many IT vendors, considering that the average business user has 191 passwords—and that 81% of confirmed data breaches are due to passwords.
Of course, that’s not to say that biometrics or similar non-password-based methodologies are impenetrable. Goodman points out that what he calls “Crime U” has posted online videos showing how to hack fingerprint scanners, while researchers have used the popular child’s toy Play-Doh “to create a fingerprint mold good enough to fool 90% of fingerprint readers.”
And getting rid of passwords, or diminishing organizational reliance on them, doesn’t take into account the long-standing dependence users have in working with enterprise applications initially designed for password-based authentication.
“We’d all like to think that the days of single-method authentication are going away, but I’m not sure that’s really true,” says Beaver. “I think that, in many cases, especially for critical legacy applications and databases, that day may be 10 or 20 years away. The increasing use of cloud services and Web-based applications will accelerate the trend because cloud security is not grounded in the traditional password mentality. But we should not kid ourselves to think that we’re all going to throw out our passwords.”
So, what should you ask your CISO about what to do about password-based authentication methods and the move to new approaches?
- Do you know what our current risk exposure is with passwords used by employees, third-party vendors, visitors, and customers? How does that risk potentially impact our business?
- How will alternative approaches fortify our security posture?
- Will those new approaches result in changes to our user experience?
- Have we considered local, national, and global privacy laws in the creation of our authentication protocols?
- What could go wrong, and how are we prepared to deal with it when that does happen?
Mike Perkowski is an award-winning journalist who has covered the technology industry across a wide range of technologies, services, and trends. He helped found and lead many of the most successful media properties serving IT-related markets over the past several decades.