It’s Time To Plan For A Future Beyond Passwords
By Wayne Rash
Passwords are a problem. They’re hard to remember, they’re easily stolen, they’re published on the dark web and there are too many of them. According to a study by password management company LastPass, the average number of passwords an employee must remember is 191. Nobody can remember that many passwords.
While it’s no longer necessary to change passwords every 90 days, mainly because that only provides hackers with a fresh supply of old passwords to try when they attack, the fact still is that most people either reuse the same passwords, or they make minor variations of a few passwords. Or worse, they write them down somewhere near their workstation. For example, a US Department of Justice employee was once seen passing through security at a Washington, DC, airport with all of his passwords and login information pasted to the bottom of his government-issued laptop.
Unfortunately, it’s going to get worse as more and more employees find themselves needing to access new cloud services, new online services and new websites. This is exacerbated by the trend to use your email address as your user name, which means that one half of your login credentials is now public, leaving your password as the only line of defense.
“Passwords have been around since computers were invented,” said Dan DeMichele, VP product management for LogMeIn, a secure access provider. “They’re not going away, even as we create a more passwordless experience for the end user.”
DeMichele said that 80 percent of breaches are the result of stolen passwords, usually the result of social engineering or phishing attacks. Other attacks, he said, are the result of brute force attacks in which the attacker uses a computer to continually guess the correct password until they’re successful. When a user reuses a password, or uses passwords with only slight variations, it makes the attacker’s job a lot easier.
Remembering Fewer Passwords
One solution to all of those identical or similar passwords is to have only one, or perhaps only a few. DeMichele suggests considering a move to a single sign-on approach, in which your access is managed by a layer of software that authenticates each user, and then passes that authentication along to all of the other applications or access points using either secure handshakes, or long, complex passwords the user never sees.
To make single sign-on more secure while keeping it manageable for the IT staff and usable by employees, it helps to add additional factors to the authentication process. Those factors can be smart cards such as those used by the federal government, USB security keys or biometric readers.
The Smartphone Link
A new approach to additional authentication factors, or multifactor authentication as it’s being called, is to treat the user’s smartphone as a means of authentication. This works well because most smartphones include a reasonably secure means of authentication of their own. Both Android and Apple phones already use either fingerprints or facial recognition for access, meaning you can use the phone as part of the process.
You’ve probably already found yourself responding to authentication messages in the form of text messages delivered to your phone. This is a means of authentication used by banks, the federal government and other organizations in an effort to prevent fraudulent logins. Unfortunately, authentication via SMS text message isn’t particularly secure because those messages can be spoofed or intercepted, but it’s better than nothing. A better way is to use an authenticator app on your smartphone, which doesn’t depend on SMS messaging: the app and the site share a secret once, at enrollment, and after that the code is computed on the phone rather than sent to it. Those apps are available from Microsoft, Google and others, including LastPass. Normally a site using an authenticator will say which one to use, or it will allow the use of several.
What You Are
It’s frequently said that good access security should depend on something you know, something you have and something you are. This could mean a password or passphrase, a security token or other device including a smartphone and a means of recognizing you through biometrics.
Your smartphone can handle some forms of biometrics, while other access means can support more extensive means of identifying you. For example, facilities may require you to have your retina or iris scanned or you may have your hand scanned for the unique pattern of blood vessels under your skin.
Likewise, you may be required to present a security token along with your biometrics. Those tokens can take the form of a USB device or for mobile security, a secure Bluetooth key. Any of these, used in combination with another form of authentication, can be reasonably secure without requiring your staff to struggle through endless password resets.
What to Plan For
A good place to start your planning for a password-free workplace is the FIDO Alliance. The Alliance is dedicated to solving the world’s password problem. The group sets standards for authentication, it certifies products and it conducts training through a series of events. With some study of the organization’s website, you can get a good understanding of what password-free authentication means, and you can find products that are compliant with the FIDO standards. For example, Microsoft Windows 10’s authentication has been certified as FIDO2 compliant, meeting the latest standard.
You can start with a single sign-on solution provided by a variety of vendors. Forrester Research has recently published a study on identity as a service, which should provide a starting point. This market is moving rapidly, so new vendors and new types of solutions are popping up all the time. DeMichele said that LogMeIn will be introducing a comprehensive access control product in December 2019.
You will also need to start planning for password-free access when you purchase IT products for your company. Laptop computers running Windows 10 with Windows Hello are one option. There are Android 7.0 devices that meet the FIDO2 standards. When you procure other equipment, you will need to confirm that it will work with your single sign-on products where that makes sense. And you’ll need to invest in physical security products that move beyond keypads and instead use multifactor authentication.
This may sound like a lot of trouble and expense, but for the most part it can be done in stages. For example, you can require that all new laptops support Windows Hello. You can also set a corporate standard based on the FIDO Alliance standards, and start working towards that incrementally.
But first, you need to start with the realization that the user name and password combination is irretrievably broken. It’s going to get worse. If you intend to minimize the chances of a company-killing data breach, your only choice is to start now to eliminate the password problem.