BOSTON -- When IT professionals develop a strategy for user password and authentication management, they must consider the two key metrics of security and usability.
IT professionals are looking for ways to minimize the reliance on passwords as the lone authentication factor, especially because 81% of hacking breaches occur due to stolen or weak passwords, according to Verizon's 2017 Data Breach Investigations Report. Adding other types of authentication to supplement -- or even replace -- user passwords can ensure security improves without hurting usability.
"Simply put, the world has a password problem," said Brett McDowell, executive director of the FIDO Alliance, based in Wakefield, Mass., here in a session at Identiverse.
A future without passwords?
Types of authentication that only require a single verification factor could be much more secure if users adopted complex, harder-to-predict passwords, but this pushes up against the idea of usability. The need for complex passwords, along with the 90- to 180-day password refreshes that are an industry standard in the enterprise, means that reliance on passwords alone can't meet security and usability standards at the same time.
"If users are being asked to create and remember incredibly complex passwords, IT isn't doing its job," said Don D'Souza, a cybersecurity manager at Fannie Mae, based in Washington, D.C.
IT professionals today are turning to two-factor authentication, relying on biometric and cryptographic methods to supplement passwords. The FIDO Alliance, a user authentication trade association, pushes for two-factor authentication that entirely excludes passwords in their current form.
McDowell broke down authentication methods into three categories:
- something you know, such as a traditional password or a PIN;
- something you possess, such as a mobile device or a token card; and
- something you are, which includes biometric authentication methods, such as voice, fingerprint or gesture recognition.
The FIDO Alliance advocates for organizations to shift toward the latter two of these options.
"We want to take user vulnerability out of the picture," McDowell said.
Taking away password autonomy from the user could improve security in many areas, but none more directly than phishing. Even if a user falls for a phishing email, his authentication is not compromised if two-factor authentication is in place, because the hacker lacks the cryptographic or biometric authentication access factor.
"With user passwords as a single-factor authentication, the only real protection against phishing is testing and training," D'Souza said.
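To make concrete why a relayed phishing attempt fails against a cryptographic second factor, here is an added example that is not from the article or the FIDO Alliance: a simplified FIDO-style challenge-response in Python, where an HMAC key shared at enrolment stands in for the device's real per-site key pair, and the site names, user name and class names are all assumed.

```python
import hashlib
import hmac
import secrets

# Constructed example, not code from the article: a FIDO-style challenge-response
# in which the second factor is a key held on the device and every response is
# bound to the web origin the browser reports (HMAC stands in for a key pair).

class Authenticator:
    """Device-held secrets, one per relying party ID; they never leave the device."""
    def __init__(self):
        self._keys = {}

    def register(self, rp_id):
        self._keys[rp_id] = secrets.token_bytes(32)
        return self._keys[rp_id]  # the relying party stores this at enrolment

    def respond(self, rp_id, origin, challenge):
        # The browser reports the real page origin; the device answers only for
        # the site the credential was registered to, so a phishing page gets nothing.
        if origin != rp_id or rp_id not in self._keys:
            return None
        return hmac.digest(self._keys[rp_id], origin.encode() + b"|" + challenge, hashlib.sha256)

class RelyingParty:
    """The genuine site: issues a fresh challenge and checks the origin-bound response."""
    def __init__(self, rp_id):
        self.rp_id, self.keys, self.pending = rp_id, {}, {}

    def challenge(self, user):
        self.pending[user] = secrets.token_bytes(32)  # fresh each time, so replay is useless
        return self.pending[user]

    def verify(self, user, response):
        challenge = self.pending.pop(user, None)  # single use
        if response is None or challenge is None or user not in self.keys:
            return False
        expected = hmac.digest(self.keys[user], self.rp_id.encode() + b"|" + challenge, hashlib.sha256)
        return hmac.compare_digest(expected, response)

def login(site, device, user, page_origin):
    """One attempt: the challenge comes from the genuine site (a phishing page
    would relay it unchanged), but the browser reports where the user really is."""
    response = device.respond(site.rp_id, page_origin, site.challenge(user))
    return site.verify(user, response)

def demo():
    site, device = RelyingParty("bank.example"), Authenticator()  # assumed names
    site.keys["alice"] = device.register("bank.example")
    genuine = login(site, device, "alice", "bank.example")
    phished = login(site, device, "alice", "bank-example.test")  # relayed challenge, wrong origin
    return genuine, phished  # (True, False)
```

The phished attempt fails even though the user "logged in" on the lookalike page: the device never produces a response for the wrong origin, and the genuine site's one-time challenge is consumed without a valid answer.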
Trickle-down benefits of new types of authentication
Added types of authentication increase the burden on IT when it comes to privileged access management (PAM) and staying up-to-date on user information. But as organizations move away from passwords entirely, IT doesn't need to worry as much about hackers gaining access to authentication information, because that is only one piece of the puzzle. This also leads to the benefit of cutting down on account access privileges, said Ken Robertson, a principal technologist at GE, based in Boston.
With stronger types of authentication in place, for example, IT can feel more comfortable handing over some simple administrative tasks to users -- thereby limiting its own access to user desktops. IT professionals won't love giving up access privilege, however.
"People typically start a PAM program for password management," Robertson said. "But limiting IT logon use cases minimizes vulnerabilities."
Organizations are taking steps toward multifactor authentication that doesn't include passwords, but the changes can't happen immediately.
"We will have a lot of two-factor authentication across multiple systems in the next few years, and we're looking into ways to limit user passwords," D'Souza said.