Secret agent man
The idea of a password as a security mechanism is sound: One user with an individual identity plus a unique, secret password. In the physical world, this combination often works as it should, since the user’s identity travels with the user (in effect, adding a second factor of identification). In the online realm, well, all security practitioners know the issues.
Today’s average user has dozens (if not more) of credential sets for all of the secure sites she or he uses regularly; online identities are easily searched; passwords are not significantly complex and can often be guessed; users share usernames and passwords with each other and also across multiple, unrelated sites to reduce the difficulty of remembering and managing all of their logins; and the list goes on. Despite known problems with passwords, they persist; typed passwords are currently the primary method for authenticating users to accounts and applications. Why isn’t authentication changing? The answer isn’t as simple as: It’s broken. Fix it.
To be fair, some innovative companies are developing “password-free” authentication tools. While these hold promise, other tools and tricks the have been around for a while haven’t become the gold standards by which every organization operates. Two-factor (2FA) and multi-factor authentication (MFA) have existed for years. Biometrics as an authenticator for technology has been around for decades (no, really!), with IBM introducing its first laptop with a fingerprint scanner back in 2004. Many of today’s smartphones offer fingerprint scans as a security option, but converting the idea for PCs logging into business applications is lagging. Password managers are not yet customary for businesses. Automated identity and access management (IAM) provisioning is not yet ubiquitous. The security industry has the tools, so why the delay?
Beware of pretty faces that you find
“More than anything else,” says Jonathan Sander, VP of Product Strategy at Lieberman Software, “messing with passwords brings the security manager into direct conflict with the business. If the security manager tries to improve the password security on the end user side, they meet immediate resistance because bad passwords are easy passwords. If they attempt to increase password complexity requirements, the user complains. If they demand more frequent password rests, the user complains. If they attempt to introduce multi-factor authentication, the user complains.” Businesses prize efficiency and productivity most highly, and so anything that comes into conflict with efficiency and productivity loses, unless a strong business case can be made. But it’s security!! You, dear reader, are surely thinking. Yes, the security industry understands the hazards of poor password policies and management, and the data to prove that stolen credentials and privilege escalation lead to some of the most frequent and damaging breaches exists. Here’s the issue, though: The business knows cybersecurity is a concern, they read about the breaches, maybe the company has even experienced one, but breaches are just another element of risk management that executives and boards of directors are coming to terms with (albeit slower than security teams would recommend).
Further, execs likely haven’t dug into the root causes of breaches; that’s the security team’s job. So in turn, if security knows passwords are a problem, what’s holding companies back? Red Teamer, Rob “Mubix” Fuller says, “Rights management is hard. Password security is hard, and Single Sign-On (SSO) helps manage that, but it also paints a big ‘bulls eye’ on credentials for that SSO set of credentials.” He adds that security teams can negate the risk of “single point of failure” by also requiring 2FA or MFA, but all of this assumes that organizations’ implemented technologies integrate with SSO, and that’s not always the case.
SSO still requires a user login, however, so we’re still left with a password problem, albeit a slightly smaller one, but one which relies on all of our architecture being up-to-date and accepting of SSO. Another option for passwords is actually an alternative to passwords altogether: Federated identity. Sander feels that what security pros need to be asking themselves isn’t what to do about passwords, but “what they can do to eliminate passwords all together.” He adds that, “The rise of federation, both in the cloud and on premises, is an excellent opportunity to concentrate trust and control systems while simultaneously giving end users what they see as more degrees of freedom.” Like SSO, not every application supports federation yet, and both Sander and Fuller agree that security practitioners need to be pushing vendors to add these capabilities and make integration seamless. Companies whose architecture currently supports federation (or have the ability to upgrade to technology that does), can layer it on top of SSO or enforce 2FA or MFA for stronger security.
A pretty face can hide an evil mind
Even with this approach security relies on user acceptance, but Sander points out that “Our everyday online life is priming us all for this.” For examples, he calls out the “Log in with Facebook” or “Log in with Google” features now prevalent across varied and disparate sites. That feature (or design, depending on your point of view), he says, “has made the idea of using a credential from one place in another something every Joe Web Surfer can understand.” Familiarity breeds acceptance, and Fuller thinks that social media are furthering the password security cause by offering 2FA/MFA as an option rather than a requirement. “Security sometimes sees 2FA/MFA as an ‘all or nothing’ way of doing things, and Google, Facebook, and others are showing us that it’s not; user opt-in is a very effective way of getting 2FA/MFA into an organization.”
Organizations can experiment with “trading” one action for the other, he offers. For instance, if a user adopts 2FA/MFA, that user needs only change her/his password once per year instead of the typical 60/90 days for users who don’t use an additional factor. Science proves that rewarding people for good behavior is a considerably more effective tool than punishing people for bad behavior. Unfortunately, security has a reputation of being the “bad guy” when it comes to things like passwords and account lockouts, but social media is showing us that there is another, successful way of achieving security’s goals.
Ah, be careful what you say
All of this said, federation, 2FA/MFA, and other password alternatives continue to be uncomfortable for the security industry at large despite the known benefits. Just like end users who might be reluctant to adopt new or unfamiliar technology or processes, security practitioners can suffer the same fate. “Part of the problem with password security comes from outdated ideas or even vendor-driven rules, like the ‘password complexity’ requirement dictated by Microsoft in Active Directory,” laments Sander. The industry needs to move past the idea that password security is formulaic, i.e., complexity, uniqueness, and frequent changes will solve the problem. Though Fuller agrees, he adds that until such time when organizations are able to implement and enforce federation and 2FA/MFA, “security teams should focus on length of passwords.” When given a choice, the average user chooses a minimum-length password—because it’s easier to remember—thus those accounts become the “low hanging fruit” and most easily compromised. (A special note to web development teams, if you’re reading this: please do not limit the number or types of characters that can be used in password creation. You’re only perpetuating the problem.)
Or you’ll give yourself away
We also need to accept that the business will push back on any solution or suggestion that requires large-scale process or operational changes that affect end users’ ability to complete their work with relative ease.
It is incumbent upon security managers to make a stronger business case for requirements like 2FA or MFA; the monetary outlay for these are small and the “cost” to the user is insignificant, which makes them attractive to business leaders. Especially when coupled with an explanation of how most breaches are initiated, it’s a practical win-win for everyone involved. Looking more broadly, new solutions need to be developed (like the ones mentioned above, perhaps) that are easy to use, comfortable to the user, and which genuinely affect the security of users’ accounts.