With cyber-attacks on the rise at an alarming rate, simple password-based security measures are no longer fit for purpose. A recent report from think tank, Parliament Street revealed that almost 26,000 mobile phones and computing devices were lost in London in the past year alone. Enterprises need to recognise the potential security risks that lost or stolen devices pose to their businesses.
Since the dawn of the digital age we’ve trusted the password and its ability to protect ourselves online from those who want to harm us. It has been a ubiquitous part of our daily lives for decades, acting as a critical gatekeeper and safeguarding our digital identities and assets.
However, a lot has changed since the early days where users only had a few passwords to remember. The rapid development of ecommerce, self-service sites and social media has meant that we’ve now become accustomed to managing dozens of usernames and passwords daily. From online banking to Facebook and everything in between, memorising a password that is at least eight characters long, has upper-case letters, lower-case letters, numbers and special characters, and is not the same as the one you created 90 days ago – is a nuisance to say the least.
In an attempt to keep ourselves protected online, we tend to fall into either one of two categories: those who use one password for everything, and those who use different passwords across all their accounts and platforms. The problem is neither of these approaches are sufficient or secure anymore. These limitations, matched with the complexity of the reset process, mean passwords have become a source of increased frustration for users, leaving us to wonder - has the password had its day?
Passwords are failing
Despite the technology industry being characterised by rapid change, it’s hard to believe that a solution created nearly 60 years ago still remains the primary method used to protect ourselves digitally. Users want easy, quick and secure authentication- but passwords are no longer a secure solution, with compromised credentials being the top cause of reported data breaches, according to the 2018 Verizon Data Breach Investigations Report.
Malicious hackers have now become masters at attaining passwords and have a lot of powerful tools at their disposal that can crack through tens of millions of possible password combinations in a matter of seconds. This would be less of a problem if many service providers that hold sensitive data could protect this information, yet so often we see serious cases of security lapses exposing reams of sensitive data.
Neither customers nor businesses now see passwords as the ultimate guarantee for keeping data safe. Passwords don’t understand context. They are tied to a user but do not tell you a thing about the security of the device, the app, or the network being used to access business data. Passwords alone cannot stop data from being compromised on jailbroken devices or rogue networks.
As the business landscape shifts and we move further into a mobile-first world, the problem of password security becomes even trickier. According to online portal Statista, by 2020 almost three billion people globally will be using smartphones, with a significant portion being at the enterprise level. Smartphones are almost the perfect platform for business productivity because of their combination of functionality, convenience and connectivity. However, due to widespread adoption, they present added issues for those tasked with authentication and data security.
The new area of authentication
This isn’t to say passwords are completely redundant, and that their death is imminent. It essentially means businesses are beginning to seek other means of authentication that are more convenient and more secure for the end user. Each organisation should design an adaptive security flow that matches the authentication model to the risk of the user’s environment
In a low-risk, high-trust environment, you can get rid of passwords completely. The user can access a device using a biometric marker like a fingerprint and then certificate-based authentication does the rest to enable the user to access all business apps without a password. If the device becomes compromised in any way, business access can automatically be cut off and the risk of data loss quickly mitigated. This is the post-password future.
This post-password framework works well if the device is fully secured and managed by IT.
But what if it is a personal laptop at the user’s home and they really, really need to access their online salesforce.com account? In this case you likely still want the user to enter their password. But you may need more.
Maybe the user is trying to authenticate from a country where you wouldn’t expect them to be. Maybe there was some other suspicious behaviour recently in the user’s account that leads you to believe the password might have been stolen or spoofed. That’s where multi-factor authentication comes in.
Multi-factor authentication (MFA) is a worthy security mechanism for safeguarding enterprise identities because it creates a layered defence that is difficult for an unauthorised person to penetrate. It works by combining two or more independent credentials – something you know (typically a password), something you have (a trusted device that is not easily duplicated, like a phone), or something you are (biometrics). If one factor is compromised or broken, the attacker still has at least one other barrier to breach before successfully breaking through.
MFA is often a silo in a company’s security workflow, acting as a separate solution that requires custom integration, and that often causes irritation for end users. Enterprises should deploy a security solution that can correlate a variety of signals from the user’s environment, including device, app, service, network, geographic location, into an adaptive security flow that match the risk of the user’s environment.
But many companies get very excited by MFA and overuse it, frustrating the end user. When MFA is integrated into the broader security workflow, you can prompt for it only in risky environments. That way MFA is there when needed but doesn’t get in the user’s way when not needed.
In the new era of authentication, a highly secure endpoint obviates the need for a traditional password. Always start with the end goal of getting rid of the password. If there is a concern about compromise, trigger an MFA request. But most importantly, design your adaptive security flow around the user experience. An easy experience will be a secure experience because users will accept the tools and policies you provide instead of working around them.
Ojas Rege, Chief Strategy Officer at MobileIron
- We've also highlighted the best free password managers in this roundup