Passwords are still the dominant form of user authentication across businesses of all sizes — even with the general recognition from IT and security professionals that passwords are not secure. In fact, the 2017 Verizon Data Breach report indicates that over 70 percent of reported breaches were due to weak user credentials including usernames and passwords.
If there are proof and acknowledgment that passwords are not safe — why are they still so predominant?
The good news is that more than 70 percent of companies will do away with passwords over the next decade. And it’s easy to see why. Enterprises that invest in new authentication methods and compensating controls throughout the next few years will experience 50 percent fewer identity-related security breaches than businesses that don’t. But is this fast enough given the damaging high-profile breaches that have occurred due to use of passwords?
The myths surrounding the strength and impact of passwords continue to prevent a number of businesses from leaving this insufficient and outdated authentication method behind. In this column, we explore the truth to each myth (or lack thereof) as well as a few concrete steps businesses can take to protect themselves in the evolving digital landscape.
Myth #1 – The More Complex a Password, the Stronger It Is
Websites and apps often require users to create passwords using a wide range of characters. But regardless of whether they include a mix of alphanumeric or special characters, users aren’t likely to see much of an increase in the strength of their password. As a spectrum of relative weakness, password strength isn’t prone to many variations. While a password that combines several different characters may be somewhat stronger than one that doesn’t, the differences in strength from this perceived increase in security does not have a significant impact on reducing sophisticated breaches that are commonplace today.
In the same way, complexity proves largely insignificant, length also does little to improve strength. From brute force attacks and rainbow tables that help decipher passwords even when they are hashed to suspicious malware, cybercriminals employ a number of different methods designed to mitigate the effects of increased length and complexity. For example, there are easily accessible tools available on the web to assist in various types of attacks or fraud, such as a keylogger that can capture a password no matter how complex.
What makes passwords so weak is that there does not need to be sophisticated tools deployed to successfully exploit the weakness. Social engineering and phishing attacks have been responsible for some of the higher profile attacks, including the email hack for the DNC during the 2016 U.S. presidential campaign.
Yahoo’s late 2014 breach is an example of the damage hackers can inflict when passwords are used to protect sensitive information. In what was dubbed one of the largest data breaches ever, names, email addresses, telephone numbers, dates of birth and passwords from at least 500 million Yahoo accounts were stolen. By focusing less on the length and complexity of passwords and more on advanced authentication methods, you can keep valuable information from falling into the wrong hands.
Myth #2 – Frequent Password Resets Enhance Security
Though changing a password every week or month may seem like a good idea, it can actually do more harm than good. Given how difficult it can be for users to come up with a new password on the spot, frequent resets typically lead to predictable patterns that fraudsters can easily guess. If, for example, an employee uses the password, “Saftey&Security,” a required reset may lead to a simple variation such as “Saftey&Security123.”
When it comes to organizations that commonly recommend new passwords, one of two problems tend to pop up. Either users make changes that lead to a progressively simpler password, or they introduce complex passwords that are too difficult to remember. And considering the relatively low impact of complexity and length, neither option does much to deter cyber criminals.
Demand for a reset can also prompt users to physically write down passwords that become too lengthy. This security method can put employees as well as the businesses they work for at risk of fraud. Whether it’s posted on a computer monitor or jotted down in a notebook, passwords that are easily accessible to the employees who need them may also become available to fraudsters interested in stealing sensitive information.
Myth #3 – Passwords Improve the User Experience
This is the one area that is perceived to be the reason why passwords are still used in mass. The myth is that it is difficult to get users to change behavior and that passwords provide an acceptable user experience. As seen from some of the above examples, making users continually change passwords and making them more complex is frustrating at a minimum and does virtually nothing to increase security. And when an application is not used often and a password is forgotten or has expired, it can be time-consuming to reset it. This happens to pretty much all of us at one time or another.
What has been missing is an alternative to passwords that provides a superior user experience and can be used across the user base — regardless of platform. The one advantage that passwords have is they are platform agnostic and do not require any additional hardware, like tokens, to deploy.
It is important that the authentication experience is the same or very similar for all users regardless of platform, and is really easy to use. In fact, the more the user does not experience security, the better. Our belief is that with the right approach to identity security, having a more secure solution should not be frustrating for the user to access applications, work or workstations. We call this taking the “F” out of authentication. By “F” we mean friction, factors and frustration. This is the main reason why passwords are still in use because until recent technological advancements for authentication, it has been a frustrating user experience.
Out with the Old, In with the New
As the way we do business changes, so too must the authentication methods used to guard against cybercriminals. Having been involved in more than 81 percent of confirmed data breaches, passwords must give way to intelligent solutions that effectively monitor risk without impeding the user experience.
A layered approach to identity is one way to strike that balance.
By blending together a wide range of technologies — such as mobile identity credentials or adaptive authentication which monitors contextual information to assess risk — these approaches serve to protect users while only involving them when absolutely necessary. Though mobile devices have leveraged authentication codes sent via SMS, this method does little to remove user friction or solve complex security issues. A growing number of businesses are instead turning toward a layered approach using modern techniques that require minimal user action.
Bringing biometrics into your authentication strategy makes a lot of sense — they have started to prove their worth in streamlining access to mobile phones and applications. When paired with a strong identity on your mobile device, you have a very simple yet secure approach that addresses the shortcomings of legacy approaches. While deployments have started, experts predict that 70 percent of enterprises will combine biometric methods with analytics and mobile credentials across multiple use cases in the next five years. And as more businesses recognize the shortcomings of passwords in today’s digital environment, interest in layered approaches to intelligent identity will increase moving forward.
Peeling Back the Layers
Introducing a layered approach within your organization requires adhering to a step-by-step process. Here’s how to get started:
- Set the stage for a trusted identity by leveraging the power of mobile devices. Using familiar touch and swipe interfaces, mobile presents one of the best platforms to host a user’s digital identity. The approach matters, so make sure to assess vendor approaches. With a mobile credential in hand, your users will be able to quickly and easily access networks, applications and sensitive data with ease.
- Before you provision mobile credentials, it’s best to ensure that smartphones or tablets are free of fraud and have no signs of tampering. Checking for jailbroken or rooted devices and assessing device reputation data for indications of malware or any previous indications of fraud help build a strong foundation of trust. Ensure you have enrollment processes that validate the user’s identity and bind it to the device. Whether it’s sending out a secure registration email link or requesting biometric data such as a fingerprint or selfie, there are a number of ways to verify an authorized user.
- When it comes to keeping an eye out for fraud, augment mobile-based credentials with analytics that assess information about users before and during access. Traditional context such as geo-location and time of day access patterns are a great start but layering in behavioral analytics — such as how a user swipes or their movements on a keyboard — are used to ensure each device is being operated by the correct user at all times. If a recognized pattern appears to be broken, step up user authentication can trigger a security challenge such as submitting a fingerprint or taking a selfie. Since this type of verification usually takes a few seconds to complete, the user experience is hardly impacted.
From the complexity of passwords to their effect on the user experience, long-standing myths have created the illusion of security and convenience. A closer look, however, reveals the dwindling ability of passwords to protect businesses and deliver an experience that meets the needs of time-strapped employees. Enjoy the best of both worlds with an approach that ushers in modern digital identities. By passively monitoring risk and only challenging users with easy-to-use authentication tools like fingerprint scanning, a layered approach can keep cybercriminals at bay while also enhancing the user experience.
About the Author:
Ryan Zlockie is the global vice president of authentication at Entrust Datacard. He leads the company’s global software product efforts, as well as the authentication business segment. He has more than 17 years of experience in security technology for global, midsize and startup companies. To learn more, visit www.entrustdatacard.com.