Dear password, it's not me, it's you.
"Dear password, we've been together for over 28 years now. As a matter of fact, you were my first authentication mode. You made sense at one point in my life when I needed something that simply just worked. Now, you aren't enough for me -- I need more -- something you can't offer. It's time for me to move on and leave you in my past. We grew up together since telnet, we both worked perfectly together with SSH, even though at the time there were better alternatives like keys. But now, I've sat back for too long now and watched others abuse you and I love you too much to watch people treat you like you're nothing but password123 or letmein." Love Always, Alissa Knight
Indeed, passwords are beginning to see their life come to an eventual end as they are retired by organizations seeking alternatives to single-factor authentication using only passwords, especially as companies move to the cloud where employees don't want to memorize every password despite the availability of password vaults such as Lastpass. The fact of the matter is, passwords are only as secure as the level of security awareness of the person setting it and humans will forever be the weakest link in security.
The vulnerability created by passwords as a single form of authentication couldn’t have been better emphasized than in previous worm outbreaks, such as SQL Slammer worm, which propagated using commonly used passwords. Solutions, such as Cyberark have been created to address the problem of the same “domain admin” password being reused across multiple servers in an Active Directory domain. Cyberark enables users to temporarily use a one-time password that expires and can’t be used again once done. This renders any malware that propagates using common passwords unable to pivot across all servers in the network using the same password. But what about end-user passwords?
As cloud apps replace legacy on-premise software, organizations are looking to tie all of their enterprise on-prem and cloud apps together into a single sign-on experience for their users using tools, such as Duo (recently acquired by Cisco for $2.35 Bn) and Okta. The sad state of affairs in password authentication has degraded further as statistics become more widely published on how often passwords are reused across different sites, poorly written web apps that don’t enforce strong password security, and the prevalence of users who never change their password because the app or website doesn’t require it. Scammers are even using recent password dumps made public to email victims with their password, informing them that they hacked their computer and found they were visiting pornography sites, which they would make public if not paid off using bitcoin.
The fact of the matter is, single-factor authentication that just relies on passwords needs to be rendered obsolete as a trusted form of authentication. All web apps should require multi-factor authentication and no longer allow just a password. MFA doesn’t require costly fobs anymore and can easily support code generator apps installed on your mobile phone, such as Microsoft Authenticator or Google Authenticator or at the very least, use email for a one-time code.
Stories, such as the Ashley Madison breach where hackers made off with 40 Million passwords, the 150 Million passwords compromised at MyFitnessPal, and the growing number of password leaks over the past decade, should further underscore the importance of a global move away from passwords.
In an upcoming Aite Group report, I will be examining alternative enterprise solutions to passwords, especially in the context of Fintech and financial services companies; interview users to get first-hand experiences with alternative solutions covering enterprise rollouts; and review lessons learned to help you decide whether or not these solutions are truly "enterprise-ready."
About Alissa Knight
As a senior analyst for Aite Group covering cybersecurity in financial services and healthcare, my role is as a thought leader and trusted advisor to financial institutions, established technology vendors, startups, and venture capital firms.
I focus on providing actionable recommendations to clients by producing research papers, speaking at conferences, interacting with clients, and leading consulting engagements.
My passion professionally is meeting and learning from IT risk management leaders around the world and sharing my views on the disruptive forces in cybersecurity reshaping global markets. My long-term goal is to help as many organizations as possible develop and execute on their strategic plans and focus on their areas of increased risk; bridging silos to effectively manage risk across organizational boundaries; and enable them to pursue intelligent risk taking as a means to long-term value creation through thought-provoking, curated and original content as their trusted advisor in IT risk management.