Why It’s Time to Nuke the Password


When Fernando Corbató invented the first computer password nearly 60 years ago, he probably didn’t envision that it would still be the authentication method protecting most of the data that is valuable today.

Users openly admit to reusing passwords across multiple sites simply to minimize the number they must remember, or to changing a single character or digit when prompted to update them. Who can blame them? There are more logins to remember than ever before; some require a minimum length, numbers, symbols and mixed case, and some force users to reset their passwords regularly.

This results in password fatigue and weakened protection, leaving businesses vulnerable to attacks, not to mention frustrated users.

Passwords have been falling out of favor for years, and not just from a user perspective. Gartner says “password-based, simple authentication is becoming too complex and less effective.” According to Verizon’s Data Breach Investigations Report (DBIR), the share of data breaches arising from weak or stolen passwords jumped from 63% to 81% between 2016 and 2017.

Businesses would be irresponsible if they continued to rely solely on passwords as their main method of identity verification. It’s time to look seriously at how we provide security and at the processes used to verify a user’s identity.
 
A promising start: Passwords and two-factor authentication
Passwords have the advantage of being familiar, so organizations have looked for ways to make them more complex and therefore harder for an attacker to guess with automated techniques.

Two-factor authentication (2FA) was devised to address the pitfalls of password use, but even combined with passwords it is still not enough to secure access, and it has produced an industry standoff between security and a positive user experience.

Knowledge-based questions and answers are easily socially engineered given the wealth of personal information publicly available. One-time passcodes delivered via SMS, voice call or email can be intercepted, and hard tokens have been compromised by attackers in the past (although more modern hard-token methods such as YubiKeys are a big step forward for both security and usability).

Taking TNT to the password and welcoming modern strategy
Companies are at a crossroads, as cyber-criminals work tirelessly on effective ways of evading passwords and 2FA. Large-scale data breaches mean there is a bounty of legitimate credentials available on the dark web for anything from free to $20, according to Experian. What if there were no more credentials to steal and misuse?

Finding a way to remove passwords and secure organizations without harming the user experience can be a tough balancing act. Users must have easy, secure and reliable access to the information they need, when and where they need it. As a result, organizations are moving to new methods of authentication in which users no longer have to follow complex password policies, nor take the additional, cumbersome step that some two-factor authentication methods require.

Modern identity and access management performs risk analysis that is invisible to the user through a combination of adaptive access control techniques. Such methods include checking the authenticating IP address against known bad IP addresses associated with the anomalous internet infrastructure attackers use; geographic location analysis (is the user in a known location?); and geo-velocity (did an improbable travel event occur between this login and the last one?).

Similar techniques check that the phone number or mobile device being used has not been subject to fraudulent activity such as phone-porting fraud, and that an attacker is not substituting a virtual number for a real mobile number. These checks run in the background without interrupting the user while still giving the organization strong protection. No password required.
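To make the adaptive checks in the two paragraphs above concrete, here is an added example of a small risk scorer that is not part of the article and not any vendor’s product. It combines an IP denylist check, a known-location check, a geo-velocity (impossible travel) check, and a phone-number type check into one score that drives an allow / step-up / deny decision. The denylist, the users’ known locations, the last-login record and the phone-number table are all constructed sample data standing in for real threat-intelligence and carrier lookups; the thresholds are illustrative.

```python
"""Adaptive, password-less risk scoring (added illustration, not the article's code).

Every data source below is constructed for the example: a real deployment would
read the IP denylist from a threat-intel feed, the location history from its own
login store, and the number type from a carrier/number-intelligence lookup.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# --- constructed sample data -------------------------------------------------
BAD_IPS = {"203.0.113.7"}                     # TEST-NET-3 address, constructed denylist entry
LONDON = (51.5074, -0.1278)
NEW_YORK = (40.7128, -74.0060)
KNOWN_LOCATIONS = {"alice": [LONDON]}          # locations the user has logged in from before
LAST_LOGIN = {"alice": (datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc), LONDON)}
PHONE_TYPES = {"+15550100": "mobile", "+15550199": "voip"}   # constructed number-type table

# --- illustrative policy knobs -----------------------------------------------
NEAR_KM = 100.0                  # within this radius counts as a "known" location
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # roughly airliner cruising speed
STEP_UP_AT, DENY_AT = 30, 70     # score thresholds for the three outcomes


@dataclass
class LoginAttempt:
    user: str
    ip: str
    location: tuple      # (latitude, longitude) resolved from the IP or device
    when: datetime
    phone: str


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def assess(attempt, bad_ips=BAD_IPS, known=KNOWN_LOCATIONS, last=LAST_LOGIN, phones=PHONE_TYPES):
    """Return (decision, score, reasons) for one login attempt."""
    score, reasons = 0, []

    # 1. IP reputation: source address on the denylist of attacker infrastructure.
    if attempt.ip in bad_ips:
        score += 50
        reasons.append("ip_denylisted")

    # 2. Geographic location: has this user been seen near here before?
    if not any(haversine_km(attempt.location, loc) <= NEAR_KM for loc in known.get(attempt.user, [])):
        score += 20
        reasons.append("unknown_location")

    # 3. Geo-velocity: could the user physically have travelled from the last login?
    #    Guarded so that a zero or negative time delta (clock skew, replay) still
    #    counts as impossible travel rather than causing a division by zero.
    prev = last.get(attempt.user)
    if prev:
        prev_time, prev_loc = prev
        hours = (attempt.when - prev_time).total_seconds() / 3600.0
        dist = haversine_km(attempt.location, prev_loc)
        if dist > NEAR_KM and (hours <= 0 or dist / hours > MAX_PLAUSIBLE_SPEED_KMH):
            score += 40
            reasons.append("impossible_travel")

    # 4. Phone number type: virtual/VoIP or unknown numbers are not trusted as a factor.
    if phones.get(attempt.phone) != "mobile":
        score += 30
        reasons.append("non_mobile_or_unknown_number")

    decision = "allow" if score < STEP_UP_AT else ("step_up" if score < DENY_AT else "deny")
    return decision, score, reasons


def demo():
    """Three constructed attempts by 'alice' covering the allow / step-up / deny paths."""
    t0 = LAST_LOGIN["alice"][0]
    routine = LoginAttempt("alice", "198.51.100.4", LONDON, t0.replace(hour=11), "+15550100")
    jumped = LoginAttempt("alice", "198.51.100.4", NEW_YORK, t0.replace(hour=10), "+15550100")
    hostile = LoginAttempt("alice", "203.0.113.7", LONDON, t0.replace(hour=11), "+15550199")
    return {"routine": assess(routine), "jumped": assess(jumped), "hostile": assess(hostile)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:8s} -> {result}")
```

The scoring is deliberately additive and explainable: the `reasons` list is what an analyst sees in the audit log, and the thresholds are the part a real deployment tunes, not the signals.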

Addressing the password’s long legacy
While 83% of IT decision makers predict their organizations will be password-less in the next five years, some businesses are still hesitant to implement this change and are concerned about what problems could be introduced.

As passwords are deeply rooted in legacy security practices, some resistance is likely when new processes are introduced. The additional investment in education and staff training, potential disruption to employees’ daily routines and fears of system failures can all act as barriers to adopting password-less practices, and they must be addressed before the password can be retired for good.

Employees should be made aware of the benefits from the start, and most will welcome the seamless, streamlined experience: one login process per day, no hard tokens – which are easily forgotten or lost – and less downtime waiting for password resets or contacting IT support. This, coupled with a comprehensive roll-out strategy by the business, should ensure that employees are on board and engaged.

A secure and password-less future
Adaptive authentication means passwords can be removed because multiple, layered risk analyses verify the user to a higher level of trust. Instead of relying on cumbersome passwords and fallible two-factor authentication, modern techniques save time, save the cost of password resets and spare users frustration, all while effectively securing the enterprise.

Gartner predicts that through the end of 2020, enterprises that invest in new authentication methods and compensating controls will experience 50% fewer identity-related security breaches than peers that do not.

As breaches continue to proliferate and credentials remain a high-value target for attackers, organizations must evolve to stay ahead of attacker tactics.
