Change happens at an uneven pace. Take the latest smartphone. The camera still has a lovely shutter click, though digital cameras have long since surpassed shutter cameras. The QWERTY keyboard was designed to solve the problem of jamming in 19th century typewriters. And yes, to open apps and websites alike, we’re still using an idea conceived of 60 years ago for mainframes: the password.
We cling to the password. It’s security’s first, and sometimes disastrously, last line of defense. As surely as we know the camera doesn’t have to click, we know the password can be replaced by stronger factors. In fact, with adaptive and contextual controls, replacing the password means greater security and user experience benefits.
What’s holding us back from moving forward? Here’s a snapshot of the roadblocks and how to overcome them:
Usability
If I work in an organization adverse to change, I’ll stick with passwords. CISOs bring up the user experience first-thing when we talk about passwordless. On the one hand, we’ve had 60 years of struggling with passwords. On the other hand, we’ve had 60 years to get used to password problems. Habituation has kicked in hard. We know the pain of a password, but we’ve come up with a number of workarounds and apps to mitigate them. Moreover, change takes time, and a lot of work. During the transition our workforce will use both passwords and passwordless.
To let go of the password we must make passwordless authentication measurably and significantly easier to use. Ease-of-use must permeate every step of the process: enrollment, logging in, switching devices.
We can point to consumer technology as a leading indicator of ease-of-use. People are already asking their service desks and IT departments for the same convenience they have on their phones. As people get more familiar with Touch ID, Face ID, and phone push authenticators, we can make a smooth transition to passwordless in the enterprise.
Manageability
If I’m short of time and resources, I’ll stick with passwords. Industry estimates have found that password resets comprise 20 to 50 percent of all support tickets. Sure, but here too, we’re used to it. Our help desk has scripts they follow for resetting passwords. Maybe we’ve stood up a self-service app. At the same time, our team already runs at full speed tackling other pressing security concerns. We don’t have time for yet another project, and it’s unclear how much time it will take to manage yet another security product.
To fully embrace passwordless authentication it must have comparable administration and management. For us to succeed, we need to make ease-of-use for the administrator second only to ease-of-use for the end-user. Vendors have to stay fully transparent about what it takes to implement, migrate, and then maintain passwordless products.
CISOs can prove out manageability by piloting products in their environment and for their specific use cases. It’s especially important to see how potential solutions integrate with an enterprise's directory or identity provider, especially given that many of us are coming off of centralizing identity projects.
Defensibility
If I’m worried about new technologies introducing new risks, I’ll stick with passwords. The security risks of passwords are well known and well-established. We’ve added multi-factor and that’s greatly reduced the risk. Moreover, it’s a known risk. New security controls bring unknowns. What happens if the biometrics are stolen? What happens if there are weaknesses in the protocols or their implementations?
To let go of the password we must increase trust in passwordless authentication. Simply evaluating whether a person can log-in or not isn’t sufficient. During that process, we need to evaluate whether we trust this person to log-in, using a combination of adaptive and contextual controls. We need to create greater trust through techniques like risk-based authentication, which will let us innovate with authentication methods without introducing security concerns.
The starting point for defensibility is recent security incidents regarding authentication. Combined with threat intelligence and feedback from the industry’s Information Sharing and Analysis Center (ISAC), this will paint a full picture of how criminals are circumventing authentication today. Add those to the selection checklist to bolster confidence in defensibility. Further, as always, include a red team or penetration test as part of pilot implementations.
We have 60 years of inertia built up in the little password. We’re comfortable. We’ve spent time protecting this string of text. Lots of it. While moving away from the password may improve security, no one wants to pay the price for adopting a technology that’s not ready. However, it’s time to get uncomfortable with passwords, as evolving technology has laid the foundation for a passwordless world.
There are steps security leaders can take today to build confidence in how passwordless affects usability, manageability, and defensibility. When planning out our 2021 roadmaps, now’s the time to include passwordless investigations, evaluations, and pilots.
We won’t have a choice in this matter for much longer. With the consumerization of IT and ubiquity of biometrics, users will expect easy, frictionless access. Even amid the unprecedented change our organizations have undergone the past year, we need to recognize what’s over the horizon, and modernize our approach to authentication.
J. Wolfgang Goerlich, Advisory CISO, Duo Security at Cisco
