As authentication methods improve and companies like Microsoft declare the end of the password era is here, some cybersecurity experts argue this may be one of the last Global Password days to be held.
Microsoft Security Corporate Vice President Rob Lefferts last year said his company is delivering new support for password-less sign-in to Azure AD-connected apps via Microsoft Authenticator to replace passwords with a more secure multi-factor sign-in that combines user phone and fingerprint, face, or PIN, in a Sept. 24 blog post last year.
However, that day hasn’t come yet and passwords remain a necessary part of securing data and despite the bold claims are unlikely to go away anytime in the near future, as a result, users need to ensure they use strong passwords which are kept secure.
But despite the importance of having a strong password, researchers recommend users adopt other authentication methods in conjunction with passwords to better secure data.
“Passwords still have their use, but not as a way to uniquely verify a person,” Don Duncan, Security Engineer at NuData Security told SC Media. “They are part of a process where the user shares relevant information on their device, such as their behavioral patterns - and this is the key for a password or verification process.”
Duncan said the best way to develop password hygiene is to use password managers but also cautioned that with the amount of personal data available on the dark web, passwords can’t be trusted to authenticate users and said multilayer solutions that include behavior analytics should be used to verify users. This way, even if a password is compromised, companies can secure accounts by spotting irregularities in login attempts.
For this reason, passwords have become somewhat of a weak link and only serve to benefit the threat actors who manage to steal them, Tom Patterson Chief Trust Officer at Unisys told SC Media.
“Password resets continue to cost companies millions, frustrate users, and enable adversaries, which is why finding better forms of online identification are one of the focus recommendations of the White House’s Cyber Moonshot report just delivered to the President,” Patterson said.
Patterson went on to say that Global Password Day should be a reminder that the vast majority of people’s passwords have already been stolen or are easily available.
Despite the advancements, some cybersecurity experts are banking on other authentication forms all together as authentication become more seamless and privacy regulations strengthen.
Michael Magrath, Director of Global Standards and Regulations at OneSpan, said a recent survey conducted by his firm found more than 60 percent of respondents plan to invest in new multi-factor authentication technologies in 2019.
These include technologies that rely on biometrics and AI/machine learning in an effort to overcome security issues faced by financial institutions and their customers.
“Unlike passwords, modern authentication technologies include “privacy by design” as the foundation,” Magrath said. “ Standards-based authenticators including the FIDO Alliance balance usability with security while protecting privacy.”
Tim Erlin, VP, product management and strategy at Tripwire agreed and suggested we retire ‘world password day’ in favor of ‘world authentication day.’
“The password is the least secure component in most authentication systems, and passwords alone are no longer sufficient,” Erlin said. “World password day is a good day to set up multi-factor authentication everywhere you can.”
Despite doubts concerning how long passwords will be a thing, they are the primary authentication method to access most online data, meaning we should ensure we do our best to keep them secure, according to Peter Galvin Chief Security Officer at nCipher.
“While we're all drowning in passwords, they're what we still trust to give and get access - and for now, they're here to stay,” Galvin said. “Given the lengths to which people will go in order to get their hands on them, we really should be doing as much as possible to keep them safe and secure.”
This is where basic cybersecurity hygiene comes into play as Galvin suggested organizations have a centralized security policy and effective encryption key management to assure control of data across every physical and virtual server on and off premises while promoting users to create and use strong unique passwords.