Password security has undergone a significant transformation over the last few years. As a reaction to the insecure form of identity verification that is logging in with a password, technologies such as two-factor authentication (2FA), multi-factor authentication (MFA), hardware keys, password managers, and the use of biometric-based authentication like fingerprint and facial recognition have dramatically changed the way users validate and verify their identity.
This begs the question - where does that leave passwords in 2019?
We spoke to Adam Kehler and Rob Harvey of Online Business Systems for their thoughts on the matter.
“People want to see passwords go away and have predicted that for a long time, but they seem to keep hanging around. [We] would like to see them go because they really are not a great way to authenticate users, but we need to address them as long as they’re here.” - Adam Kehler, Online Business Systems
The death knell of passwords has been invoked for quite some time but passwords continue to persist, despite new advances. The truth is, even with the use of MFA, a password log-in is often the first step.
When considering that a password is ultimately a form of authentication and identity verification, it fails under many measures of security. Passwords are often reused across accounts and are created in very predictable and recognizable manners. Even when users are required to create more complex passwords, they do so in patterns that are easy to figure out.
This is partly why passwords are considered fairly high-risk and an easily exploitable vector. Kehler even notes that many guidelines around proper password creation and maintenance, such as complexity and change, don’t provide the same kind of protection against hackers as was originally thought.
Security issues with passwords are also worsened with each and every data breach. As millions more passwords flood the internet, malicious actors can use the information to develop patterns or cross-reference them with emails to compromise a wider set of accounts.
Despite their pitfalls and problems, passwords are still used widely across individual devices and organizations.
“For enterprises, it takes a long time to shift paradigms. For them, [eliminating passwords] might not happen in our generation.” - Rob Harvey
Organizations, especially older ones, are often slow to move and update their existing technologies and processes. It’s easy to look at the rise of fingerprint and facial recognition technology across mobile devices and think passwords are on the way out, but when considering that organizations and enterprises use mobile devices, laptops, applications, and a multitude of other services, it shows how a change to an organization’s identity and account verification can be a major undertaking.
However, that doesn’t mean organizations are stuck with passwords.
Organizations should already start taking advantage of new technologies beyond passwords, especially for their customer base. The use of biometrics as an MFA factor can improve user experience while providing peace of mind, which is increasingly important in a world where security and privacy are a component of a company’s brand trust and perception.
Kehler and Harvey agree that these newer forms of security and authentication have their own vulnerabilities and can be exploited. For example, technology and exploits are being developed that can compromise someone’s biometric information. While a password is easy to change, a thumbprint or facial structure is not.
However, both Kehler and Harvey discourage thinking that these vulnerabilities should prevent the use of new forms of authentication. Despite these potential vulnerabilities, password use carries much more risk for a company and its customers.
Companies should constantly look for opportunities to improve their password security and identity and account management, internally and externally. While it’s a difficult task, it’s not impossible although it does require an organizational perspective.
It’s easy to think about users individually and imagine having them move past passwords and leverage newer forms of authentication, use MFA, a password manager, or even a hardware key to keep accounts safe. But whether a company wants to use new forms of authentication for their customers or for their own internal department, it requires a heavy organizational move.
Harvey mentions how Google successfully launched their ‘Titan Key’ internally (and then publicly) in order to prevent phishing. The move has been massively successful within the organization, Harvey explains, “because it’s all server-based. [Google has] seen significant drops in phishing attempts and other attack vectors have essentially been shut down.”
However, despite their availability and relatively low cost ($50), Harvey mentions that less than 5% of Google account holders actually use the Titan Key. This shows how the public can face an uphill climb when trying to change such an entrenched behavior as using passwords.
When considering upgrading your password security and identity management, Kehler has some key advice:
“The current trend is to look at identity and access management as a whole from the enterprise level rather than thinking of it only as a service. Tying all access management into a centralized system and using cloud-based access providers can help companies implement new and upcoming rules and guidelines.”
Harvey mentions that newer companies are more likely to leverage newer technologies and processes when it comes to password security and access management. Newer companies are usually cloud-based and have fewer employees, but older organizations that are using pre-cloud technology and have a large workforce will encounter some challenges. However, hybrid identity and access management platforms that account for both non-cloud and cloud infrastructure are available.
By leveraging identity access management, cloud-based security protocols, and newer tech vendors, you’re able to affect your security’s effectiveness from an infrastructure standpoint rather than just trying to change your employees’ behavior.
Since the use of passwords won’t be going away anytime soon, there is more of an onus on the enterprise and organization to take more responsibility when it comes to password security. As long as compliance standards such as PCI, HIPAA, etc. require stricter password security, organizations will continue to focus on improving their password security rather than removing their use altogether.
NIST has also published newer guidelines that direct organizations to push for lengthier passwords or passphrases (which are more secure than having users constantly change complex passwords), require customer passwords to be stored using stronger hashing algorithms, reject passwords that appear on breached-password lists, and increase usability for password creation, verification, and reset. Organizations that are more developed in this area are also designing customer-side password systems to be easy and safe to use, reducing any potential liability in the case of a breach.
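To make the guideline points above concrete, here is an added example (not code from the article or from Online Business Systems) of a password-acceptance check and storage routine along those lines: a length floor with no composition or periodic-change rules, a lookup against a breached-password list, and a salted, iterated hash for storage. The breach list is a constructed five-entry stand-in for a real corpus, and the iteration count is an assumed value chosen to keep the example quick.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed stand-in for a breached-password list. A real deployment would
# load a large corpus or query a lookup service; the check logic is the same.
BREACHED_PASSWORDS = {
    "password", "123456", "qwerty123", "letmein!", "welcome1",
}

MIN_LENGTH = 8    # floor for user-chosen secrets
MAX_LENGTH = 64   # allow long passphrases rather than capping them short
PBKDF2_ITERATIONS = 100_000  # assumed value for this example


def normalize(password: str) -> str:
    """Apply Unicode NFKC so visually identical inputs compare equal."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str) -> list:
    """Return the reasons a candidate password is rejected (empty = accepted).

    Deliberately no uppercase/digit/symbol composition rules: length and a
    breach-list check do more against guessing than forced complexity.
    """
    pw = normalize(password)
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if len(pw) > MAX_LENGTH:
        reasons.append("too long")
    if pw in BREACHED_PASSWORDS:
        reasons.append("appears in breached-password list")
    return reasons


def hash_password(password: str, salt: bytes = None) -> str:
    """Store a salted PBKDF2-HMAC-SHA256 digest, never the plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(password).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    # Self-describing record so the parameters can be raised later.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored parameters and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", normalize(password).encode("utf-8"),
        bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for pw in ["short", "password", "my long memorable passphrase"]:
        print(repr(pw), "->", check_password(pw) or "accepted")
    record = hash_password("my long memorable passphrase")
    print("verify correct:", verify_password("my long memorable passphrase", record))
    print("verify wrong:  ", verify_password("my long memorable passphrasE", record))
```

The stored record carries its own algorithm name, iteration count and salt, so an organization can raise the work factor later and re-hash users on their next successful login without a migration of the whole table.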
As more and more passwords are leaked and discovered due to various data breaches, organizations must provide new ways to keep their customer’s data secure while also ensuring their employees don’t succumb to the same risks. It’s a tricky balance, but there is new technology to take advantage of as long as security leaders are looking at these changes from an organizational perspective.
Interested in hearing more about this topic? Adam and Rob will be presenting at InfoSec World 2019 in Orlando, Florida next month. Don't miss this highly-anticipated talk!