The Password Problem: A Call for Stronger Authentication
Passwords must die.
At least, that was a theme of the Gartner Identity and Access Management Conference I recently attended. And you don’t have to be a security expert to see that our traditional system of “think of something you can easily remember” passwords is broken. Between guessing them, brute-force attacks, keyloggers, socially engineered cons, and just breaking in and outright stealing them from a database, as in a recent attack on Yahoo, users are in a difficult situation.
For one thing, too many of us aren’t using strong passwords to begin with. This year’s breach of millions of Yahoo! Voice user passwords demonstrated our unwillingness to remember long, challenging combinations of numbers, letters, and symbols: “password” was the most common password among those stolen. Another problem is that our passwords are only as effective as the security of the organization storing them. It does us no good to have the longest, most cryptic password possible if someone simply breaks in and steals it from our email provider. 2012 was littered with data breach disclosures of stolen passwords and password hashes from major sites, including LinkedIn, Zappos, eHarmony and Last.fm, to name a few.
Given all the password problems we’ve seen lately, it’s time to rethink the situation. Passwords are clearly limited. So what’s the alternative to traditional passwords?
The good news is that technology is catching up to the password problem. A variety of solutions are available from Symantec and others that take advantage of strong authentication technology to keep user accounts and information secure. In fact, these have been around for years, since the days of the first security tokens that generate one-time passwords on a small, portable device. These keep risks lower even in the event that a hacker gains access to a machine, minimizing the opportunity to steal information. But now that we have nearly every employee in the enterprise accessing resources remotely, some organizations feel that if everyone carried a token, the tokens would constantly be lost or stolen and would be too hard to manage.
One of today’s commonly used strong authentication alternatives is the use of knowledge-based systems. We’ve all seen this at work on websites such as our bank, where in addition to our password we are asked security questions based on something we know. This is better than a password alone, but there are certainly shortcomings. With the large amount of personal data we are making public, on social media profiles in particular, it’s often not too difficult to find the name of someone’s pet. This limits the value of knowledge-based authentication. Just ask Mat Honan, whose attackers were able to piece together information from daisy-chained accounts in order to successfully take over his digital life.
A new system employed by Symantec is risk-based authentication. The risk-based method analyzes user behavior to determine the proper amount of security to apply in the current situation. For example, it will analyze the user’s location and the device used to attempt the login. When it’s the user’s workstation in corporate headquarters, and they are accessing relatively unimportant information, this would be considered a “low-risk” situation and little or no additional security is required. But if the user is requesting access on an unknown device from an IP address in another country, or trying to access financials or intellectual property, that will send up red flags, depending on the parameters enabled in the system. The user can then be required to perform additional authentication measures, beyond entering a password, in order to be granted access.
There are a few other promising methods of strong authentication on the horizon that are making their way into the real world. “Somewhat continuous” authentication looks at behavior not only while logging in, but during the session itself, to make sure you remain the person in control, which is useful where highly sensitive information is at stake, as in the world of espionage. Other biometric methods are in development to further ensure user identity.
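The two preceding paragraphs describe a policy engine in prose: score the signals around an access attempt (device, location, network, sensitivity of the resource) and step up authentication when the score crosses a threshold, then keep re-scoring during the session. The following Python is an added illustration of that idea and is not Symantec's product logic or code from the post; the user, device, address and resource data, the signal weights and the thresholds are all constructed for the example, and `review_session` is this example's own rendering of "somewhat continuous" authentication.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed policy data for a hypothetical organisation (not from the original post).
KNOWN_DEVICES: Dict[str, Set[str]] = {"alice": {"dev-laptop-01", "dev-phone-01"}}
HOME_COUNTRY: Dict[str, str] = {"alice": "US"}
CORPORATE_PREFIXES = ("10.0.",)                 # corporate network address prefixes
SENSITIVE_RESOURCES = {"finance-ledger", "source-repo"}

# Assumed signal weights and decision thresholds; a real deployment tunes these.
WEIGHTS = {
    "unknown_device": 3,
    "foreign_country": 3,
    "off_network": 1,
    "sensitive_resource": 3,
    "session_context_change": 4,
}
THRESHOLDS = {"step_up": 3, "deny": 7}


@dataclass
class AccessEvent:
    user: str
    device_id: str
    ip: str
    country: str
    resource: str


@dataclass
class Decision:
    score: int
    level: str                                  # "allow", "step_up" or "deny"
    reasons: List[str] = field(default_factory=list)


def _level_for(score: int) -> str:
    if score >= THRESHOLDS["deny"]:
        return "deny"
    if score >= THRESHOLDS["step_up"]:
        return "step_up"
    return "allow"


def score_event(ev: AccessEvent) -> Decision:
    """Score one access attempt from the signals the post describes: device,
    location, network and the sensitivity of the requested resource."""
    score, reasons = 0, []
    if ev.device_id not in KNOWN_DEVICES.get(ev.user, set()):
        score += WEIGHTS["unknown_device"]
        reasons.append("unknown_device")
    if ev.country != HOME_COUNTRY.get(ev.user):
        score += WEIGHTS["foreign_country"]
        reasons.append("foreign_country")
    if not ev.ip.startswith(CORPORATE_PREFIXES):
        score += WEIGHTS["off_network"]
        reasons.append("off_network")
    if ev.resource in SENSITIVE_RESOURCES:
        score += WEIGHTS["sensitive_resource"]
        reasons.append("sensitive_resource")
    return Decision(score, _level_for(score), reasons)


def review_session(events: List[AccessEvent]) -> List[Decision]:
    """'Somewhat continuous' authentication: re-score every request in a session,
    and treat a device or country that differs from the session's first request as
    a signal that the person in control may have changed."""
    first = events[0]
    decisions = []
    for ev in events:
        decision = score_event(ev)
        if ev.device_id != first.device_id or ev.country != first.country:
            decision.score += WEIGHTS["session_context_change"]
            decision.reasons.append("session_context_change")
            decision.level = _level_for(decision.score)
        decisions.append(decision)
    return decisions


if __name__ == "__main__":
    # Constructed sample events mirroring the post's scenarios.
    hq_wiki = AccessEvent("alice", "dev-laptop-01", "10.0.1.5", "US", "wiki")
    hq_finance = AccessEvent("alice", "dev-laptop-01", "10.0.1.5", "US", "finance-ledger")
    abroad_unknown = AccessEvent("alice", "unknown-phone", "203.0.113.9", "FR", "finance-ledger")
    for ev in (hq_wiki, hq_finance, abroad_unknown):
        d = score_event(ev)
        print(f"{ev.resource:15} {d.level:8} score={d.score} {d.reasons}")
    # Mid-session switch to a second (known) device still prompts a step-up.
    switched = AccessEvent("alice", "dev-phone-01", "10.0.2.3", "US", "wiki")
    print([d.level for d in review_session([hq_wiki, switched])])
```

The `reasons` list matters as much as the level: when a step-up is demanded, the help desk and the security team need to see which signals fired, and those same reasons are what an analyst reviews when tuning the weights to cut false step-ups without letting an unknown device from abroad reach the ledger on a password alone.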
Gartner probably had a point. The days of exclusively using simple password protection may be numbered. We’ve seen enough examples to know that it’s not a matter of if a password-only protected account will be compromised, but when. We’re already seeing large consumer services go this route, with the Googles and Yahoos of the world allowing users to turn on optional two-factor authentication. That said, moving to a world where these alternative authentication systems are the norm won’t happen quickly, so don’t be surprised to see attackers entering networks with legitimate, albeit compromised, access credentials for the time being. Moving forward, businesses can’t afford to take any chances, and it’s time that we find the strong authentication system that will work best for us. Until then, most will continue relying on a security control that doesn’t work. Peace of mind will only begin where simple passwords end.