Say “password” today and the word will conjure up visions of a laptop or an application, not secret societies. Still, passwords have played an important role throughout human history in deciding who could and couldn’t enter a specific area, club or level of access to information.

During the American Prohibition Era, patrons often used passwords to get into a speakeasy or club serving alcohol. Say the wrong word to the doorman and you were kept out in the cold. Did this system keep lawmen out? Not at all. Patrons gave up passwords, agents guessed many of them, and sometimes they simply pushed right past the doormen.

What’s interesting is that the same flaws that compromised a 1920s speakeasy are still bedeviling IT departments in 2019: a password can be shared, guessed or bypassed. Passwords remain a popular strategy for blocking unwanted visitors. In fact, they’re often the only authentication control in place, leaving many enterprise assets laid bare.
Password Weaknesses

The problem is that passwords are, and have always been, a weak control. A password is a shared secret: anyone who knows, guesses or steals it is indistinguishable from the legitimate user. Research consistently identifies passwords as the weakest link. Despite many high-profile breaches that have seized media headlines, people still practice poor password hygiene in their personal and professional lives. 81 percent of Americans reuse passwords. Most users can’t remember long random strings of letters and numbers, and the result is that “123456” and “password” endure as the most popular choices.

Then there are the customers and employees who keep their passwords written on notes tucked into wallets or stuck to their monitors. Some share their passwords with other employees. Leadership often fails its workforce by not applying industry best practices for password management.

Passwords also impose a burden on IT staff, who have to generate temporary passwords for new employees and users and field a constant stream of helpdesk calls from customers with lost or forgotten passwords. This eats up staff hours and budget. Even worse, users actively resent having to remember more than a dozen passwords for different applications at work and still more apps at home.

The most pressing issue with passwords is that criminals know they are low-hanging fruit. Ever-present phishing scams and an avalanche of stolen credentials are major threats to most organizations. Attackers launch credential stuffing attacks with ease, replaying user name and password pairs leaked from one site against every other, and often guess or crack weak passwords outright. Two-factor authentication has helped mitigate these threats, but many attackers have learned to bypass the weaker second factors as well, for example by phishing one-time codes or flooding a user with push prompts until one is approved.

It certainly seems that not much has changed in the last hundred years when it comes to the password. As a result, forward-thinking security leaders have decided to take the password out of the equation altogether.

Going Passwordless

Passwordless strategies are a collection of security
controls that – as you might guess – validate an identity without requiring the customer or employee to type in a password. Teams have taken different approaches to going passwordless, with the most effective adopting a risk-based adaptive authentication methodology. Adaptive authentication evaluates each request against contextual and risk signals, and can catch an attacker who is replaying stolen credentials or trying to push through a second factor from an unfamiliar device or location.

Identity is then tied to factors that are far harder to steal or share than a password, which can be used by virtually anyone who knows (or has stolen) it. A typical approach allows seamless access for low-risk requests while asking others to complete a second method of authentication. The decision may be based on multiple elements such as:

· Attributes such as a device fingerprint, IP address or geo-location
· Strong second-factor devices including smart cards and USB authenticators
· Biometrics such as a fingerprint or facial recognition
· Behavior analytics that study a user’s behavior over time

Adaptive authentication doesn’t exist in a vacuum; the evaluation workflows can be programmed to match security policies and changing risk factors. Because the decision is driven by attributes of the user, device and request, it is a form of attribute-based access control (ABAC), and it removes the headaches of password management along with the password’s inherent security weaknesses. It also complements standards such as FIDO2 (Fast IDentity Online) and Web Authentication (WebAuthn), in which the user’s device or security key proves possession of a private key bound to the site instead of transmitting a shared secret; the risk engine decides when that stronger factor must be presented.

Passwordless In Action

Here’s how a passwordless approach can bolster security,
increase customer satisfaction and improve workforce productivity. In a typical user name and password approach, a customer logs into their online banking account and realizes they have forgotten their password. They follow the steps for requesting a temporary password, receive the email to log in and create a new one, and go on to complete their transaction. To ensure they don’t forget the new password, they carefully write it down in several places, making it easy for someone else to use the password and user name to access and drain their savings account.

With passwordless authentication, the online application instead recognizes the customer’s enrolled device through its fingerprint and weighs other risk factors. If any of those factors seem “off,” the customer receives a notification on their phone to confirm the transaction, and it is authorized or rejected according to their response.

This contextual request for additional validation can be applied to workforce users as well. Employees can be quickly evaluated through their IP address, geo-location and device fingerprint to determine whether their request for access fits their historical pattern. If an employee works from home one day and their IP address no longer matches the recorded data, they receive a push notification on their phone asking them to confirm the session. Once they respond that it is legitimate, the machine learning based behavior model factors the home IP address into their profile, and the employee can work from home without that additional step in the future. A rejected prompt, by contrast, should teach the model nothing and should be treated as a sign that someone else may hold the credential.

Let’s say, however, the employee needs to make a high-value transaction that day, such as transferring a large sum of money from one company account to another. In that case, adaptive authentication can demand a higher hurdle, such as a hardware security key or smart card, before the transaction completes, even when the device and location are familiar. This is another way risk-based policies can be applied to ensure the right customers and employees are initiating the request.

Evolving Beyond Passwords

Passwordless authentication may sound scary to the uninitiated, but the move towards device- and biometric-based technology, combined with adaptive risk checks, offers a stronger level of security partnered with a superior user experience. With today’s flexible identity platforms, IT leaders can secure all identities across cloud, hybrid and on-premises environments. There’s no better time to evolve towards new advances in identity security.
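The workflow described under Passwordless In Action, as an added example in Python that is not part of the original article or of any vendor product: a small policy engine that scores a request’s device fingerprint, IP address and country against the user’s history, asks for a push confirmation on a mismatch, learns the confirmed context so the prompt is not repeated, and requires a hardware authenticator for high-value transactions regardless of how familiar the context looks. All weights, thresholds, user names, fingerprints and addresses are assumptions constructed for the example, and the plain sets standing in for the behavior model are a placeholder for the machine learning analysis the article mentions.

```python
"""Toy risk-based adaptive authentication policy.

Added example, not the article's code. Every weight, threshold, name and
sample value below is an assumption chosen to illustrate the workflow:
compare a request's context with what is known about the user, ask for a
push confirmation on a mismatch, learn a confirmed context so the prompt
is not repeated, and demand a hardware authenticator for high-value
transactions regardless of how familiar the context looks.
"""
from dataclasses import dataclass, field

# Assumed risk weights: an unfamiliar device is the strongest single signal.
WEIGHT_UNKNOWN_DEVICE = 50
WEIGHT_UNKNOWN_COUNTRY = 35
WEIGHT_UNKNOWN_IP = 25
STEP_UP_THRESHOLD = 25     # any one mismatch is enough to ask for confirmation
DENY_THRESHOLD = 100       # device, country and IP all unknown: refuse outright
HIGH_VALUE_LIMIT = 10_000  # amounts above this require a hardware authenticator


@dataclass
class Profile:
    """What the behaviour model has learned about one user (constructed data)."""
    user: str
    devices: set = field(default_factory=set)    # enrolled device fingerprints
    ips: set = field(default_factory=set)        # source addresses seen and confirmed
    countries: set = field(default_factory=set)  # geo-locations seen and confirmed


@dataclass(frozen=True)
class Context:
    """Attributes observed on a single request."""
    device_fp: str
    ip: str
    country: str
    amount: int = 0  # value of the action being authorised; 0 for a plain sign-in


def risk_score(profile: Profile, ctx: Context) -> int:
    """Sum the weights of every attribute that does not match the profile."""
    score = 0
    if ctx.device_fp not in profile.devices:
        score += WEIGHT_UNKNOWN_DEVICE
    if ctx.country not in profile.countries:
        score += WEIGHT_UNKNOWN_COUNTRY
    if ctx.ip not in profile.ips:
        score += WEIGHT_UNKNOWN_IP
    return score


def decide(profile: Profile, ctx: Context) -> str:
    """Return 'allow', 'push_confirm', 'hardware_key' or 'deny' for a request."""
    score = risk_score(profile, ctx)
    if score >= DENY_THRESHOLD:
        return "deny"              # nothing about this request is familiar
    if ctx.amount > HIGH_VALUE_LIMIT:
        return "hardware_key"      # higher hurdle, even from a known device and location
    if score >= STEP_UP_THRESHOLD:
        return "push_confirm"      # ask the user to confirm on their phone
    return "allow"


def record_confirmation(profile: Profile, ctx: Context, confirmed: bool) -> bool:
    """Feed the user's answer to a push prompt back into the behaviour model.

    A confirmed session teaches the model the new IP address and country so
    the same context is allowed silently next time. A rejected prompt teaches
    it nothing: the profile is left untouched, and the caller should treat the
    rejection as evidence that someone else is using the account. Devices are
    deliberately never learned here; enrolling a device is a separate,
    stronger ceremony that this example does not model.
    """
    if not confirmed:
        return False
    profile.ips.add(ctx.ip)
    profile.countries.add(ctx.country)
    return True


def run_scenario() -> list:
    """Walk through the article's workforce story with constructed data."""
    alice = Profile("alice", devices={"fp-laptop-7c1e"},
                    ips={"203.0.113.10"}, countries={"US"})
    office = Context("fp-laptop-7c1e", "203.0.113.10", "US")
    home = Context("fp-laptop-7c1e", "198.51.100.7", "US")
    wire = Context("fp-laptop-7c1e", "198.51.100.7", "US", amount=250_000)
    stranger = Context("fp-unknown-9b02", "192.0.2.44", "FR")

    decisions = [decide(alice, office)]          # allow: everything matches
    decisions.append(decide(alice, home))        # push_confirm: new home IP
    record_confirmation(alice, home, confirmed=True)
    decisions.append(decide(alice, home))        # allow: home IP now learned
    decisions.append(decide(alice, wire))        # hardware_key: high-value transfer
    decisions.append(decide(alice, stranger))    # deny: unknown device, IP and country
    return decisions


if __name__ == "__main__":
    print(run_scenario())
```

Run it directly to print the five decisions for the constructed scenario. The point to carry into a real design is the asymmetry in record_confirmation: a “yes” widens the profile, a “no” never does, and nothing learned through a push prompt ever promotes a new device to trusted status.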