When will my passwords go away?
Don’t hold your breath. There are some interesting changes happening that may move in that direction, but username/password pairs are here to stay, at least for the foreseeable future. Keeping passwords secure, providing end-user self-service, and leveraging passwords for complex enterprise scenarios are things that take valuable time and thought. Planning and preparing are a vital part of the success of your password management projects.
What is new?
You may read or hear rumors about Windows 10. There is a part of Windows that Microsoft is now calling "next generation credentials" that may help pave the way for easier to implement two-factor authentication. I have yet to see the exact scenario but Russell Smith wrote a nice post on the Petri blog that makes some assumptions on the direction. Smith suggests that the technology is going to be geared towards consumers and small businesses.
I am a proud Windows Phone user and have been for some time. I have recently been using the Authenticator app from Microsoft for all of my Microsoft properties (Azure, OneDrive, Outlook.com, etc.). This app feels old school. It generates random numbers on my phone. When I access a resource that I have configured to use Authenticator, I provide the random number that is generated on my phone. It feels much like the old ADA card I had with IBM in the mid 1990s, but without the cost and complexity of managing the deployment of an external device. Very interesting and simple to use.
Google also provides an authenticator app. I’m optimistic that these examples (Windows 10, Microsoft Authenticator and Google Authenticator) are showing the world how easy it is to use more secure and less vulnerable ways to provide authentication.
What about the Enterprise?
Planning, planning, and more planning. As a part of my role at Specops Software I work a lot with organizations that are planning out their password management approach. There are many questions they have to ask themselves and their teams. Having a team that represents the needs of different roles in the organization will help ensure adoption and success. New paradigms in password management, especially when they affect the end-users, need to be thought through.
Some of the areas that need attention while planning for password management changes are:
1) What factors are used for Authentication?
a. Knowledge Factor – you know something – username/password, challenge questions, pick a picture (picture recognition)
b. Possession Factor – you have something – smartcard, mobile device verification, token
c. Inherence Factor – you are something – biometrics
2) Is there one set of rules (policies) for all roles in the organization?
a. Typically, no!
b. Some users in the organization should have higher requirements based on impact on business
c. Some users may not be eligible (admins)
d. Do you provide opt-out?
3) How do you guarantee enrollment/registration numbers?
a. Cost savings and operational efficiencies require participation
b. Increasing security while maintaining or improving participation can be done with a good communication plan
c. Get executive buy-in and sponsorship
For more tips to ensure a successful rollout, visit the Specops Success Website to download planning guides, best practices and resources that will help you drive user adoption.
Kevin Sullivan is the Director of Sales Engineering at Specops Software and a former Program Manager at Microsoft.