The password-on-a-sticky-note has become an IT trope, but it turns out that password insecurity is an even bigger problem than many people thought. Researchers with identity governance vendor SailPoint Technologies, in the annual Market Pulse Survey, examined the state of passwords as a means for security, user identity and authentication. What they found probably surprised few people. Essentially, employees not only continue to do things that security professionals warn against, but their cybersecurity habits are actually getting worse, according to SailPoint researchers.
For example, users are reusing passwords across different accounts (75% of survey respondents said they did this, compared with 56% in 2014), reusing passwords for both personal and work accounts (47%), and rarely changing passwords for work accounts (23% do this at most twice a year) and personal accounts (67%).
Such statistics reinforce what many enterprise security officials and those with cybersecurity vendors have been saying for years: Passwords are a poor way to protect a user’s privacy and the vast amounts of sensitive data that companies store. As Robert Ford, senior director in IT Showcase at Microsoft, wrote in a blog post, “Passwords are insecure. Inconvenient. Expensive. Nobody likes them. [insert your preferred reason here]. Even Satya Nadella has said, ‘One of the biggest security issues is passwords.’”
Microsoft is among a large and growing number of tech companies that are developing and supporting alternatives to simple passwords. The options range from two-factor and multi-factor authentication (MFA) and biometrics like fingerprint, face, voice and ear recognition to standards like WebAuthN, emerging technologies like blockchain, and behavioral modeling that takes into account everything from a user’s online habits to their physical locations, their daily routines and the technologies they use. Each of these options has its own challenges, but they all represent a step up from simple passwords.
That doesn’t mean the death of passwords anytime soon, but a password-less authentication future is in the making.
Passwords Weren’t Meant for All This
According to SailPoint CMO Juliette Rizkallah, there is a combination of reasons behind employees’ poor password behaviors.
“First, employees are being pressured to always produce more and are eager to access new applications faster, taking shortcuts in their company security for the sake of productivity,” Rizkallah told ITPro Today in an email. “And second, employees feel that they have no control over data breaches. Data breaches are so numerous, they often feel inevitable, no matter what the employees do or do not do. The recent practice of credential stuffing--when hackers purchase stolen account credentials on the dark web to access corporate data--shows how damaging a bad habit like reusing passwords across accounts can be.”
However, Chris Gonsalves, vice president of research and content at The 2112 Group, said a fundamental problem with passwords is that they weren’t made for such a time when users have dozens of places where passwords are necessary.
“It's misguided to blame the users for the inherent weakness of passwords,” Gonsalves told ITPro Today. “Passwords were never designed to secure the level of access that we now give them control over. A great deal of blood and treasure has been spent in our industry in terms of organizing passwords and encrypting them and irreversibly hashing and salting them to try to turn a fairly flimsy authentication device into something more robust which was never designed to be. We need to all find a better way to secure these accounts.”
It won’t be passwords and their inherent weaknesses, he said, adding, “It isn't possible ... to create 90 to 100 challenging passwords and then remember them all and be able to manage them. It’s an insurmountable organizational problem.”
There are myriad other problems. A survey by Secret Double Octopus, a company with password-free authentication offerings that include MFA and single sign-on, found that 23% of respondents rely on paper notes to remember their passwords, and 14% have shared their passwords with colleagues or other people.
Still, passwords are stubborn things. They’ve been used for years, and users understand them and are fairly comfortable with them.
Alternatives to Passwords
So if not passwords, then what? Two-factor authentication and MFA add another layer of protection, but they often still rely on passwords. They’re also inconvenient: additional steps for every transaction can be frustrating and time-consuming. Biometrics are gaining in use, with laptops, tablets and smartphones increasingly leveraging fingerprint readers as well as face recognition software to identify users. They’re much more frictionless than passwords, but they have flaws, including the fact that they can’t be changed. Gonsalves pointed to the breach in 2015 of the U.S. Office of Personnel Management (OPM), in which the sensitive information of 21.5 million people was stolen. That data included fingerprints.
There also have been reports of facial recognition software being fooled by photos and of similar techniques being used to fool other security methods. Fausto Oliveira, principal security architect at cybersecurity vendor Acceptto, said he was recently in China, and whenever he went in or out of the country, his face and fingerprints were scanned.
“That tells you that the Chinese government already has it [and] our own government has it,” Oliveira told ITPro Today. “If somebody has your address or your fingerprints and your face, you fundamentally are breached for life.”
Encryption and protocols also are options. Microsoft, for example, has announced that Edge would join Firefox and Google Chrome in supporting the World Wide Web Consortium’s (W3C) WebAuthN protocol for password-less authentication.
SailPoint’s Rizkallah said security developers also are looking into blockchain for federated authentication, “where the notion of a single source of truth for access is not needed and therefore cannot be exploited. It remains to be seen if we can make blockchain work or if we just evolved password usage toward permission-based access, where each access will be authenticated in a special way involving several technologies such as MFA.”
The User as the Password
One method that’s gaining interest is taking advantage of emerging machine learning algorithms and techniques to track individual users and use their actions, routines and tendencies for authentication. Whether it’s called behavior modeling, cognitive authentication, persona-based authentication or something else, the idea is essentially the same. People are creatures of habit: They tend to get up and get online around the same time each day, in the same area of the world, use the same devices to access the network, communicate in the same language and go to the same websites. If all such traits can be collated, a pattern of behavior emerges, and then anything abnormal that pops out can be seen and questioned.
If a user is known for going online every morning at 7 a.m. on the East Coast, using his Samsung smartphone, going to political news sites and typing commands in English, then someone using the same identity typing commands in Russian using an Apple tablet in Eastern Europe will stand out, and red flags can go up. If that happens, “I'm going to create a challenge to you that might ultimately end up with me making contact with you or sending something to you for some sort of combination of password and two- or multi-factor authentication,” Gonsalves said. “But that won't happen routinely for the most part. You'll be in what's referred to as a zero-login kind of environment or passive logging environment that's dependent upon your particular behaviors and devices that you use and the things that you do.”
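The pattern-then-anomaly idea described above, as an added illustration that is not part of the article and not code from Acceptto, SailPoint or any other vendor named here: a per-user baseline is built from past logins (hour of day, region, device, language), a new login is scored by how many habitual traits it departs from, and the score decides between a silent pass, a step-up challenge such as MFA, or a denial with an alert. The traits, weights, thresholds and the sample login history are all assumptions constructed for the example.

```python
"""Behavioral (risk-based) authentication sketch.

Added example, not code from the article or any vendor it names. The traits,
weights, thresholds and sample history below are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class LoginEvent:
    hour_utc: int   # hour of day the session started (0-23)
    region: str     # coarse geolocation, e.g. "us-east"
    device: str     # device family or fingerprint
    language: str   # UI / keyboard language observed


@dataclass
class Profile:
    """Set of values seen for each trait during successful past logins."""
    hours: set = field(default_factory=set)
    regions: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    languages: set = field(default_factory=set)


# Assumed weights: traits that are harder to fake count for more.
WEIGHTS = {"hour": 1.0, "region": 2.0, "device": 2.0, "language": 1.5}
HOUR_TOLERANCE = 2           # an hour within +/-2 of a habitual one is "normal"
CHALLENGE_THRESHOLD = 3.0    # at or above: require a step-up factor (MFA)
DENY_THRESHOLD = 5.5         # at or above: refuse the session and alert


def build_profile(history):
    """Collate a baseline from past successful logins."""
    profile = Profile()
    for event in history:
        record_success(profile, event)
    return profile


def record_success(profile, event):
    """Extend the baseline only after a login has been verified, so an
    attacker cannot normalise their own traits by logging in repeatedly."""
    profile.hours.add(event.hour_utc)
    profile.regions.add(event.region)
    profile.devices.add(event.device)
    profile.languages.add(event.language)


def _hour_is_habitual(hour, known_hours):
    # Circular distance so that 23:00 and 01:00 count as two hours apart.
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= HOUR_TOLERANCE
               for h in known_hours)


def risk_score(profile, event):
    """Return (score, list of traits that deviate from the baseline)."""
    deviations = []
    if not _hour_is_habitual(event.hour_utc, profile.hours):
        deviations.append("hour")
    if event.region not in profile.regions:
        deviations.append("region")
    if event.device not in profile.devices:
        deviations.append("device")
    if event.language not in profile.languages:
        deviations.append("language")
    return sum(WEIGHTS[d] for d in deviations), deviations


def decide(score):
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= CHALLENGE_THRESHOLD:
        return "challenge"
    return "allow"


def evaluate(profile, event):
    """Decision, score and the deviating traits for one login attempt."""
    score, deviations = risk_score(profile, event)
    return decide(score), score, deviations


# Constructed history: a user who logs in around 07:00 US Eastern (11-12 UTC)
# from a Samsung phone with an English UI.
SAMPLE_HISTORY = [
    LoginEvent(11, "us-east", "samsung-android", "en"),
    LoginEvent(12, "us-east", "samsung-android", "en"),
    LoginEvent(11, "us-east", "samsung-android", "en"),
]

if __name__ == "__main__":
    profile = build_profile(SAMPLE_HISTORY)
    for attempt in (
        LoginEvent(12, "us-east", "samsung-android", "en"),   # routine
        LoginEvent(23, "us-east", "apple-ipad", "en"),        # new device, odd hour
        LoginEvent(3, "eu-east", "apple-ipad", "ru"),         # everything differs
    ):
        print(attempt, "->", evaluate(profile, attempt))
```

A single drifting trait (a new device alone) still passes silently, which is the "zero-login" experience Gonsalves describes; two or more accumulate into a challenge. Note that `record_success` is only called for verified logins: a baseline that learns from every attempt would let an attacker teach it their own habits.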
Acceptto offers its eGuardian cognitive authentication engine that includes the company’s It’sMe authenticator and uses artificial intelligence (AI) and machine learning to continuously classify, detect and model behavior. It also assigns real-time risk scores to validate a user’s identity before, during and after authentication. It’s frictionless and makes sense, Oliveira said.
“This whole cognition and recognition of what is normal versus abnormal is very intuitive,” he said, noting that insurance giant Aetna has begun to use the Acceptto platform. “We draw and graph a pattern of habits, events [and] machines that are used. Collectively, we fuse that to establish a graph about the person and their habit about places, about locations, about the number of times they log in, about the type of screen that they use, whether it is a touch screen or not.”
Behavioral modeling has its own challenges, Gonsalves said.
“This isn't perfect, either,” he said. “First of all, there is a privacy issue. It's going to need to know a lot about where you are and what you do, and collect that data in a way that some users won't be comfortable with, so you'll have to cross a certain privacy divide in order to create these behavioral signatures.”
Still, it would mean a leap forward in security. A hacker may be able to fake one or two of the factors that make up the user’s individual profile, but it would be difficult to fake them all, Gonsalves said. Even the friction created by notifying the user if an anomaly is detected is worthwhile if it means a more robust security environment.
“I really think that putting biometrics together with behavioral and device-based identities is probably where we're going to be in the next five years,” he said. “I would say five years from now you don't see passwords as a significant authentication control any longer. There's a transition period where people begin to lean more heavily on individual pieces of [advanced security technologies], and you already see that with biometrics because they're getting comfortable with biometrics. They're pretty good in isolation. They have some problems, so you see the geolocation stuff and the data and the device-based stuff and the behavioral-based biometrics are stacking up as individual pieces. Five years out is when you start to see these things combined in earnest into really robust collections of security controls.”
Identity Is Key
There’s little disagreement that passwords need to give way to some security and authentication methods that are more secure and usable. Tech companies are spending a lot of resources to develop these new methods, but where the industry ends up is unclear. And, in the meantime, passwords will still be around, made somewhat more secure by two-factor authentication and MFA. But identity will be a key for enterprises going forward.
“Today’s users are increasingly a target for hackers, especially as the traditional perimeter has all but disappeared thanks to digital transformation,” SailPoint’s Rizkallah said. “With a company’s users being the common link across today’s IT ecosystem, they have become the new security ‘perimeter.’ As such, employees are now one of the biggest threats to an organization’s security. This is why identity governance has become such a top-level priority for companies today. Identity gives IT teams the full visibility and control they need into all users and the applications and data they are accessing to do their jobs.”