Maybe “World Password Day” Should Be “World Authentication Day”
In case you missed the memo, May 7th is World Password Day. Or maybe you knew it and decided to pass on celebrating, with good reason. Strong and multi-factor authentication has proven to be more secure than passwords alone.
Passwords have been used for centuries to gain restricted entry or attain exclusive membership. But do we still need them today? Or should I say, are we continuing to use them where something safer and more efficient is in order? It baffles me to see companies still allowing their workers to use weak passwords. Granted, trying to come up with unique, strong passwords is annoying, and they add friction to the user experience. And while passwords may be easy for companies to deploy, those companies aren’t doing themselves any favors by putting their businesses and customers at risk.
Users are the hacker’s path of least resistance
Hackers will always choose the path of least resistance. They can scan network devices for open ports and misconfigurations, but for every network device there can be thousands of users. So, duh, why not target users? Employees are a delicacy for the hacker’s appetite for data precisely because they are the path of least resistance. You can read many examples of this in the 2019 Verizon Data Breach Investigations Report, which found that over eighty percent of hacking-related breaches leveraged stolen or weak passwords.
Password fatigue has become widespread, and with so many portals, websites, devices, and applications in use today, we need a better access security model. We need stronger authentication methods that don’t rely so heavily on human effort. When the same simple, easy-to-remember password is used for logging into social media, online banking, shopping, healthcare, and other sites, and any one of them is breached, all of the user’s accounts are exposed to credential stuffing.
Strong and multi-factor authentication, in its modern risk-based (adaptive) form, uses software to analyze each request and determine a trust or risk level. Whether a request earns high trust or only low to medium trust decides which authentication factors the system requires, based on policy and context: the device, the network location, the time of day, and the sensitivity of the action. For example, if a user who normally signs in from a known laptop during business hours suddenly requests a wire transfer from an unrecognized device in a new country, the authentication system’s risk engine might flag the request as a possible account takeover and block the transaction, or at least demand a second factor before allowing it.
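To make the policy-and-context idea concrete, here is a minimal risk engine as an added example. It is not code from the original article or from any particular vendor; the users, devices, countries, scoring weights, and thresholds are all constructed for illustration. Each request carries context, the engine compares it with what is already known about the user, and the resulting score maps to one of three decisions: allow with the password alone, step up to a second factor, or block outright. Sensitive actions always require a second factor, even when everything else about the request looks normal.

```python
"""Added illustration of risk-based (adaptive) authentication.

All profile data, requests, weights and thresholds below are constructed
assumptions for the example, not values from any real product or standard.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

ALLOW, STEP_UP, BLOCK = "allow", "step_up", "block"

# Actions that must never succeed on a password alone (assumption).
HIGH_RISK_ACTIONS = {"wire_transfer", "change_mfa_device", "export_customer_data"}


@dataclass
class UserProfile:
    """What the system already knows about a user (constructed sample data)."""
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    usual_hours_utc: range = range(7, 20)   # typical working window, hours 07..19 UTC
    recent_failures: int = 0                # failed logins in the last hour


@dataclass
class LoginRequest:
    """Context observed on a single authentication request."""
    username: str
    device_id: str
    country: str
    timestamp: datetime
    action: str = "login"                   # e.g. "login" or "wire_transfer"


def risk_score(req: LoginRequest, profile: UserProfile) -> int:
    """Additive risk score. Weights are illustrative, chosen so that any single
    anomaly forces step-up and a cluster of anomalies forces a block."""
    score = 0
    if req.device_id not in profile.known_devices:
        score += 30   # unrecognised device
    if req.country not in profile.known_countries:
        score += 30   # new geography
    if req.timestamp.hour not in profile.usual_hours_utc:
        score += 10   # outside the user's normal hours
    if profile.recent_failures >= 3:
        score += 20   # looks like password guessing or credential stuffing
    if req.action in HIGH_RISK_ACTIONS:
        score += 20   # sensitive transaction, regardless of other context
    return score


def decide(req: LoginRequest, profile: UserProfile) -> str:
    """Map the score to a decision; thresholds are policy, not fixed constants."""
    score = risk_score(req, profile)
    if score >= 70:
        return BLOCK
    if score >= 30:
        return STEP_UP
    # Policy rule: a password alone never authorises a high-risk action.
    if req.action in HIGH_RISK_ACTIONS:
        return STEP_UP
    return ALLOW


def evaluate_all(requests, profiles):
    """Run the policy over a batch of requests and return one decision each."""
    return [decide(r, profiles[r.username]) for r in requests]


# Constructed sample data: one user with one trusted laptop in one country.
PROFILES = {
    "alice": UserProfile(known_devices={"laptop-7f3a"}, known_countries={"US"}),
}

_T_DAY = datetime(2020, 5, 7, 14, 0, tzinfo=timezone.utc)    # 14:00 UTC, normal hours
_T_NIGHT = datetime(2020, 5, 7, 3, 0, tzinfo=timezone.utc)   # 03:00 UTC, off hours

SAMPLE_REQUESTS = [
    LoginRequest("alice", "laptop-7f3a", "US", _T_DAY),                          # everything known
    LoginRequest("alice", "phone-new", "US", _T_DAY),                            # new device only
    LoginRequest("alice", "laptop-7f3a", "US", _T_DAY, action="wire_transfer"),  # trusted context, sensitive action
    LoginRequest("alice", "kiosk-0001", "RO", _T_NIGHT, action="wire_transfer"), # everything anomalous
]

if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, evaluate_all(SAMPLE_REQUESTS, PROFILES)):
        print(f"{req.device_id:12s} {req.country} {req.action:14s} -> {verdict}")
```

The four constructed requests come out as allow, step up, step up, and block. The third case is the one worth noticing: the device, country, and time are all familiar, so the score alone would allow the request, but the action is a wire transfer, and the policy still insists on a second factor. That is the difference between treating MFA as a login ritual and treating it as a control tied to the risk of what the user is about to do.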
Moving beyond passwords
Those who pass on celebrating World Password Day are more than likely already using strong or multi-factor authentication, or a risk engine that identifies suspicious behavior before granting access. Not only does this improve the user experience, it also enhances the company’s security posture.
As we consider World Password Day, the obvious question is, will passwords go away? And what will replace them? Below are some alternatives:
- Passphrase authentication
- Password-less authentication
- Web browser authentication (for example, WebAuthn/FIDO2 credentials handled by the browser)
- Operating system authentication (for example, platform authenticators such as Windows Hello or Touch ID)
- Biometrics authentication
- Multi-factor authentication
New password-less technologies will ease access management while ensuring greater protection of corporate and personal data.
Passwords have been around for generations. And just as other once-common security rituals went out of fashion or outlived their purpose, passwords for getting into corporate systems will go away, too.
James Quick has over 20 years of experience providing strategy and implementation services in cybersecurity, digital transformation, and digital identity for mostly banking, capital markets, and financial services sectors. He has a successful record of consulting experience from Arthur Andersen, PwC, and EY, where he provided trusted advice on a range of strategic cybersecurity issues. At internet technology innovators like Netscape and Cisco, James led digital transformation programs that delivered cybersecurity protections for customers, increased revenue, and safeguarded their use of the internet. His hands-on approach to implementation produced significant wins at Cisco, where he championed the creation of the digital identity system, which managed the partner and reseller entitlement portal for Cisco Services. At Netscape, he implemented its revolutionary directory server for global clients, which laid the foundations for contemporary digital identity. James has his Ph.D. and MA degrees from Duquesne University and his BA degree from Saint Mary’s University.