Page 43 - Cyber Defense eMagazine - September 2017
Are passwords passé?
Everyone knows that 123456 isn’t a good password. Yet not only do people continue to use
123456, it was actually the most common password of 2016… and 2015, and 2014, and 2013.
Savvy network administrators try to quash this carelessness by regularly making users change
their passwords to strings that include a certain number and type of characters. Then the IT
support team spends its days answering lost password requests, since no one can remember
how to log in. Maybe those IT teams should be grateful; at least the people calling the helpdesk
aren’t writing their passwords on sticky notes that are now hanging on their monitors for the
world to steal, which is the practice of about half of any typical user base.
Multi-factor Authentication for the Masses
There are three factors used to authenticate identity: something you know, like a password;
something you have, like a fob; or something you are, like a fingerprint or retina. The gold
standard right now is to incorporate at least two of these factors into an IAM program. This is
called multi-factor authentication, or MFA.
MFA has been used in critical technology environments, like data centers, for many years. But
while the server guys were entering PINs in conjunction with using card readers or iris scanners,
the typical end users were still just using passwords to get into their corporate systems. The
problems associated with managing physical tokens or biometric data for an entire workforce
were just too great a burden for most organizations.
However, smartphones have changed the way end users view MFA. Since most people have a
smartphone, they’re already carrying a physical token, and since most of them use fingerprint
recognition to unlock those phones, they’re already using biometrics. Employees may rebel at
the idea of providing biometric data to their corporations, but they’re not going to mind using
biometric data to unlock their phones to retrieve a temporary password sent by text.
Authentication as a Service
Nobody is against multi-factor authentication. Common sense would indicate that if one lock is
good, two locks are better. But business leaders have to keep their organizations secure in all
ways, and they may perceive the cost and difficulty of implementing MFA as a risk as well.
However, IAM solutions that include MFA don’t have to be hard. Companies can control access
in the same way they run operational software: by using the cloud.