After a year that was full to the brim with high profile enterprise data breaches, it’s unsurprising that password security is a hot topic as we venture through 2016.
There have been a number of announcements from enterprise organisations in the last few months about new, innovative ways they intend to replace passwords and better secure customer accounts without compromising ease of access.
Amazon announced they intend to replace credential-based authentication with “selfie” purchasing. Security concerns were raised about the likelihood of spoofing a live selfie with a picture obtained from social media. However, Amazon countered this by disclosing that their patented technology ensures that a ‘living, physical person’ is the one in the photograph. This patented 2-step authentication requires that customers not only take a selfie to confirm payment but then “perform certain actions, motions, or gestures” to verify that a living person is present.
MasterCard, somewhat ambitiously perhaps, believes that selfies will “kill off passwords within five years,” announcing that it too will begin accepting selfies and fingerprints in place of passwords in the UK. Other multinational companies are clearly thinking the same way: Windows 10 and Android phones can now be unlocked by looking at the camera, and Apple Pay has been developed to allow customers to pay in stores using only their fingerprints.
Why are passwords such a concern?
In an increasingly digital world, people are putting more and more of their lives online, through email, social media, online shopping, billing and business accounts. The average person now has around 25 online accounts, each of which stores their personal information. Within enterprise, the sheer number of passwords needed on a daily basis – to gain access to CRM systems, marketing automation platforms, social media accounts, email etc. – has made it especially difficult to remember a unique password for every one, and which password corresponds with which account. As a result, people fall back on patterns to help them remember. Employees may be using the same password with one different letter for each account, following a number scale, or simply using the same password for every account! While this may avoid the downtime of resetting multiple passwords on a weekly basis, it does leave corporate systems extremely vulnerable to a data breach.
Some concerning statistics about password security:
- More than 1 in 5 people use the same password for everything.
- 58% of people use only a few passwords across all of their accounts.
The sheer number of passwords now in use means more people than ever are vulnerable to being hacked and losing control over their personal information, and the fallout from a data breach can be significantly more damaging when the information at stake is corporate.
What does this mean for business?
Password security is a clear concern for many CIOs, as weak passwords leave their organisations open to a data breach. The actual strength of user passwords can be difficult for organisations to determine, especially as every password in use has already satisfied the policy criteria required to set it in the first place.
Employees are only human, and to avoid having to speak to helpdesks and reset multiple passwords they often choose simple passwords or ones similar to their personal accounts. Regardless of corporate policies on password security, employees will always choose something they can remember – it may be 8 characters long and contain an upper case character and a number or symbol, meeting the security policy – but notwithstanding this, it will most likely be weak and easy to crack.
Another common practice in enterprise, which actually creates security vulnerabilities, is the requirement for employees to change their password, every 90 days for example. While employees have no choice but to abide by this policy, they are most likely to change just one character to create a new password, introducing patterns and predictability into the passwords in use across the organisation.
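One defender-side response to the rotation problem just described is to check a proposed new password against the one it replaces and reject the predictable variants (one character changed, a trailing number bumped, the old password reused inside the new one). The following is an added example written for this post, not code from the original article or any product it mentions; the distance threshold and the rule names are assumptions chosen for illustration.

```python
# Added example: reject "new" passwords that are predictable edits of the old one.
# Thresholds are assumed policy values, not taken from the original post.
import re
from typing import Optional

MIN_EDIT_DISTANCE = 3  # assumed policy: new password must differ by at least this many edits


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between a and b, compared case-insensitively."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def split_numeric_suffix(s: str):
    """Split 'Summer2016' into ('Summer', '2016'); suffix is '' if none."""
    m = re.fullmatch(r"(.*?)(\d*)", s)
    return m.group(1), m.group(2)


def is_predictable_change(old: str, new: str) -> Optional[str]:
    """Return a reason if `new` is a predictable variant of `old`, else None."""
    if old == new:
        return "unchanged"
    # Same stem with only the trailing number changed (Welcome1 -> Welcome2).
    old_stem, old_num = split_numeric_suffix(old)
    new_stem, new_num = split_numeric_suffix(new)
    if old_num and new_num and old_stem.lower() == new_stem.lower():
        return "numeric suffix changed only"
    # Only a character or two changed anywhere in the string.
    if edit_distance(old, new) < MIN_EDIT_DISTANCE:
        return "too similar to previous password"
    # Old password kept whole inside the new one (Welcome1 -> Welcome1abc!).
    if old.lower() in new.lower() or new.lower() in old.lower():
        return "previous password reused as substring"
    return None
```

Wiring this into the password-change path turns the policy's weakness into a measurable event: each rejection reason can be logged and counted to see how widespread the pattern is across the organisation.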
Is it really time to kill off the password?
If passwords are so insecure, surely organisations should be scrapping them immediately and ensuring all employees' PCs and mobile devices are equipped with cameras to allow for biometric authentication, just as Amazon and MasterCard are attempting? The reality is that password authentication is not going to disappear tomorrow, as passwords are still the cheapest way to provide authentication - it’s naive to expect every application vendor to provide an alternative to credential-based authentication overnight. If Mark Zuckerberg had only offered biometric authentication as the way for users to sign up for Facebook, it would never have got off the ground!
So, while passwords can’t be completely killed off right now, there are steps you can take to mitigate the risk of passwords leading to a security breach in your organisation. Two solutions that can solve your problem:
- Single Sign-On (SSO) – This allows users to sign in once and not have to enter passwords for any other applications. Where possible, passwords for vendor applications can be replaced by token-based authentication (e.g. SAML). For applications that can only use credentials, these passwords can be automatically generated and entered by the SSO solution so employees don’t actually have to remember, know or type them, meaning they can be long, strong and complex.
- Multi-factor authentication (MFA) – Require users to authenticate on a second device, so not only does a hacker have to know the employee’s password, they’d need to have access to their smartphone as well!
If you think your organisation could benefit from an SSO solution, why not read our white paper, TEN Signs You Need SSO.