The demise of passwords has been greatly exaggerated
Passwords are not dead so more needs to be done to ensure proper access
03 August, 2016
category: Biometrics, Corporate, Digital ID
Dean Wiech, managing director, Tools4ever
Much has been written about passwords in the last few months, and numerous studies have shown very disturbing trends, especially as it relates to passwords in the corporate environment.
One study pointed out that 12% of employees are willing to let co-workers utilize a password for various business applications; 20% admit to sharing their company email passwords; and 10% enable others to use a device that can access the company network. While these are certainly eye-opening statistics, the most disturbing survey result is one that shows more than one in four U.S. workers would sell their password to an outsider and nearly half would do so for less than $1,000.
So what is a company to do? Password policies can be adopted and published, and employees can be required to acknowledge and sign them, but that does not guarantee compliance. Many companies have already implemented complex password policies along with requiring password changes on a regular basis. While this can reduce the risk of outsiders hacking into the network, it accomplishes nothing if employees are sharing or selling their passwords.
Two-factor authentication has been the most common “add-on” to attempt to secure the use of passwords.
The issue is that many two-factor solutions do not prevent sharing. Sure, it is hard to lend a fingerprint to someone so they can log in to a machine, but PIN codes delivered via SMS can easily be texted to a colleague or to someone outside the organization. Additionally, recent reports point out that a device may be stolen or the SMS delivery spoofed, which negates the security of the SMS PIN code.
Almost all two-factor methods, with the exception of biometrics, rely on the user keeping that second factor secure. While biometric technologies are readily available and easy to implement, they are not necessarily inexpensive. Equipping every computer in a large organization with a reader, and implementing the software to handle the readers, can be a time-consuming and expensive task. Plus, it is an extra piece of hardware for laptop users to carry around if their machine does not have a reader built in.
This is why several companies are looking to take advantage of the built-in camera on many devices for “live” facial recognition – requiring multiple photos with varying facial expressions – to enhance the username and password, or replace it altogether. As with other biometric readers, the expense of adding a camera to every desktop can be daunting.
One of the most interesting technologies is an algorithm that evaluates the way a person types and moves their mouse. Commonly referred to as keystroke dynamics, the program builds up a profile of the user's input patterns. If there is a sudden departure from the norm, it can automatically close the session and ask the user to revalidate, again with a password and PIN. The advantages of this technique are that it is relatively easy to deploy, requires no additional hardware, and can protect against insider threats as well as external breach attempts.
Other behavioral techniques can be utilized to secure authorizations as well. For example, if an employee normally logs in to the network only from the office between 8 a.m. and 5 p.m., but suddenly appears to be attempting a login from Zambia at midnight, you can be pretty sure it is a hacker. Restricting source IP addresses, time of access and geo-fencing are great, non-invasive tools to secure network and application access without inconveniencing the vast majority of users.
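The keystroke-dynamics profile and the contextual checks (work hours, known country, office network) described in the two paragraphs above can be combined into one step-up decision. The following is an added illustration, not code from the author or from Tools4ever; the baseline profile, the login events and the typing-gap figures are all constructed sample values, and a z-score threshold of 3 is an assumed tuning choice.

```python
from dataclasses import dataclass
from statistics import mean, stdev

# Constructed baseline for one hypothetical user, as it might be learned
# from past sessions: normal hours, countries, office IP prefixes, and
# the inter-keystroke gaps (milliseconds) that make up the typing profile.
PROFILE = {
    "work_hours": (8, 17),                      # 8 a.m. to 5 p.m. local time
    "countries": {"US"},
    "networks": ("10.20.",),                    # office address prefixes
    "flight_ms": [110, 125, 98, 130, 115, 105, 120, 112, 118, 108],
}


@dataclass
class LoginEvent:
    hour: int           # local hour of the attempt, 0-23
    country: str        # country resolved from the source address
    ip: str             # source address
    flight_ms: list     # inter-keystroke gaps observed in this session


def typing_zscore(sample, baseline):
    """Distance of this session's mean keystroke gap from the user's norm."""
    mu, sigma = mean(baseline), stdev(baseline)
    return abs(mean(sample) - mu) / sigma


def risk_reasons(event, profile=PROFILE, z_limit=3.0):
    """Policy rules the event breaks; an empty list means it looks normal."""
    reasons = []
    start, end = profile["work_hours"]
    if not start <= event.hour < end:
        reasons.append("outside work hours")
    if event.country not in profile["countries"]:
        reasons.append("unknown country")
    if not event.ip.startswith(profile["networks"]):
        reasons.append("IP outside office network")
    if typing_zscore(event.flight_ms, profile["flight_ms"]) > z_limit:
        reasons.append("typing cadence departs from profile")
    return reasons


def decide(event):
    """'allow' a clean event; otherwise 'step-up' (re-validate with password and PIN)."""
    return "allow" if not risk_reasons(event) else "step-up"
```

The third scenario in the test, an office login at a normal hour whose typing cadence does not match, is the insider case: every contextual check passes, and only the keystroke profile raises the flag.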
Although many organizations are touting the “death of the password,” that is unlikely in the near term; at least not until an easy-to-use, inexpensive and easy-to-implement solution becomes available. The technology also needs to work across multiple hardware platforms, operating systems and browsers. The reason passwords are hard to dislodge as an authentication method is that they are virtually technology independent and can be utilized from any device.
There are a tremendous number of technologies available to add a layer of security to password usage. With more than 750 million compromised accounts last year, it is imperative that organizations start taking steps to further secure their networks and applications with something in addition to the password. And that “something” needs to take into account the fact that all misuse of the company’s network, applications and data, whether intentional or not, happens from both internal and external sources.