Today is the first Thursday of May, which means it’s World Password Day. World Password Day is a timely opportunity to remind internet users to evaluate their individual password strengths and best practices. However, in reality, passwords are a significant vulnerability and even the strongest passwords can easily be stolen and compromised.
According to the 2019 Verizon Data Breach Investigations Report, as many as 80% of all breaches result from weak, default, or stolen passwords. Hackers use a variety of methods to get their hands on passwords, including ransomware and phishing attacks, installing spyware that records keystrokes (keylogging), infecting frequently visited sites (waterhole attacks), gaining access to a free or public Wi-Fi using a fake wireless access point (WAP), or even buying them on the dark web for as little as $7.
The recent cyber-attack at the San Francisco International Airport (SFO) further confirms these notions. Hackers installed harmful code on two SFO websites to steal Windows user credentials and gain access to SFO workers' personal Windows devices.
So, as passwords are widely recognized as one of the weakest links in an organization’s security, is World Password Day really something we should be celebrating?
In light of the increased remote workforce due to COVID-19, it's more critical than ever to go beyond solely relying on passwords for security. Individuals and organizations must prioritize cybersecurity as a year-round endeavor that goes beyond simply reinforcing password best practices and turn to more robust authentication methods.
In this blog, we will discuss how passwords fundamentally put you and your organization at risk, and explore the more secure and usable options you can leverage to replace them entirely.
What are the Inherent Insecurities of Passwords?
Best practices recommend making your passwords as long as possible and using a different password for each platform or account. As today's users typically juggle an average of 70-80 passwords, passwords are cumbersome to manage and often result in lost productivity. In fact, recent research from the Ponemon Institute found that users spend over 12 minutes a week entering or resetting passwords, which adds up to nearly 11 hours per year.
The near impossibility of remembering each password creates a major failure point at the user level. Users often revert to the path of least resistance by selecting passwords that are easy to remember, replicating passwords across multiple accounts and applications, and sharing passwords with other employees. They also resort to shortcuts, such as writing passwords down or storing them in unencrypted spreadsheets, which are all major security risks.
Many organizations try to increase the security of passwords by mandating policies that call for frequently changing passwords. Unfortunately, this often leads to end users creating workarounds that cripple security, such as choosing weak passwords, reusing passwords, or transforming them in ways that are highly predictable to hackers. For instance, Cowboysfan#1 becomes cOwboy$fan#12, then CoWboy$f@n#123, and so on. This makes it easy for hackers to use social engineering techniques to learn users' passwords and then break into systems.
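The rotation pattern above (Cowboysfan#1 to cOwboy$fan#12 to CoWboy$f@n#123) is easy to catch at password-change time. The following is an added example, not code from the original post or any vendor: it normalizes case, common character substitutions and trailing counters so that cosmetic variants of an old password collapse to the same core string and can be rejected. The substitution map and the sample passwords are constructed assumptions.

```python
import re

# Substitutions users typically apply when "changing" a password
# (assumed mapping, constructed for this example).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw):
    """Reduce a password to its core so trivially derived variants match."""
    core = pw.lower()
    # Drop the trailing digits/punctuation users increment (#1, #12, #123 ...)
    core = re.sub(r"[\W\d_]+$", "", core)
    if not core:
        # All-digit or all-symbol passwords: keep the full string instead
        core = pw.lower()
    # Undo leet substitutions, then drop remaining non-alphanumerics
    core = core.translate(LEET)
    return re.sub(r"[^a-z0-9]", "", core)


def is_predictable_variant(new_pw, history):
    """True when new_pw is only a cosmetic transform of a prior password."""
    new_core = normalize(new_pw)
    return any(new_core == normalize(old) for old in history)


def check_rotation(new_pw, history):
    """Return (accepted, reason) for a password-change request."""
    if is_predictable_variant(new_pw, history):
        return False, "new password is a predictable variant of a previous one"
    return True, "ok"


if __name__ == "__main__":
    # Constructed password history from the rotation pattern in the post
    previous = ["Cowboysfan#1", "cOwboy$fan#12"]
    for candidate in ["CoWboy$f@n#123", "correct horse battery staple"]:
        print(candidate, "->", check_rotation(candidate, previous))
```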
In addition, enforcing strict and complex password policies forces employees to spend longer accessing the systems they need to do their jobs or to turn more frequently to the IT department for help, which wastes everyone’s time. Gartner estimates that 40 percent of all help desk calls are for password resets, and Forrester researchers have calculated the cost of a single password reset to be $70, so the time and soft cost savings can add up quickly.
Furthermore, many platforms and applications make the problem worse with a three-strike lock-out policy. If the user is locked out of their account, they are unable to be productive and thus fully dependent on the IT department or help desk before they are back up and running.
It’s also important to consider contract and seasonal employees, who have become a necessity to many organizations whose workforce needs to contract and expand frequently. When members of the contingent workforce need access to sensitive systems and assets during their time with the company, poor password practices often creep in, like sharing passwords or using generic passwords such as “admin.”
How MFA Augments and Even Eliminates Passwords
Multi-Factor Authentication (MFA) offers many advantages over passwords and better secures your sensitive data and assets as it strikes a balance between usability and protection. MFA combines three authentication factors to limit risk and can act to augment passwords, which are a single authentication factor.
The three authentication factors are something you know, such as a password or PIN; something you have, like an RFID card or token; and something you are, such as a biometric, including facial recognition and fingerprint authentication. MFA has been proven to render attacks harmless even when a user’s credentials are stolen or compromised, because the attacker still would not have the additional authentication factors.
Many of today’s MFA solutions offer the flexibility to increase security without negatively affecting usability. The range of MFA methods available to fit your unique situation is extensive and includes push authentication, Radio Frequency Identification (RFID), Bluetooth authentication, FIDO U2F tokens, fingerprint biometrics, and one-time passwords (OTPs) in the form of hard and soft tokens, among others.
There are also a number of benefits to implementing MFA. For starters, MFA can make user authentication a much more fluid and seamless experience than using passwords. When used as a password replacement, such as through push authentication on a user’s phone with fingerprint authentication enabled, MFA does away with countless password resets, saving time and effort for your IT department.
With MFA, you can even take advantage of existing security investments in physical access by leveraging the same proximity card technology your employees already use to unlock and open doors to also unlock Windows devices. MFA also helps organizations comply with regulations that require or strongly recommend robust authentication, including SOX, CJIS, DFARS, HIPAA, HITECH, EPCS, Positive ID, and PCI-DSS.
Organizations can even adapt MFA authentication policies to include specific contextual factors that govern which MFA method is actually needed. These factors are based on criteria such as the location the user is authenticating from, whether the device used to authenticate is trusted, and the time of day. Each of these variables can raise a warning flag when it falls outside the norm or the user's usual pattern, for example when a user authenticates from another country or tries to log in outside of business hours. The system could then require additional factors for logging in to protect the environment.
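To make the contextual policy concrete, here is an added example (not code from the original post or from any MFA product) that evaluates a login attempt against the three signals named above, location, device trust and time of day, and returns the factors to demand. The home country, business hours, trusted-device list and the escalation ladder (push, then fingerprint, then a FIDO U2F token) are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class LoginContext:
    user: str
    country: str      # country resolved from the source IP (constructed)
    device_id: str    # identifier of the device presenting the login
    hour: int         # local hour of day, 0-23


@dataclass
class Policy:
    home_country: str = "US"
    business_hours: range = range(8, 18)   # 08:00-17:59, assumed
    trusted_devices: set = field(default_factory=set)


def required_factors(ctx, policy):
    """Return (factors, flags): the factors the user must present and the
    contextual anomalies that raised the requirement."""
    flags = []
    if ctx.country != policy.home_country:
        flags.append("foreign_country")
    if ctx.device_id not in policy.trusted_devices:
        flags.append("untrusted_device")
    if ctx.hour not in policy.business_hours:
        flags.append("outside_business_hours")

    # Baseline: one possession factor, a push to the enrolled phone.
    factors = ["push"]
    if flags:
        # Any single anomaly adds an inherence factor on the same phone.
        factors.append("fingerprint")
    if len(flags) >= 2:
        # Several anomalies at once: also require a hardware U2F token.
        factors.append("fido_u2f")
    return factors, flags


if __name__ == "__main__":
    # Constructed policy and sample login attempts
    policy = Policy(trusted_devices={"laptop-0042"})
    attempts = [
        LoginContext("alice", "US", "laptop-0042", 10),   # normal workday
        LoginContext("alice", "DE", "laptop-0042", 10),   # travelling
        LoginContext("alice", "DE", "unknown-phone", 23), # several anomalies
    ]
    for ctx in attempts:
        print(ctx.user, ctx.country, ctx.hour, "->", required_factors(ctx, policy))
```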
Finally, MFA enables organizations to safeguard data and systems that are accessed via remote access solutions such as VPNs, portals, virtual desktop infrastructure, and remote desktops. As more and more staff work off-site due to COVID-19, it’s more crucial than ever to verify the identities of all remote users through MFA.
Advance Your Multi-Factor Authentication Capabilities Today
Passwords are a deep-rooted weakness in your organization’s security and leave you vulnerable to hackers. As few as eight characters can separate your sensitive data from hackers who can take advantage of your data and compromised credentials for their own profit on the black market.
As more information becomes available to the public on the internet, we have to do more to verify identity data. The reality is that if you’re going to continue using passwords to combat today’s threats, you need to combine them with flexible, multi-factor authentication.
The recommendation of MFA by best-practice frameworks and standards such as ISO 27001 and COBIT has only further driven MFA adoption. Whether your organization is just looking into MFA or already has an MFA solution in place, there’s no better time than now to evaluate your organization’s current authentication strategy and determine the steps needed to increase your MFA maturity level.
To discover how you can advance your MFA capabilities and move away from passwords altogether, check out our on-demand webinar: Advancing Your Identity Management Strategy with the IAM Maturity Model, Part 2 - Multi-Factor Authentication. This webinar provides actionable insights into how to evaluate your organization’s current authentication maturity level and take your MFA strategy to the next level.