2019 and the Future of Password Security and MFA

Almost a year ago, the editors of Solutions Review’s Cybersecurity team asked if passwords and traditional access management were dead.

We wrote this article not to be alarmist. Instead, we asked whether passwords should still serve as part of modern enterprises’ identity and access management platforms. Evidence suggests they constitute a major vulnerability and attack vector.

81% of confirmed data breaches involve weak, default, or stolen passwords according to the Verizon Data Breach Investigation Report. Moreover, according to an interview with Rachael Stockton—Director of Identity and Access Technologies at LogMeIn—59% of users repeat their stolen passwords.

However, these grim findings assume enterprises continue to rely on single-factor authentication—a practice rapidly becoming outdated in the wake of modern data breaches. But what, then, is the future of password security in 2019? How does the future of password security line up with the future of two-factor authentication (2FA) and multifactor authentication (MFA)?

Here are some of our findings:

Incorporating The Future of Password Security into MFA

If there is to be a future of password security, enterprises need to enforce stronger passwords among their users—employees, contractors, and other third parties alike. According to a recent report from SplashData, nearly 10% of users selected at least one of the 25 worst passwords for one of their accounts. This cannot continue.

Allowing users to use passwords in their authentication can prove a welcome way to improve IAM adoption across the network; studies find users overwhelmingly prefer passwords over biometrics, perceiving the former to be more convenient.

However, if your enterprise plans to use passwords in its access management processes, you must mandate the strongest possible passwords. During the onboarding stage, users must be assigned, rather than allowed to create, a unique password which cannot resemble any other passwords the user currently owns. While this constitutes a huge undertaking for your IT security teams, it allows for a much more comprehensive security platform.

Enterprises, in short, must lead the future of password security rather than allowing their end-users to take full responsibility for a crucial authentication factor. If you are to implement multifactor authentication, you can’t risk one of the factors being rendered vulnerable because of employee negligence.

Is Two-Factor Authentication Still Enough?

Password security, by its nature, focuses on two-factor authentication, which combines something the user knows—the password—with a second factor such as a hard token (something the user has) or a biometric (something the user is).

Two-factor authentication serves as a stronger alternative to single-factor authentication. Yet the future of password security may not lie with two-factor authentication.

The more authentication factors incorporated into your identity and access management, the more secure your enterprise. Two-factor authentication is indeed stronger than a password-reliant single-factor authentication process, but it can’t compare to the capabilities of multifactor authentication. When combined simultaneously with factors like geofencing, biometrics, and hard tokens, strong passwords can prove a surprisingly effective gatekeeper.

Increasing evidence indicates hard tokens and biometrics can be subverted or mimicked by hackers. The future of password security thus may instead place it as part of a much more intricate web of authentication factors.

Moreover, multifactor authentication works to support a granular access model rather than the all-or-nothing model of authentication supported by passwords alone—enter the password and get access, or fail to and don’t. Granular access asks for more authentication factors as the sensitivity of the data increases. The future of password security may require switching to this model instead.
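The granular access model described above, as an added example rather than code from the original article: a small policy evaluator in which the password remains the first gate and each sensitivity tier demands more distinct factor types (knowledge, possession, inherence, location). The tier thresholds, the trusted office network used for geofencing, and the `AuthContext` fields are constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed policy: each sensitivity tier names how many distinct factor
# *types* must be proven before access is granted. The password is always required.
REQUIRED_FACTORS = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}
FACTOR_ORDER = ["knowledge", "possession", "inherence", "location"]

# Hypothetical office network used for the geofencing factor (constructed value).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]


@dataclass
class AuthContext:
    password_ok: bool = False        # something the user knows
    hard_token_ok: bool = False      # something the user has
    biometric_ok: bool = False       # something the user is
    source_ip: Optional[str] = None  # where the user is (geofence)


def satisfied_factors(ctx: AuthContext) -> set:
    """Map raw authentication signals onto distinct factor types."""
    have = set()
    if ctx.password_ok:
        have.add("knowledge")
    if ctx.hard_token_ok:
        have.add("possession")
    if ctx.biometric_ok:
        have.add("inherence")
    if ctx.source_ip is not None:
        addr = ipaddress.ip_address(ctx.source_ip)
        if any(addr in net for net in TRUSTED_NETWORKS):
            have.add("location")
    return have


def evaluate(ctx: AuthContext, sensitivity: str):
    """Return ('allow', []), ('step_up', [missing factor types]) or ('deny', reason)."""
    needed = REQUIRED_FACTORS[sensitivity]
    have = satisfied_factors(ctx)
    if "knowledge" not in have:
        return ("deny", "password gate failed")  # no step-up without the first factor
    if len(have) >= needed:
        return ("allow", [])
    # Request the next factor types in a fixed order instead of failing outright.
    missing = [f for f in FACTOR_ORDER if f not in have][: needed - len(have)]
    return ("step_up", missing)
```

A "step_up" result is the point of the model: the user is not rejected, but is challenged for exactly the additional factors the data's sensitivity requires.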

The Future of Password Security Training

Password security is as much about training as it is about technology.

Having the right identity and access management solution is essential to the future of password security in your enterprise. However, technology is only one part of the overall security equation. Another crucial component is employee adoption and understanding of password security best practices.

Only 50% of users change their passwords after a breach affects them, according to Stockton. Often users feel their passwords will not be stolen or that nothing they do can change whether hackers get their credentials. This must change if your enterprise aims to strengthen its authentication and access management.

Through comprehensive and regular training, your employees can embrace the password security best practices you need to secure your future in a dangerous digital market.

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghostwriter. You can reach him via Twitter and LinkedIn.