Ten CISOs from across industries have predicted that the days are numbered for the password as the sole authentication method. They see enterprises moving to augment or supplant the traditional password with advanced technologies, such as biometrics.
Security Current, an information and collaboration company, talked with various CISOs, who agree that passwords are inherently flawed because they depend on users to create and remember complex sequences of letters, numbers and characters. Users tend to take the path of least resistance, selecting sequences that are easy to remember – and often easy to crack.
"Despite industry-wide efforts to reinforce this method of authentication and the number of methods available to encrypt and store passwords, the fact remains that creating good passwords – and safeguarding them – is as difficult as rocket science," said Nikk Gilbert, ConocoPhillips director of global information protection and assurance.
Passwords are as useful as floppy disks just before their extinction, but to date, we have yet to find a viable solution to replace them, he said.
Despite industry-wide efforts to reinforce this method of authentication and the number of methods available to encrypt and store passwords, it still remains difficult to create and safeguard good passwords. Until an innovative solution is created, we must focus on educating and motivating users to adopt solid security practices.
Aaron's, Inc. CISO Chris Bullock isn't as quick to dismiss the password, and suggests it is a necessary layer in a multi-faceted authentication schema.
"Just like the locks on our front doors can't stop a determined burglar or home invader 100% of the time, we continue to invest in door locks and alarms to protect our property," said Bullock. "When used correctly, passwords can still be an effective layer of defense, yet we should continue to innovate in the area of authentication."
Passwords are about as sexy as locking the front door of your house before you leave for work. That being said, both are still rudimentary and necessary instruments of security.
Will the password technology improve and simplify? Of course. Will door locks become better with enhanced doorframes and overall improved door architecture? Certainly.
Just as we look to improve securing our physical world, personal safety and valuables we must look to improve our cyber security, privacy and peace of mind. This doesn’t mean that we discount and eliminate current methods. It simply means we use them as part of the defense layer while we enhance and fortify them, he said.
When used correctly and fortified with other technology (two-factor, biometrics, etc.), passwords can still be an effective layer of defense, yet we should continue to innovate in the area of authentication.
Aetna CISO Jim Routh agrees that no single method of authentication by itself is sufficient, and although technologies like multi-factor authentication and smart cards have been available for years, they do not have the frictionless ease of use that is required for large-scale consumer adoption.
With each newly announced data breach, most enterprises have done little to eliminate passwords as the primary method of authenticating individuals.
Next generation technologies, capabilities that can truly eliminate the use of passwords, can and will reduce risk and improve the user experience. Adaptive cognitive and behavioral techniques combined with a risk engine represent the future of authentication for all industries, he said.
Real-time data points, such as finger swipe speed and pressure on a mobile device screen or typing cadence on a keyboard, can uniquely identify individuals without interruption. Observations of past interactions, such as geolocation or repeated transaction types, build a pattern of your typical behavior.
A robust authentication system has many layers of such inputs that all feed into a risk analysis engine informing applications on how much functionality to provide. Any single authentication attribute by itself is not sufficient to permit access. Applying risk analytics to all of the attributes in combination is the real solution to eliminating passwords.
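As an added illustration (not code from the article or from any of the CISOs quoted), this toy risk engine combines the kinds of real-time and historical attributes described above, typing cadence, geolocation, transaction type and device familiarity, into a single score and maps it to how much functionality an application should expose. Weights, thresholds and the baseline profile are constructed assumptions, not values from the page.

```python
"""Toy adaptive-authentication risk engine (added example, constructed values)."""
from dataclasses import dataclass, field


@dataclass
class Profile:
    """Behavioural baseline built from a user's past interactions."""
    cadence_ms: float                 # typical inter-keystroke interval
    cadence_tol_ms: float             # deviation still treated as normal
    locations: set = field(default_factory=set)
    transactions: set = field(default_factory=set)


@dataclass
class Observation:
    """Real-time data points gathered during the current session."""
    cadence_ms: float
    location: str
    transaction: str
    device_known: bool


def risk_score(p: Profile, o: Observation) -> float:
    """Fold every attribute into one score in [0, 1]; no attribute decides alone."""
    score = 0.0
    drift = abs(o.cadence_ms - p.cadence_ms)
    score += min(drift / p.cadence_tol_ms, 1.0) * 0.35   # typing-cadence drift
    score += 0.0 if o.location in p.locations else 0.30   # unfamiliar geolocation
    score += 0.0 if o.transaction in p.transactions else 0.20  # unusual action
    score += 0.0 if o.device_known else 0.15              # unrecognised device
    return round(score, 3)


def access_level(score: float) -> str:
    """Tell the application how much functionality to provide for this score."""
    if score < 0.25:
        return "full"
    if score < 0.5:
        return "limited"    # e.g. read-only, no high-value transactions
    if score < 0.75:
        return "step-up"    # ask for an additional factor before continuing
    return "deny"


def evaluate(p: Profile, o: Observation) -> tuple:
    s = risk_score(p, o)
    return s, access_level(s)


# Constructed sample baseline for one user
BASELINE = Profile(cadence_ms=180.0, cadence_tol_ms=60.0,
                   locations={"Houston,US", "Denver,US"},
                   transactions={"balance", "transfer-small"})
```

A session that matches the baseline in every attribute scores near zero and gets full access; one that deviates on every attribute saturates the score and is denied, while partial deviations land in the limited or step-up bands.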
According to Valley Health CISO Frank Bradshaw, the days of the password serving as a viable method of identification are behind us. Two-factor authentication adds a layer of validation based on something the user has or knows, but these also can be compromised easily.
With technology advancing at such a rapid pace, we must create a frictionless world where we can move about and authenticate without a password that anyone can steal and use, or a token that could be lost or stolen, he said.
Biometric technology is becoming the authentication tool of choice for many enterprises because the focus is on “something you are” versus something you have or know. Biometric credentials are frictionless. You don’t leave them at home, they can’t get lost and it takes a considerable amount of effort to replicate them, he said.
Technology has advanced so that the infrastructure to support multi-factor biometric scanning (you must present a matching fingerprint and retina scan for example) has become a reasonable expense and we will see adoption of this technology increase in the near future.
"Biometrics or multi-leveled, behavioral-based techniques will improve the future of authentication," said Molson Coors CISO Christine Vanderpool. "But managing appropriate levels of access is also critical to data protection because at the end of the day, the bad actors will continue to find ways to steal the information you are protecting if they want it badly enough."
Standard multi-use passwords, the ones we use on a daily basis for almost everything in our lives, are archaic and ineffective at achieving their goal of proving one’s identity.
Passwords are penetrable because they are derived from human nature and most humans take the path of least resistance. Selecting whatever is easiest to create and remember makes for weak, easy-to-crack passwords, which leaves information vulnerable, she said.
One-time-use passwords or two-factor authentication make passwords more effective; however, the more secure methods of authentication require something that cannot be duplicated, guessed, or stolen.
Biometrics or multi-leveled, behavioral-based techniques will improve the future of authentication, but managing appropriate levels of access is also critical to data protection because at the end of the day, the bad actors will continue to find ways to steal the information you are protecting if they want it badly enough.
Jonathan Chow, CISO at Live Nation Entertainment, says the death of passwords as we know them today is probably over-stating it. However, what can’t be disputed is the steady decline in how effective the traditional password is for securing systems.
The problem is that we as an industry haven’t come up with anything better. For the past 15 years, “next-gen” authentication mechanisms have basically taken on some variant of a one-time code (via token, app or SMS) to supplement “something you know,” or biometrics, or something more obscure. These might be OK for tactical, specific use, but as a paradigm-changing fundamental way to access systems, it’s not there yet, he said.