For years, passwords have been the dominant means by which organisations authenticate customer access to online services. Password-based authentication is easy and familiar for customers, and is initially inexpensive for organisations to deploy at scale. But, while password-based authentication may be appropriate in some instances, it is no longer suitable for the wide range of services where it is currently being used.
With the popularity of services such as social networks, including Facebook and Twitter, as well as online shopping and banking, the sensitivity of digital information has increased dramatically. With more sensitivity comes increased risk. Compromised passwords can result in financial loss to customers or significant reputational and monetary damage to organisations, as demonstrated by the recent data breaches at Target, Michaels and others.
At the same time, the strength of authentication based on a single password has steadily declined. New technologies and techniques have made passwords more vulnerable to a wide range of attacks, as evidenced by recent breaches that have exposed millions of customers’ personal information, including names, encrypted passwords, and email and physical addresses. These limitations are not going away, and it is time for organisations to re-examine whether password-based authentication is providing the appropriate level of risk mitigation.
Passwords Are a Hacker’s Target of Choice
A study of 30 million passwords, exposed when a music website was hacked, found that almost half the passwords were names, dictionary words or sequential characters – all easily guessable and therefore vulnerable. A recent UK government report found that ‘a majority of internet users (57%) continue to say they use the same passwords for most if not all websites’.
Furthermore, technological developments such as increased processing power and advanced exploit kits allow brute force attacks to execute billions of password guesses per second, making it easier and faster to crack weak passwords. It is no surprise that a 2014 global survey found that weak passwords enabled the initial breach in 31% of the 691 investigations the report analysed.
Complex Passwords = Failure to Deliver
Complex passwords are harder to guess and take more time to crack. A 10-digit password that conforms to good-practice complexity rules takes nearly 1,000 times longer to crack than an eight-digit one. However, enforcing complex passwords creates usability issues for customers, which degrades the customer experience and increases costs for the organisation.
Customers Can’t Cope
Customers are told to carefully select passwords that would be difficult for a hacker to guess, that are sufficiently complex, and that are different for every service they use. At the same time, they are also told to remember their passwords and not to write them down or store them on a computer. This is simply not realistic. The number of passwords customers have to manage is constantly climbing. The Norwegian study mentioned above found that on average customers had a minimum of 25 passwords. This number may be too low – a 2014 poll of our ISF Members found that several had over one hundred passwords.
It is important to determine whether your organisation is carrying an unacceptable risk from using password authentication for online services. If so, you should consider alternatives that will mitigate that risk, while being scalable and cost effective.
Define the Relevant Services and Assess the Risk of Each: Organisations should already have an inventory of the services and information they provide to their customers online. Look at previously conducted risk assessments or, if they’re out of date, conduct new ones.
Decide Which Authentication Factor(s) to Use for Which Services: A username and password may be a perfectly acceptable solution when it matches the risks associated with the service provided. Stronger authentication, using multiple factors, is more likely to be required for online services that allow customers to perform high-value transactions, such as online trading or banking.
Choose an Identity Provider: Evaluate the identity provider’s capability to meet your authentication requirements based on your risk. Also consider whether the identity provider may restrict the authentication solution(s) you are permitted to implement.
Select an Authentication Method: An organisation needs to select an authentication method that matches the authentication factor(s) and the identity provider selected. The chosen method needs to be subject to a risk assessment to ensure that it matches the requirements of the organisation.
Think Alternatively to Lower Your Risk
Organisations need to carefully balance the risks associated with their services against their customers’ experience of using them. Passwords are no longer appropriate as a single factor for authenticating customers to high-risk information or systems, and their unsuitability will only increase as attack technologies and techniques become more advanced.
New initiatives promise to make authentication easier, and organisations have an increasingly wide range of identity providers to choose from. Emerging technologies also show promise. ‘Something you do’ (behavioural) factors and risk-based authentication could open the door to continuous authentication that happens in the background. The step-up approach allows organisations to provide additional security for sensitive information and applications while minimising the impact on the customer experience.
Together, these developments allow organisations to improve security in a manner that is proportionate to their risk.
About the Author
Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.
This article is brought to you by Enex TestLab, content directors for CSO Australia.