Passwords: Ending an era…

Passwords: Ending an era…

As I think back to “the old days” in the authentication world, we’ve come a long way; or have we?  In the early 90’s I ran a BBS, who knows what that is?  I required users to connect with a username and password of their choice.  Sounds like what we do today.  While login names and passwords have become increasingly complex the process has not changed.  Tell me, who you are and I will let you in!  This is a great strategy, actually it’s not.  There are millions if not billions of login credentials stolen annually and the majority of data breaches involve stolen credentials.  NY Times reports in August 2014 “Russian Hackers Amass Over a Billion Internet Passwords” and InformationWeek DarkReading reports in April 2014 “Stolen Passwords Used In Most Data Breaches”.  In the technology world we live in today, a username and password by itself is not enough, I repeat, a username and password by itself is not enough.  Have you been or known someone who’s been hacked?  We all do.  Simple steps can reduce the chances drastically for both businesses and personally.

  1. Use multi-factor authentication

    1. What is multi-factor authentication?  Wikipedia says; Multi-factor authentication (MFA) is a method of computer access control in which a user is only granted access after successfully presenting several separate pieces of evidence to an authentication mechanism - typically at least two of the following categories: knowledge (something they know); possession (something they have), and inherence (something they are).

    2. Many sites already offer multi-factor authentication.  Turn this feature on.  If you are a business owner add this to access your business resources.

      1. Banks – usually required

      2. Facebook – optional

      3. Google – optional

      4. Amazon – optional

    3. Reduce the complexity and time between password changes.

      1. Change the password requirements to be less complex and less characters required after adding addition factor to the authentication process.

      2. Reduce the frequency between password changes.  If the policy is currently 90 days perhaps 180 days is now acceptable after adding addition factor to the authentication process.

  2. Close access to resources not secured by multi-factor authentication

    1. Shutdown access from outside your network to resources inside your network which are not secured with multi-factor authentication.

    2. Provide a way to access those resources once inside a resource (virtual desktop, published application, etc) within the boundaries of your network.

That’s great Sean, but how do I accomplish the recommendations you have made?  To start with login to each of the sites you use and see if they offer multi-factor authentication.  Usually this will be something like; send me an email or text before allowing access.  If you are a business look at products like Duo, AuthAnvil, Azure, and others to add this functionally to your infrastructure.  The main idea is to determine what needs to be secured, then you can determine the best multi-factor product to secure it.

In conclusion, while all of these technologies have been in existence for many years the viability is now such all sizes of business should adopt.  The deployment of multi-factor products has simplified and with smartphones end user acceptance and adoption is very high.