Password creation seldom benefits from humanity's creative powers.
Time and time again, users set easy, obvious passwords— no matter how much the IT department preaches and pleads. Just look at the the infamous 2015 Ashley Madison hack. The top 100 most common passwords included "password," "DEFAULT," and "abc123." More than 200,000 users out there riffed on strings of numbers, 1-9, and thought it was a good idea.
And even when passwords are long, random, and riddled with numbers, letters, and symbols, they can still be cracked.
In the business world, where intrusions from hackers are just about expected, the stakes are costly and unpleasant, not only in terms of money but reputation. IBM research found that the average cost of a data breach in 2015 was $3.8 million.
"Organizations are now measured on how quickly they can detect a breach, and how quickly they can remediate and remove the attacker from their environment," said Keith Graham, CTO of identity and access firm SecureAuth.
Passwords aren't a high enough wall between cybercriminals and precious data, and certainly not a deep enough layer of protection.
There are a few schools of thought out there about the future of passwords. Some encourage passwords as one security layer of several, some would get rid of them altogether. The consensus from a recent roundup of 10 prominent chief information security officers speaking on the topic, from Security Current, was just that: Passwords must be augmented or supplanted whether through biometrics, multi-factor authentication, or other techniques.
Or, if you ask Graham, adaptive authentication.
"Adaptive authentication involves evaluating risk around the login process before the user even authenticates so that the system only steps up, or outright denies, the authentication when it deems a logon as a risk. Hence, it adapts to a user's profile based on the threat it perceives that person poses," he said.
TechRepublic spoke with Graham via email about the inherent weakness of passwords, adaptive authentication, and effective risk profiles.
TechRepublic: The cybersecurity reports are bleak and the consensus from your recent survey is that passwords don't work. What are the viable alternatives to legacy password approaches?
Keith Graham: As anyone who has paid attention to the last few years of high profile breaches knows, more than a few of those attacks exploited compromised passwords—where an attacker has used Malware, or some other zero day exploit to gain a foothold in order to steal the passwords in the first place. While passwords don't always lead to breaches, they don't always prevent them, either. In today's world, that's just not good enough.
Outside of the very dated, very unwise passwords only approach, adaptive and multi-factor authentication should be considered mandatory measures.
Multi-factor authentication is an industry way of describing additional methods used to validate someone's identity beyond just the standard username and password route. These methods may include sending additional passcodes via text messages, email, or by using hardware tokens that generate time-based one-time passwords.
TechRepublic: How does adaptive authentication work?
Keith Graham: Adaptive authentication takes a group of variables and develops a risk score based on rules set by the security team. Each request is evaluated and put through a series of checks until they are either granted or denied access. Techniques for risk scoring may include:
- Device recognition: Has this device been used before? And if not, force a device registration process.
- IP reputation: Is the IP address requesting access associated with a known botnet, tor network, or nation state?
- Identity Store lookup: What level of authorization is the account normally allowed? Is this an admin account?
- Geo-location & Geo-velocity: Is the user logging in from a known previous location such as an office network, and if not, could the user have traveled to the new location at a reasonable speed?
A hypothetical use case might be: The owner of an internet banking application adds the capability to spot unauthorized access to a customer's online account by recognizing the behavioral biometric interactions of the user while they are typing or moving the mouse. Upon the discovery of any irregular behavior, the internet banking application will prompt the user for a second factor of authentication. If the user is unable to provide the second factor, they will be prevented from accessing the account any further.
TechRepublic: What are the security benefits of using adaptive authentication?
Keith Graham: Both the security benefits and business benefits of using adaptive authentication are considerable. Let's start with the latter. Adaptive authentication can be tailored to each organization's needs, the employees' tolerance, and to regulatory requirements. These are all pretty important variables to consider, right? Ultimately, one of the end goals with adaptive authentication is to foster a user-friendly and convenient environment, not one that forces an employee to jump through hoops.
When it comes to security, adaptive authentication is just as powerful as multi-factor authentication—with the added benefit that it allows low risk users to easily log on to their corporate applications in a matter of seconds without even knowing they are undergoing a form of risk analysis. On the other hand, if an attacker gets a hold of compromised credentials, it gives the security team a chance at stopping or slowing down the attacker because they will have a higher risk score, which will trigger a second factor check.
TechRepublic: What's the importance of having an effective risk profile in the current threat landscape?
Keith Graham: Understanding a user's risk profile can help companies save time, money and headache in the long run. While traditionally organizations have focused on keeping attackers out of the network and protecting the perimeter, organizations are slowly learning that it's impossible to prevent every attack. Nowadays, most companies have acknowledged bad actors will probably be in their network eventually, which shifts the focus to stopping them from stealing proprietary data. This is where risk profile comes in. It helps indicate to companies whether a user poses a threat, and to what degree of threat they pose.
- Five handy tools for dealing with passwords (TechRepublic)
- Is it time to replace passwords with passthoughts? (TechRepublic)
- The 15 most frightening data breaches (TechRepublic)
- 10 legal aspects of data breaches lawyers urge you to abide (TechRepublic)
Brian will do client work for AtTask.
Brian Taylor is a contributing writer for TechRepublic. He covers the tech trends, solutions, risks, and research that IT leaders need to know about, from startups to the enterprise. Technology is creating a new world, and he loves to report on it.