10 CISOs Say Passwords are Failing and Must be Augmented or Supplanted
Ten CISOs from across industries weigh in on the effectiveness of passwords, with most predicting that the days are numbered for the password as the sole authentication method. They see enterprises moving to augment or supplant the traditional password with advanced technologies, such as biometrics.
Read their insights here:
Valley Health CISO
The days of the password serving as a viable method of identification are behind us. Two-factor authentication adds a layer of validation based on something the user has or knows, but these also can be compromised easily.
With technology advancing at such a rapid pace, we must create a frictionless world where we can move about and authenticate without a password that anyone can steal and use, or a token that could be lost or stolen.
Biometric technology is becoming the authentication tool of choice for many enterprises because the focus is on “something you are” versus something you have or know. Biometric credentials are frictionless. You don’t leave them at home, they can’t get lost and it takes a considerable amount of effort to replicate them.
Technology has advanced so that the infrastructure to support multi-factor biometric scanning (you must present a matching fingerprint and retina scan, for example) has become a reasonable expense, and we will see adoption of this technology increase in the near future.
Aaron’s, Inc. CISO
Passwords are about as sexy as locking the front door of your house before you leave for work; however, that being said, both are still a rudimentary and necessary instrument of security.
Just like the locks on our front doors can’t stop a determined burglar or home invader 100% of the time, we continue to invest in door locks and alarms to protect our property. Quite similarly, just because thousands of doors continue to be kicked in even when the lock is activated, we don’t decide to stop locking our doors. The lock is simply part of a layered defense model necessary to ensure our safety and secure things of value. Passwords are exactly the same.
Will the password technology improve and simplify? Of course. Will door locks become better with enhanced doorframes and overall improved door architecture? Certainly.
Just as we look to improve securing our physical world, personal safety and valuables we must look to improve our cyber security, privacy and peace of mind. This doesn’t mean that we discount and eliminate current methods. It simply means we use them as part of the defense layer while we enhance and fortify them.
When used correctly and fortified with other technology (two-factor, biometrics, etc.), passwords can still be an effective layer of defense, yet we should continue to innovate in the area of authentication.
Live Nation Entertainment CISO
The death of passwords as we know them today is probably overstating it – for better or worse, I think we’ll be using passwords for a long time to come. However, what can’t be disputed is the steady decline in how effective the traditional password is for securing systems.
The problem is that we as an industry haven’t come up with anything better. For the past 15 years, “next-gen” authentication mechanisms have basically taken on some variant of a one-time code (via token, app or SMS) to supplement “something you know,” or biometrics, or something more obscure. These might be OK for tactical, specific use, but as a paradigm-changing fundamental way to access systems, it’s not there yet.
Fairfax County CISO
As much as C-level executives would like to eliminate the use of passwords altogether, the reality is this is not happening. In an effort to improve the technology, several industry giants propose having one-time passwords “sent” to a device or devices the user chooses.
However, should the app time out or the user log out, the process must be repeated, causing a cumbersome user experience. Although this option is better than not having a password at all, it still leaves an approved device at risk for “a man-in-the-middle attack” if the device itself is stolen or compromised.
Yes, this sounds like the Old Fashioned Security Chief always citing the worst-case scenario, always crying wolf, but we are the wall that every C-suite needs to ensure that all possible solutions, scenarios and risks are considered. To maintain the security of passwords, a two-factor authentication solution should also be deployed with any and all access, IDM control solutions.
I am not against this “new” approach, but I believe that thorough research and pilot programs to test such solutions should be engaged prior to a full rip and replace. I am and always will be a firm believer that credentials and passwords are the keys to our kingdoms. Securing those keys is everyone’s responsibility.
ConocoPhillips Director of Global Information Protection and Assurance
Passwords are as useful as floppy disks just before their extinction, but to date, we have yet to find a viable solution to replace them.
Despite industry-wide efforts to reinforce this method of authentication and the number of methods available to encrypt and store passwords, the fact remains that creating good passwords – and safeguarding them – is as difficult as rocket science.
It is imperative that security practitioners continue to innovate and work toward developing new methods of authentication. However, until an innovative solution is created, we must focus on educating and motivating users to adopt solid security practices.
John J. Masserini, MIAX Options CSO
Believe it or not, security people hate passwords more than the users do. Passwords are an antiquated technology, and yet they are the foundation of every security program in existence.
No matter how much ‘new cool tech’ security executives incorporate into their programs, the reality is, we still rely on a 1960s technology to provide the most fundamental control in the enterprise.
As an industry, we need to develop a viable solution for user credentials that doesn't involve lengthy, complex character strings that have to be remembered by the user and get rid of passwords once and for all.
With the continued adoption of Radio-frequency Identification (RFID) and Near Field Communications (NFC), along with the implementation of the fingerprint readers in portable consumer devices, we now have a way to have a fairly high level of confidence that the person logging in is who they say they are.
This ‘something you have and something you are’ model, combined with a solid Adaptive Authentication solution, may finally be the demise of the much-maligned password.
Zuora VP and CSO
Weak passwords top the list of the most common reasons for data breaches. It’s obvious that service providers cannot just rely on consumers to select strong passwords, but many continue to do so.
Service providers can help themselves by supporting stronger authentication, such as multi-factor or biometric authentication. The identification and authentication system must be risk-based, i.e., using consumer activity patterns to determine abnormal behavior and potential account compromise.
Some factors that contribute towards risk-based authentication are:
- Device used by the consumer: If the login happens from a different device than the ones the consumer usually uses, the risk of compromise is marked higher.
- Geo-location: If the login is attempted from a different time zone or geo-location, the risk level should increase.
- Usage Patterns: Risk can be determined by sudden abnormal activity such as spikes in usage when compared against a baseline of the consumer’s regular usage pattern.
A good security system will monitor these simple factors and be able to trigger alerts at both the business and consumer ends.
With each newly announced data breach, most enterprises have done little to eliminate passwords as the primary method of authenticating individuals.
Technologies like multi-factor authentication and smart cards have been available for years, but do not have the frictionless ease of use that is required for large-scale consumer adoption. They rely on binary controls that are ineffective if the credentials are harvested by criminals.
Next generation technologies, capabilities that can truly eliminate the use of passwords, can and will reduce risk and improve the user experience. Adaptive cognitive and behavioral techniques combined with a risk engine represent the future of authentication for all industries.
Real-time data points, such as finger swipe speed and pressure on a mobile device screen or typing cadence on a keyboard, can uniquely identify individuals without interruption. Observations of past interactions, such as geolocation or repeated transaction types, build a pattern of your typical behavior.
A robust authentication system has many layers of such inputs that all feed into a risk analysis engine informing applications on how much functionality to provide. Any single authentication attribute by itself is not sufficient to permit access. Applying risk analytics to all of the attributes in combination is the real solution to eliminating passwords.
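The risk-based factors the Zuora CSO lists above (device, geo-location, usage pattern) and the layered risk engine described in the section just above (behavioural signals such as typing cadence all feeding one risk analysis that tells the application how much to allow) can be shown together as a small scorer. The following Python is an added example written for this page; it is not code from the article or from any of the organisations quoted. The signal names and weights, the 30/60 step-up and deny thresholds, the "3x the daily baseline" usage rule, the "40% cadence drift" rule, and the consumer baseline and login events are all constructed assumptions.

```python
# Added example, not from the article: a minimal risk-based authentication
# scorer combining the signals described above (device, geo-location, usage
# pattern, typing cadence) into one score and a decision. Weights, thresholds
# and all sample data are constructed assumptions.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Baseline:
    """What the system has learned about one consumer's normal behaviour."""
    known_devices: Set[str]
    usual_countries: Set[str]
    usual_tz_offsets: Set[int]   # UTC offsets (hours) seen in past logins
    avg_logins_per_day: float
    typing_cadence_ms: float     # mean interval between keystrokes


@dataclass
class LoginEvent:
    """Observations collected during one login attempt."""
    device_id: str
    country: str
    tz_offset: int
    logins_today: int            # including this attempt
    typing_cadence_ms: float


# Relative weight of each risk signal (assumed values; tune per deployment).
WEIGHTS: Dict[str, int] = {
    "new_device": 30,
    "new_country": 35,
    "tz_shift": 15,
    "usage_spike": 20,
    "cadence_drift": 25,
}
STEP_UP_THRESHOLD = 30   # at or above: demand a second factor
DENY_THRESHOLD = 60      # at or above: refuse and alert the business


def score_login(baseline: Baseline, event: LoginEvent) -> Tuple[int, List[str]]:
    """Return (risk score capped at 100, list of signals that fired)."""
    fired: List[str] = []
    if event.device_id not in baseline.known_devices:
        fired.append("new_device")
    if event.country not in baseline.usual_countries:
        fired.append("new_country")
    if event.tz_offset not in baseline.usual_tz_offsets:
        fired.append("tz_shift")
    # Usage spike: more than 3x the daily baseline, with a floor of one login
    # so a consumer with an almost-zero baseline is not flagged on sight.
    if event.logins_today > 3 * max(baseline.avg_logins_per_day, 1.0):
        fired.append("usage_spike")
    # Behavioural drift: typing cadence more than 40% away from the learned mean.
    if baseline.typing_cadence_ms > 0:
        drift = abs(event.typing_cadence_ms - baseline.typing_cadence_ms)
        if drift / baseline.typing_cadence_ms > 0.4:
            fired.append("cadence_drift")
    return min(100, sum(WEIGHTS[s] for s in fired)), fired


def decide(score: int) -> str:
    """Map a score to 'allow', 'step_up' (second factor required) or 'deny'."""
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


def evaluate(baseline: Baseline, event: LoginEvent) -> Dict[str, object]:
    """Score one attempt and say who should be alerted about it."""
    score, fired = score_login(baseline, event)
    decision = decide(score)
    return {
        "score": score,
        "signals": fired,
        "decision": decision,
        "notify_consumer": decision != "allow",   # any added friction
        "notify_business": decision == "deny",    # fraud / SOC review
    }


# Constructed sample baseline for a fictional consumer (not real data).
ALICE = Baseline(
    known_devices={"laptop-a1", "phone-a2"},
    usual_countries={"US"},
    usual_tz_offsets={-5, -4},
    avg_logins_per_day=2.0,
    typing_cadence_ms=180.0,
)

if __name__ == "__main__":
    samples = [
        ("normal", LoginEvent("laptop-a1", "US", -5, 2, 175.0)),
        ("new_device", LoginEvent("tablet-zz", "US", -5, 2, 185.0)),
        ("travel_new_device", LoginEvent("tablet-zz", "RO", 3, 2, 185.0)),
        ("bot_like", LoginEvent("laptop-a1", "US", -5, 40, 30.0)),
    ]
    for name, ev in samples:
        print(f"{name:18s} {evaluate(ALICE, ev)}")
```

Running the block shows the property both sections argue for: no single signal is enough to decide. A new device alone scores 30 and only adds a second-factor prompt; a new device plus an unfamiliar country and time zone scores 80 and is refused with the business notified; an unusual burst of logins typed at an unfamiliar cadence scores 45 and is stepped up even though the device and location are normal. In a real deployment the weights and thresholds would be fitted to the provider's own telemetry rather than hand-picked as here.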
Barnabas Health CISO
Passwords are a growing target of hackers who are continually advancing their techniques, from phishing onwards, to crack them. It would be negligent to rely solely on passwords, which often is the case, as the only authentication source.
A vast range of security controls must be instituted. This includes two-factor authentication, which, at a minimum, is essential for remote access and privileged account security. Organizations should establish holistic and measurable programs that can scale with their security and privacy needs.
Molson Coors CISO
Standard multi-use passwords, the ones we use on a daily basis for almost everything in our lives, are archaic and ineffective at achieving their goal of proving one’s identity.
Passwords are penetrable because they are derived from human nature and most humans take the path of least resistance. Selecting whatever is easiest to create and remember makes for weak, easy-to-crack passwords, which leaves information vulnerable.
One-time-use passwords or two-factor authentication make passwords more effective; however, the more secure methods of authentication require something that cannot be duplicated, guessed, or stolen, etc.
Biometrics or multi-leveled, behavioral-based techniques will improve the future of authentication, but managing appropriate levels of access is also critical to data protection because at the end of the day, the bad actors will continue to find ways to steal the information you are protecting if they want it badly enough.
Information and the credentials needed to access information are valuable and where there is a will there is always a way.