It’s time to ditch the password – and start to appreciate the evolving needs of enterprises
Today, May 3, is World Password Day. It’s a ‘celebration’ to promote better password habits. We’ve long viewed the password as a critical gatekeeper to our digital identities, safeguarding our online shopping, banking, social media, sensitive data, and business communications.
But has the password had its day? Best practice recommends complex passwords that combine upper and lower case letters, symbols and numbers in a random order. The password should be at least 8 characters long, with many organisations recommending even more.
The problem, as we all know, is that increasing password complexity reduces usability and only encourages the user to write the password on a Post-It note to remember it. Security without usability is no security at all. Putting five locks on my front door doesn’t help me if I keep losing my house key.
The myth of password security
Malicious hackers certainly aren’t slouches. Today they find it relatively easy to build extremely powerful and fast password cracking tools that run through tens of millions of possible password combinations in a second.
This would be less of a problem if the many service providers that hold sensitive data could protect this information. But this is clearly not the case. Time and again we see serious security lapses that expose reams of sensitive data.
As we move into the mobile world, the problem of password security is even trickier. According to online portal Statista, almost three billion people globally will be using smartphones by 2020. A significant portion will be at the enterprise level. In the business world the smartphone’s compelling combination of functionality, convenience and connectivity makes it an almost perfect platform for business productivity, hence the widespread adoption.
But both practicality and security are problematic. Mobile devices don’t have full-sized keyboards, so entering long and complex passwords is frustrating for the average enterprise user. As if this weren’t enough, these passwords typically have to be entered many times a day.
Biometrics are paving the way to the future
There are several ways to address the issue of password complexity and insecurity. One is biometric authentication. It stops hackers, safeguards devices, protects sensitive data and is incredibly easy to use.
Biometric authentication, which includes fingerprint, face, iris and voice recognition, is a highly accurate and reliable method of verifying identity. Following Apple’s introduction of fingerprint biometric authentication for iPhones in 2013, I have long expected biometrics to become the primary mechanism for authentication to mobile devices and applications.
It makes business sense to adopt biometrics in the enterprise to replace the increasingly impractical password. Many businesses are already beginning to realise how they can benefit from biometric technologies by reducing costs, improving security, and enhancing operations.
Layered security is always better security
Before the advent of mobile biometrics, the key trade-off for authentication was that stronger passwords resulted in user frustration. In financial services, for example, many organisations settled for weaker passwords than they would ideally like simply to encourage device adoption. But the weaker password also decreased encryption strength and made brute-force attacks easier.
With fingerprint authentication, IT can adopt stronger passwords again if they want to. For instance, multiple failed attempts at fingerprint authentication suggest a device has been stolen or lost. In this case IT can set a strong password for access after a predetermined number of failed fingerprint access attempts. This layered security model is good for the user and the company.
At MobileIron, if fingerprint access fails a certain number of times the user is presented with a password screen set by the MobileIron password policy.
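The layered model described above, fingerprint first and a policy-set strong password once too many fingerprint attempts have failed, as an added example. This is illustrative code, not MobileIron's implementation; the failure threshold of three, the password rules enforced on the fallback password, and the idea of feeding the sensor result in as a plain boolean are all assumptions.

```python
"""Layered unlock policy: fingerprint first, strong password required after repeated failures.

Added example, not MobileIron's code. The failure threshold, the password rules and
the way the sensor result is fed in (a plain boolean) are assumptions for illustration.
"""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field

PBKDF2_ITERATIONS = 200_000  # assumed work factor for the stored fallback password


def meets_password_policy(password: str, min_length: int = 8) -> bool:
    """Upper, lower, digit and symbol, at least min_length characters (the article's rule)."""
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation]
    return len(password) >= min_length and all(any(c in cls for c in password) for cls in classes)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the fallback password is never stored in the clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class UnlockPolicy:
    password_hash: bytes
    salt: bytes
    max_biometric_failures: int = 3    # assumed policy value
    biometric_failures: int = 0
    biometric_locked: bool = False
    audit_log: list = field(default_factory=list)

    @classmethod
    def from_password(cls, password: str, max_biometric_failures: int = 3) -> "UnlockPolicy":
        if not meets_password_policy(password):
            raise ValueError("fallback password does not meet policy")
        salt = os.urandom(16)
        return cls(password_hash=hash_password(password, salt), salt=salt,
                   max_biometric_failures=max_biometric_failures)

    def try_biometric(self, sensor_matched: bool) -> str:
        """One fingerprint attempt. Returns 'unlocked', 'retry' or 'password_required'."""
        if self.biometric_locked:
            # Once locked, a matching finger is no longer enough on its own.
            self.audit_log.append("biometric_ignored_while_locked")
            return "password_required"
        if sensor_matched:
            self.biometric_failures = 0
            self.audit_log.append("biometric_ok")
            return "unlocked"
        self.biometric_failures += 1
        self.audit_log.append("biometric_fail")
        if self.biometric_failures >= self.max_biometric_failures:
            # Too many misses: treat the device as possibly lost or stolen and
            # insist on the policy-set password from here on.
            self.biometric_locked = True
            self.audit_log.append("biometric_locked")
            return "password_required"
        return "retry"

    def try_password(self, password: str) -> str:
        """Fallback path. A correct password re-enables fingerprint unlock."""
        candidate = hash_password(password, self.salt)
        if hmac.compare_digest(candidate, self.password_hash):
            self.biometric_failures = 0
            self.biometric_locked = False
            self.audit_log.append("password_ok")
            return "unlocked"
        self.audit_log.append("password_fail")
        return "password_required"
```

The point of the `audit_log` is that a run of `biometric_fail` entries followed by `biometric_locked` is exactly the signal IT would want surfaced for a possibly lost or stolen device, while a later `password_ok` shows the legitimate owner recovered it. The lock is only cleared by the password path, never by the sensor, so the counter cannot be reset by simply trying again.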
A further compelling argument for biometric adoption is that it meets the three essential requirements for successful authentication: it works all the time, it’s exceptionally difficult to spoof, and it is extremely easy to use. Let’s not forget the mobile era is all about the end user, and if employees can’t easily access their devices then productivity and morale plummet.
Implementing a new trust model
The goal of user authentication is to establish user trust. Should this person have access to this data? Moving beyond the password to biometrics makes user trust more reliable and easier.
But there is more … you also need to make sure you can trust the app and the device the individual is using. And if user, device, and app all pass the trust litmus test, you want security to be absolutely invisible to the individual.
This is why single sign-on (SSO) is so important. Once trust is established the individual should not have to use either passwords or biometrics to get access to apps and data.
When a device is registered and trust is established, an identity certificate is used for authentication and to generate a single sign-on token for the app or cloud service.
If a user attempts to access cloud services via a non-compliant device or insecure app they are presented with a remediation screen that walks them through the steps required to properly secure their devices and apps. Helpdesk intervention is not required.
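The trust model in the last few paragraphs, user, device and app all checked before a single sign-on token is issued and a remediation screen returned otherwise, as an added example. This is not MobileIron's code: the compliance checks, the minimum OS version, the remediation wording and the HMAC-signed token (standing in for a token derived from the device's identity certificate) are assumptions chosen for illustration.

```python
"""Trust model for single sign-on: user, device and app must all pass before a token is issued.

Added example, not MobileIron's code. The compliance checks, the minimum OS version,
the remediation text and the HMAC-signed token (standing in for a token derived from
the device's identity certificate) are all assumptions made for illustration.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

MIN_OS_VERSION = (11, 0)      # assumed policy floor
TOKEN_TTL_SECONDS = 3600      # assumed token lifetime


@dataclass
class Device:
    device_id: str
    registered: bool       # enrolled with the enterprise and holding an identity certificate
    os_version: tuple
    encrypted: bool
    compromised: bool      # jailbroken / rooted


@dataclass
class App:
    bundle_id: str
    managed: bool          # installed and configured through the enterprise


@dataclass
class UserSession:
    user: str
    authenticated: bool    # fingerprint or fallback password already succeeded


def remediation_steps(session: UserSession, device: Device, app: App) -> list:
    """Return the steps a user must complete before access is granted.

    An empty list means user, device and app all passed the trust checks.
    """
    steps = []
    if not session.authenticated:
        steps.append("Unlock the device with your fingerprint or device password")
    if not device.registered:
        steps.append("Register this device with the enterprise before continuing")
    if device.compromised:
        steps.append("This device appears jailbroken or rooted; restore it to a supported state")
    if not device.encrypted:
        steps.append("Turn on device encryption in Settings")
    if device.os_version < MIN_OS_VERSION:
        wanted = ".".join(str(p) for p in MIN_OS_VERSION)
        steps.append(f"Update the operating system to version {wanted} or later")
    if not app.managed:
        steps.append(f"Install the managed version of {app.bundle_id} from the enterprise app store")
    return steps


def _b64(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _unb64(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def issue_sso_token(session: UserSession, device: Device, app: App,
                    signing_key: bytes, now: Optional[int] = None) -> dict:
    """Either issue a signed SSO token or return the remediation screen content."""
    steps = remediation_steps(session, device, app)
    if steps:
        return {"status": "remediate", "steps": steps}
    now = int(time.time()) if now is None else now
    claims = {"sub": session.user, "dev": device.device_id, "app": app.bundle_id,
              "iat": now, "exp": now + TOKEN_TTL_SECONDS}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(signing_key, body, hashlib.sha256).digest()
    return {"status": "ok", "token": (body + b"." + _b64(sig)).decode()}


def verify_sso_token(token: str, signing_key: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        body, sig = token.encode().split(b".")
        presented = _unb64(sig)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(signing_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(presented, expected):
        return None
    claims = json.loads(_unb64(body))
    now = int(time.time()) if now is None else now
    if now >= claims["exp"]:
        return None
    return claims
```

`remediation_steps` is deliberately separate from token issuance so the same list can be rendered as the self-service remediation screen the article describes; nothing is issued until it comes back empty. The token binds user, device and app together and carries an expiry, so a relying service can verify it with `verify_sso_token` without asking the user for anything further.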
IT gets the security it needs and employees get simple and secure access.
This is the model for modern security: establish trust and then get out of the way. The best security is always simple security. This is why biometrics and single sign-on are so critical for the post-password world.