Static passwords have had their heyday – a different approach is needed when it comes to improving user security

Ever since I started keeping regular tabs on website data breaches in 2012, there has been a rising crescendo of screams, as one system administrator after another falls victim to a call from the media.

There’s nothing quite as disconcerting as when your phone starts ringing off the wall first thing in the morning with reporters wanting to talk to you about a data breach.

You’ve not even had time to finish your morning coffee and your brain is desperately trying to process the words that are coming through the receiver.

Then you open a web browser or social media site to see the news that you have apparently been breached. Having lived this experience once in my career, I can safely say that this is nothing to wish upon an IT team. It was simply an awful experience.

So this raises the question: where do we go from here? Static passwords are the stock-in-trade of so many security folks, and it really has come to the point where we need to stop discussing the breaches and look for a way to fix the problem.

The first thing that comes to mind is the use of two-factor authentication, or 2FA. In its most common form, a website uses your mobile number to send you a numeric code, which you enter in addition to your username and password.

The problem here is that there is a better-than-zero chance that your cell phone number will be shared with other parties or used for marketing purposes. Worse still, an attacker can tamper with the exchange via a man-in-the-middle attack to surreptitiously gain access to your account.

But all is not lost. 2FA is a form of multi-factor authentication, or MFA, and when done properly it is very effective.

When a user is trying to log in to an application, they should be using a 2FA approach that is based on contextual access policies. Having users utilize their mobile devices to manage these access requests helps reduce the risk of phishing-related attacks that attempt to purloin passwords.

A more stringent option is to handle access to services with a ‘zero trust’ model. This ensures that only devices and users that are deemed trusted can access protected applications online.
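As an added illustration (not code from the original article), here is a minimal contextual access policy of the kind described above, in Python: the device must be enrolled and healthy before the user's factor is even considered, a static password alone is never enough, and an SMS code is only accepted in low-risk context. The factor names, device attributes and sensitivity thresholds are assumptions chosen for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum

class Factor(Enum):
    PASSWORD_ONLY = "password"   # static password, nothing else
    SMS_CODE = "sms"             # numeric code sent to a phone number
    PUSH_APPROVAL = "push"       # approval on an enrolled mobile device
    U2F_KEY = "u2f"              # universal second factor hardware key

class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"          # ask the user for a stronger factor
    DENY = "deny"

@dataclass(frozen=True)
class AccessContext:
    """Constructed request context; the attribute names are assumptions."""
    user: str
    device_enrolled: bool        # device is registered with the organisation
    device_healthy: bool         # passes posture checks (patched, screen lock, ...)
    factor: Factor               # second factor presented alongside the password
    known_location: bool         # network/geo seen before for this user
    app_sensitivity: int         # 1 (low) .. 3 (high)

def evaluate(ctx: AccessContext) -> tuple[Decision, str]:
    """Zero-trust style policy: both the device and the user must be trusted.
    Returns the decision plus a reason string suitable for an audit log."""
    # Device trust first: an unknown or unhealthy device never gets in,
    # regardless of how strong the user's factor is.
    if not ctx.device_enrolled:
        return Decision.DENY, "device not enrolled"
    if not ctx.device_healthy:
        return Decision.DENY, "device fails posture check"
    # A static password alone is never sufficient.
    if ctx.factor is Factor.PASSWORD_ONLY:
        return Decision.STEP_UP, "password alone is not sufficient"
    # The most sensitive apps require a phishing-resistant factor.
    if ctx.app_sensitivity >= 3 and ctx.factor is not Factor.U2F_KEY:
        return Decision.STEP_UP, "high-sensitivity app requires U2F"
    # SMS codes can be intercepted, so accept them only in low-risk context.
    if ctx.factor is Factor.SMS_CODE and (ctx.app_sensitivity >= 2 or not ctx.known_location):
        return Decision.STEP_UP, "SMS code too weak for this context"
    return Decision.ALLOW, f"{ctx.factor.value} accepted for {ctx.user}"
```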

Static passwords have done their time in service of protecting digital assets. The reality that is dawning is that it is time to move away from this notional attempt at securing devices and websites in favour of a better approach.

2FA and MFA are not simply an added layer for an enterprise. They are a way to reduce the footprint of an organization by forgoing the venerable DMZ, and when the zero trust approach is done well you can even forgo the VPN.

The hardest part of rolling out 2FA/MFA in your enterprise is the need to socialize it with the user base, who will need to transition from the use of static passwords to a modern way of handling authentication.

The future is here, and we need to do a better job of rolling the body of static passwords into the hole in the desert so that we can move to push notifications, universal second factor (U2F) and beyond.