World Password Day has been observed on the first Thursday of May since 2013. If Forrester Research analyst Andras Cser has his wish, today will be the last time.
“Passwords should be dead by now,” he said in an interview.
There’s a good reason why, points out Jo-Ann Smith, chief information security officer at Long View Systems, a Calgary-based solutions provider: In the last two years, 85 per cent of the known confirmed cyberattacks or breaches started with stolen credentials.
This is why a large number of organizations around the world are moving towards eliminating the internal use of passwords, thanks to technologies like multifactor authentication, fingerprint readers, facial recognition capabilities built into operating systems, and software and hardware tokens.
According to Forrester, 65 per cent of 1,129 security decision-makers surveyed last year said they are adopting passwordless solutions, with another 13 per cent saying they are planning to adopt. However, 19 per cent said they aren’t moving on it yet.
A separate survey last year suggested many organizations had their passwordless solutions running for less than three months. Many others are in trials or in proof-of-concept stages.
For many organizations, the move is a struggle — or, at least, a journey. Take Long View Systems, for example. “We’re looking to eliminate password-based attacks and reduce the threat landscape on our environment,” Smith said in an interview. “We internally haven’t fully implemented it for a variety of reasons — and many clients have the same challenges. Usually that’s related to legacy systems or a level of complexity for authentication is required for a host system that can’t use some of the modern technology.”
“At its core,” she added, “it’s what your user base will accept. There are users that don’t want to use or share their personal biometrics for authentication. So if you have a large user base like that you’re going to run into problems.”
“The second part is whether the [IT] foundational configuration can be used against administrative or privileged accounts.”
Passwordless authentication, she pointed out, is based on something you have (for example, a smartphone, software/hardware), something you are (a biometric like fingerprint or face) and something you know (usually a PIN number, an alphanumeric that is much shorter than a usual password or a complex finger swipe).
“The key thing to understand is, are those three components towards passwordless authentication going to be acceptable in your user and business landscape? If not, you’re going to run into problems and then you’ll have partial implementation and some people still with passwords.”
On this point, Cser notes, it may be easier for organizations to move to passwordless solutions among employees — where management can insist on passwordless technology being adopted — than with customers, who may move to another company if they don’t like the user experience.
“We’ve had partial success,” said Smith, “(but) we haven’t fully figured this out for ourselves. We’re on a bit of a journey” But. she said, the move to passwordless at Long View is tied to the movement to a zero-trust architecture.
“Passwordless authentication doesn’t really include the [application] authorization component,” she added. “It’s just the front part. And most organizations have so many legacy systems they can’t tie the biometric part to authentication unless they build a separate infrastructure and hand it off to a customized API. Most places won’t do that because it’s expensive to build and sustain.”
Passwords haven’t died because users are familiar with them, said Cser, who is vice-president and principal analyst for Forrester’s security and risk management practice — and password systems are inexpensive to implement. “Longer term,” though, “they’re expensive because of all the security problems.”
It would help, he said, if key institutions like service providers, e-commerce providers and banks mandate the use of passwordless solutions.
Most of the roadblocks to the adoption of passwordless solutions are related to users, he said. Often they need to have a smartphone capable of handling multifactor authentication codes either through apps or text messages. That’s an obstacle to those who can’t afford a mobile device. It doesn’t help that many countries — including Canada and the U.S. — don’t have a mandated multifactor authentication standard. Payment service providers in the European Economic Area have to follow the PSD2 standard for strong authentication of users, he pointed out, meaning consumers there are more familiar with MFA than in other countries.
His advice to CISOs on implementing passwordless authentication: “Do it yesterday. Pick an application for consumers that has a lot of traffic and just transition. For employees, turn on two-factor authentication, and then once you have that, use a QR code or something for one-time password delivery for biometric-based authentication. Then you can move away from passwords when you have that second or third-factor authenticator working.”
Make sure the transition doesn’t cause outages or customer friction, he added. And always involve the help desk, “because they are the people who solve the problems that passwordless implementation may cause. Phones will ring.”
Smith’s advice to CISOs: “Be patient. If you don’t pursue it and do the analysis against 100 per cent of your infrastructure to understand the gap where you could not implement passwordless authentication, you’re never going to get there.
“The approach I’m taking is the one I recommend to other people: Start to utilize components of it, become familiar and experienced with it and understand where it fits into your technology ecosystem and where it doesn’t. Because where it doesn’t fit in is with legacy systems. So as you replace those, your gap gets smaller and your ability to implement improves.”