Expert Article By: Nicolai Solling, Director of Technology Services at help AG
Passwords have long been used by enterprises to permit secure access to vital applications, data, systems and networks. This tried-and-tested form of authentication is still widely deployed as the first line of defense, protecting sensitive corporate data and applications from external threats. However, in today’s world, as the dependence on information technology grows exponentially, many corporations are now struggling to manage and store passwords securely for their employees.
One of the big issues with password management is that there are simply too many of them. Research has shown that at any given point of time, a single employee will be required to maintain an average of 15 different passwords within both the private and corporate spheres. The challenge of remembering this sheer volume of login credentials is exacerbated by rigid password policies which specify guidelines such as the use of lower and upper case characters, special characters and alphanumeric combinations. What this inadvertently promotes is the reuse of passwords across multiple applications, including social media websites, which have historically proven to be woefully insecure.
Furthermore, complex password policies often stipulate regular updates, which can make it difficult for users to remember their passwords. Resetting a forgotten password requires a call to the IT helpdesk. Statistics show that 35 to 50 percent of help desk calls are related to passwords, with a cost estimated between USD25 and USD50 per call. And this does not even account for the loss of productivity in the time that it takes to reset the password, which is itself a massive overhead.
Organizations have tried to remedy these problems through the use of Single Sign-On (SSO) solutions. By employing complex application integration, enterprises grant users access to all their systems with a single username/password combination. But this is limited by the complexity of the underlying systems and by compatibility issues.
More importantly, given that cyber criminals now have a number of sophisticated means to infiltrate systems and steal credentials, Single Sign-On (SSO) is no longer a viable authentication solution on its own. Organizations need to make long-term plans for replacing or supplementing password-based authentication with stronger forms of authentication.
Two Factor Authentication
This is seen as the next logical step in user authentication and is far more secure than password-based authentication. The basic principle followed by such systems is to grant access based on ‘something you know’, such as a username/password combination, and ‘something you have’.
The latter part of this requirement could be a one-time password (OTP) delivered in a text message or generated by a secure token system. What IT managers need to be aware of, however, is that the various forms of two-factor authentication are vastly different in their implementations and therefore differ in their performance. By understanding the vulnerabilities of each of these systems, decision makers can select the solution which best protects the organization.
The Pitfalls of Text Messaging Passwords
Providing an OTP via a text message may seem secure, but organizations need to consider that SMS is not an inherently secure channel. As SMS does not employ any form of encryption, it is very easy for hackers to use low-cost hardware to intercept these messages, extract the information from them and then gain access to the network by using it.
The cost associated with SMS services may mean organizations limit the number of authentication challenges. Furthermore, SMS-based token solutions are troublesome because, on certain mobile networks, SMS is a low-priority service and may sometimes arrive only with considerable latency, thereby making authentication impossible.
Token Based Authentication
A highly popular form of two-factor authentication, which has already seen usage by enterprises across the globe, has been the use of a dynamically generated token. This is by far the best form of authentication, but CIOs still need to pay close attention to how the tokens are distributed and managed. Currently, most well-established vendors provide hardware devices which generate tokens based on pre-loaded seed keys.
The problem with these systems, however, is that these seed keys are hardcoded into the devices at the time of manufacture and this information is managed by a third-party provider. As with any critical business application, entrusting such information to an outside source should immediately raise security concerns. This became all too apparent when hackers broke into the servers of security firm RSA and stole information linked to the company’s SecurID tokens, which are widely used to grant secure access to corporate networks and online bank accounts.
Furthermore, the token device itself entails a substantial overhead, and as the number of users increases, the cost of such an implementation skyrockets as well. Loss of the device could translate to loss of productivity, as there is inevitably a delay associated with procuring a new hardware device.
Advancements in Two-factor Authentication
The good news, however, is that there are now players in the market who offer two-factor authentication solutions which overcome both of these limitations. These solutions entrust the generation of seed keys to the organization itself, thereby removing the dependence on a third-party provider. Furthermore, software tokens can be generated on the employee's mobile device and through desktop applications, thereby bringing down implementation costs as well as easing distribution efforts.
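To make the token model concrete: the following added example (not code from the article or from any vendor product) shows a standard HOTP/TOTP software token whose seed key is generated in-house with the operating system's CSPRNG, so the secret never passes through a third party. Function names and the 30-second step are assumptions; the algorithm itself is RFC 4226/6238.

```python
"""Software OTP token (HOTP per RFC 4226, TOTP per RFC 6238) with an
organization-generated seed. Added example, not the article's own code."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def generate_seed(nbytes: int = 20) -> bytes:
    """The organization creates its own seed key from the OS CSPRNG.
    20 bytes matches the HMAC-SHA1 output length recommended by RFC 4226."""
    return secrets.token_bytes(nbytes)


def provisioning_secret(seed: bytes) -> str:
    """Base32 form of the seed, the format soft-token apps import (unpadded)."""
    return base64.b32encode(seed).decode().rstrip("=")


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation to a
    31-bit integer, then reduction to `digits` decimal digits (zero-padded)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at: Optional[int] = None, step: int = 30) -> str:
    """Token side: HOTP with the counter derived from Unix time // step."""
    now = int(time.time()) if at is None else at
    return hotp(seed, now // step)


def verify_totp(seed: bytes, submitted: str, at: Optional[int] = None,
                step: int = 30, window: int = 1) -> bool:
    """Server side: accept the current step and +/- `window` neighbouring
    steps to tolerate clock drift; compare in constant time so a timing
    difference does not leak how many digits matched."""
    if not submitted.isdigit():
        return False
    counter = (int(time.time()) if at is None else at) // step
    return any(hmac.compare_digest(hotp(seed, counter + d), submitted)
               for d in range(-window, window + 1))
```

The server stores only the seed and the last accepted counter; a token already accepted in a given step should be rejected on replay, which the caller must track.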
Organizations need to understand that investing in a secure architecture at the time of initial deployment can be far more cost-efficient than working security into the design at a later point. Username/password as the sole means of authentication is no longer a feasible solution, and smart businesses that adopt the latest technologies will see long-term benefits.