Password Reset

Password Reset: Exploring Bold Alternatives to Access Business Assets

10/15/2021
Remote working increases vulnerability to breaches – step one to regain control is to reduce the chances of human error with innovative security

Since its inception, the Internet has brokered trillions of dollars in information, connections, and trade. As COVID-19 pushed the world into lockdown, businesses scrambled a response by transitioning to digital-first operations and prioritizing productivity. The rapid, imposed adoption of remote working left the field open for malicious actors, resulting in a calamitous rise in cybercrime, ransomware attacks, and data theft.

Of the four pillars of The Art of Smart, innovation holds the key to addressing cyber vulnerability, which has quickly emerged as one of the largest threats to businesses in 2021. The World Economic Forum (WEF) Global Risks Report 2020 forecasts that cybercrime will cost the world US$10.5 trillion annually by 2025. Follow the trail that led to a security breach, and more often than not, poor password hygiene shows up as the cause. The WEF estimates that 80 percent of data hacks happened because of weak or compromised credentials.

As the global digital transformation of private and public services continues en masse, businesses need accurate, secure authentication for their employees. The continued reliance on passwords as the primary source of identity and access management (IAM) creates fragility in the system. Larry Ponemon, the Chairman and Founder of the Ponemon Institute, a leading cybersecurity research organization, says: “A large percentage of attacks could be mitigated completely by alternative measures such as biometrics and educating employees about these new technologies.”

Technology offers one part of the solution. The other is design thinking – making security integral to the employee experience.

IAM is rapidly evolving from something we know, such as passwords and PINs, to something we have, such as system key fobs. Also evolving are security methods using biometrics such as thumbprints, and facial and voice recognition. With each evolution, the solution providers reduce friction, i.e., the number of steps employees need to take, when managing access.

Empowering employees with frictionless authentication

Such a tacked-on approach increases friction for employees trying to access company resources. Complexity in IAM only increases blindspots and vulnerabilities and causes employees to sidestep good security practices.

A study compiled by identity management and authentication expert Steve Brasen, Managing Research Director at Enterprise Management Associates (EMA), a US-based IT consulting firm, shows that policy violations and breach events were reduced when organizations used lower-friction IAM solutions.

He observes: “Though it sounds counterintuitive, the reasoning goes back to why passwords fail: when employees can access their work with fewer steps, they are more likely to champion cybersecurity and follow policy.”

Among the various methods of authentication, passwords and PINs continue to be the most utilized. Over the last year, as businesses combat increasingly complex attacks, their use as a single source for authentication has been in sharp decline.

For example, since Google introduced security keys internally, the company claims there haven’t been any successful phishing attacks against their employees. Aetna, an American insurer, saw a 98.4 percent decrease in account-takeover frauds by moving to biometric-based authentication. EMA reports that biometrics and hardware tokens are seen as the most secure methods. They also provided the biggest boost to productivity.

Intelligent authentication is contextual

In moving away from a password-based approach, businesses must focus on contextual and continuous identity management. “There is only one me, but I can be in different places,” says Adrian Asher, Chief Information Security Officer of Checkout.com, a global payment platform.

Adaptive measures can layer security based on the level of risk posed by the user, where they are, the software running in the background, and the data they are trying to access. For example, an employee marking their time off does not require the same security level as someone trying to access company financials or user data. Likewise, contextual systems understand that the accounts team accessing company financials is less risky than someone in customer service or HR. Similarly, if the Chief Financial Officer is accessing data from their office computer, several layers of security are unnecessary. However, the alarm may be raised if they look to access the sensitive data from a public WiFi network at the local coffee shop.

“Companies can begin by understanding what their most important assets are and choose verification methods accordingly,” Brasen suggests. Through contextual authentication, organizations can prioritize data security of assets at a granular level rather than the one-size-fits-all approach the industry has relied on so far.

“Most authentication is geared around session establishment,” Asher adds. “It needs to be ongoing.” Here, innovators are experimenting with behavioral analytics for authentication by continually assessing user patterns in the background. These include how a user holds their device, how quickly they typically type, the finger pressure while swiping, scrolling patterns and even gait.

Behavioral IAM has a distinct advantage over the currently available methods. Since these methods are passive and frictionless, they do not impede the users’ time or require technical know-how. Users may never have to see a login page, as digital trust is established behind the scenes. In the event of subtle anomalies and deviations, the system can invoke an additional layer, allowing for unintrusive, always-on verification. The opportunity for such behavioral authentication is only just kicking off. Among recent examples is the Italian wearables startup Deed. Their wristband provides contactless payment using continuous biometric verification through gesture recognition.
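The contextual scenarios above (marking time off versus opening financials, the accounts team versus customer service, the office network versus public WiFi) and the anomaly-triggered extra layer just described, as an added Python sketch of a risk-based step-up policy; this is illustrative code written for this page, not software from EMA, Checkout.com or Crowe, and the resource tiers, role entitlements, weights and thresholds are constructed assumptions.

```python
from dataclasses import dataclass

# Sensitivity tier per resource class (constructed values, not from the article).
RESOURCE_SENSITIVITY = {"timesheet": 1, "financials": 3, "customer_data": 3}

# Resources each role normally touches (constructed assumption).
ROLE_ENTITLEMENTS = {
    "accounts": {"timesheet", "financials"},
    "cfo": {"timesheet", "financials", "customer_data"},
    "customer_service": {"timesheet", "customer_data"},
    "hr": {"timesheet"},
}

# Risk added by the network the request arrives from (constructed weights).
NETWORK_RISK = {"corporate": 0, "home_vpn": 1, "public": 3}


@dataclass(frozen=True)
class AccessContext:
    role: str
    resource: str
    network: str            # "corporate", "home_vpn" or "public"
    device_managed: bool    # corporate-managed device with current software
    behavior_anomaly: bool  # continuous behavioral signal flagged a deviation


def risk_score(ctx: AccessContext) -> int:
    """Sum the risk contributions; a higher score demands more assurance."""
    # Unknown resources are treated as sensitive rather than silently low-risk.
    score = RESOURCE_SENSITIVITY.get(ctx.resource, 3)
    if ctx.resource not in ROLE_ENTITLEMENTS.get(ctx.role, set()):
        score += 2  # role does not normally access this resource
    score += NETWORK_RISK.get(ctx.network, 3)  # unknown network counts as public
    if not ctx.device_managed:
        score += 2
    if ctx.behavior_anomaly:
        score += 3  # mid-session deviation: invoke an additional layer
    return score


def required_assurance(ctx: AccessContext) -> str:
    """Map the score to an outcome: keep the session, step up, or deny."""
    score = risk_score(ctx)
    if score <= 3:
        return "session_only"    # existing session suffices, no prompt shown
    if score <= 7:
        return "step_up_mfa"     # ask for a phishing-resistant second factor
    return "deny_and_alert"      # block and raise an alert for review
```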

Studying contextual awareness in IAM, Brasen found that organizations using behavioral biometric solutions reported far fewer breach events, and that incidents of unauthorized users accessing business applications decreased by 74 percent.

However, at this time, biometrics and behavioral authentication are far from widespread in application. Their adoption has been hampered by upfront cost implications and privacy concerns. In the event of a data breach, a password is easily changed. On the other hand, stolen authentication data such as a fingerprint or eye scan is much harder to fix. As businesses consider the move away from passwords, these concerns will need addressing. Technology alone is never going to solve ever-evolving threats in a digital-first world. Multi-factor authentication with passphrases and soft tokens is going to be the reality for a while. For many businesses that would be a significant improvement over the current situation.

As businesses shift into a new era of work, however, a fundamental redesign of cybersecurity is needed. Such a culture shift must emphasize technology that works intuitively with people. By innovating solutions around sound design principles, continuous and contextual passwordless authentication is the first step to making the Internet safer.

[Graph not reproduced]

Source: Passwordless Authentication: Bridging the Gap Between High-Security and Low-Friction Identity Management, An Enterprise Management Associates Research Report

Myth-busting passwordless authentication

Myth 1: Hard to implement
The standardization offered by the FIDO2 Project – a joint effort between the FIDO Alliance and the World Wide Web Consortium (W3C) – makes it easy for identity management systems to implement passwordless authentication, such as biometrics, across devices.
Myth 2: Requires hardware upgrades
Most smartphones, laptops, and tablets today have the specifications needed to handle passwordless authentication tools.
Myth 3: Comes at a cost
People focus on the deployment cost of passwordless authentication instead of the total cost of management, maintenance cost, and business costs of system downtime. When viewed in aggregate, passwordless authentication is not prohibitively expensive. However, not implementing it is.
Myth 4: Frictionless authentication is less safe
When users can access their data efficiently, they are more likely to comply with security protocols instead of finding ways around them. This reduces overall cybersecurity risk.

Passwords: A Victim Of Bad Design?

Where did passwords go wrong? They forgot about humans.

Often repeated by IT professionals is the phrase: “Employees are the first line of defense against cyber threats.” Yet, password-based solutions fly in the face of how the human mind functions. IT mandates require a long string of uppercase and lowercase letters, numbers, and special characters; that passwords be changed quarterly; and that they be unique for every account. On average, office workers need to keep track of up to 40 username and password combinations. “Human brains were not built to retain that level of information,” says Steve Brasen, Managing Research Director at Enterprise Management Associates (EMA), a US-based IT consulting firm. Passwords are his nemesis.

It comes as little shock that employees circumvent these dictates. They use easily identifiable passwords. When required to change passwords, they rotate through a series of common ones. The password management solution NordPass found that a fifth of passwords used by employees of the Fortune 500 companies were a variation of the company name. For example, the huge SolarWinds breach in 2020 happened because a critical password was "solarwinds123" – created by an intern, according to executives at the American software company. More worryingly, even today, “password” remains a favorite across all the industries NordPass studied.

Passwords have become low-hanging fruit for hackers. Brute force attacks using password generators and credential stuffing with IDs bought off the dark web have become commonplace. Brasen says: “You can’t blame people for what is essentially bad design.”

There is broad consensus among security professionals that passwordless authentication is a more effective method of supporting users. Society’s insistence on password-based security is more a cognitive and habitual bias. “Passwords are so prevalent that people view websites without passwords as being less secure,” says Larry Ponemon, the Chairman and Founder of the Ponemon Institute, a leading cybersecurity research organization.

The Ponemon Institute’s Cost of a Data Breach 2020 report projects an average total cost of US$3.86 million to businesses. In addition to revenue loss from system downtime and reputational damage, businesses face expenditure from detection, investigation, crisis management, communication with affected customers, legal, and regulatory fines. Beyond the security vulnerability they create, passwords are expensive to run: a Forrester report from 2018 calculated that large organizations spend close to US$1 million per annum on password management and related infrastructure and support.

It could be argued: that’s a lot of money to spend on a decrepit technology long past its sell-by date.

“Most authentication is geared around session establishment – but it needs to be ongoing.”
Adrian Asher, Chief Information Security Officer, Checkout.com

Viewpoints from Crowe

Mike Del Giudice, Consulting Principal, Crowe LLP

In recent years, the understanding of what makes a password most secure has transitioned from the complexity of the password to its length, or pass phrases. However, weak passwords continue to be a target of attackers and a common vulnerability in attacks.

The criticality of password security, specifically the use of multi-factor authentication (MFA), has become more of a focus as organizations have supported a more robust remote working capability during the pandemic. Additionally, insurance companies have started demanding that organizations have MFA as a requirement of cybersecurity coverage. Most organizations focus on MFA through smartphone notifications or one-time passcodes (OTP).

Adoption of security controls is always more successful when the impact on users is minimized. Lower-friction authentication solutions help achieve this goal of increasing security without increasing complexity. Innovations in authentication security will continue to push the boundaries of secure authentication, further reducing friction without sacrificing security.

In addition, these innovations will help with the success of zero-trust infrastructures. Organizations leveraging behavioral biometrics report fewer breaches. Leveraging frictionless solutions will help seamlessly authenticate a user when accessing organizational resources, establishing trust at the time resources are being requested.

The frequency and impact of data security incidents will continue to grow until organizations adopt more advanced security controls. Innovation within authentication solutions will be imperative to support future security programs that are resilient in the face of ever-evolving threats.