Passwordless is the right direction even if it’s not your final destination.
Back in 2004 we were promised "the end of passwords" – why, then, are we still struggling with them today?
Users have been burdened with unrealistic expectations when it comes to their part in maintaining enterprise security. Given the massive rise in the threat landscape, it is time for Infrastructure to adopt a user-experience-based approach if we want to move the needle on improving security posture.
"If you buy the premise…you buy the bit."
Johnny Carson
Build the case, both to business stakeholders and end users, that "password" is not a synonym for "security."
Be ready for some objection handling!
"There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don't meet the challenge for anything you really want to secure."
Bill Gates
A massive worm attack against ARPANET prompted the initial research into password strength.
Password strength can be expressed as a function of randomness, or entropy: the greater the entropy, the harder it is for an attacker to guess the password.
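The entropy formula behind that statement, worked through as an added example (this code is not from the original deck). For a secret of a given length whose symbols are chosen uniformly from an alphabet, H = length * log2(alphabet_size) bits; the same formula covers a passphrase if each word is treated as one symbol drawn from a word list, which goes slightly beyond the single sentence above. The 22 billion hashes per second used as the cracking rate is the figure that appears beside the GPU image later on this page; the policies compared are constructed for illustration.

```python
import math


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a secret of `length` symbols, each chosen uniformly
    at random from `alphabet_size` candidates: H = length * log2(alphabet_size).
    This is an upper bound; a human-chosen password is far from uniform."""
    if length < 1 or alphabet_size < 2:
        raise ValueError("need length >= 1 and alphabet_size >= 2")
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Same formula for a passphrase: each word is one symbol drawn uniformly
    from a word list of `wordlist_size` entries."""
    return password_entropy_bits(word_count, wordlist_size)


def seconds_to_exhaust(entropy_bits: float, guesses_per_second: float) -> float:
    """Worst-case time for an attacker testing `guesses_per_second` candidates
    to cover the whole space of 2**entropy_bits possibilities."""
    return 2.0 ** entropy_bits / guesses_per_second


def compare_policies(guesses_per_second: float) -> dict:
    """Constructed comparison of three password policies against one cracking
    rate. Returns {policy: (entropy_bits, days_to_exhaust)}."""
    policies = {
        "8 random printable ASCII chars": password_entropy_bits(8, 95),
        "4 random words (2048-word list)": passphrase_entropy_bits(4, 2048),
        "6 random words (2048-word list)": passphrase_entropy_bits(6, 2048),
    }
    return {
        name: (bits, seconds_to_exhaust(bits, guesses_per_second) / 86400)
        for name, bits in policies.items()
    }


if __name__ == "__main__":
    # Hash rate cited on the page; treat it as an order-of-magnitude figure.
    CRACK_RATE = 22e9
    for name, (bits, days) in compare_policies(CRACK_RATE).items():
        print(f"{name:34s} {bits:6.1f} bits  exhausted in {days:14,.1f} days")
```

Two things the numbers make plain: a memorable six-word passphrase carries more entropy than an eight-character "complex" password, and entropy only measures resistance to guessing. A credential captured by phishing or a keylogger, as the figures further down this page describe, is lost regardless of how strong it was.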
Table: Modern password security for users
Ian Maddox and Kyle Moschetto, Google Cloud Solutions Architects
From this research, increasing password complexity (length, special characters, etc.) became the "best practice" to secure critical systems.
Image courtesy of Randall Munroe XKCD Comics (CC BY-NC 2.5)
It turns out, however, that humans are really bad at remembering complex passwords.
An Intel study (2016) suggested that the average enterprise employee needed to remember 27 passwords. A more recent study from LastPass puts that number closer to 191.
Over the course of a single year, researchers at the University of California, Berkeley identified and tracked nearly 2 billion compromised credentials.
3.8 million of these were obtained via social engineering and another 788K from keyloggers. That is approximately 250,000 cleartext credentials harvested every week!
The entirety of the password ecosystem has significant vulnerabilities in multiple areas:
Even the 36M encrypted credentials compromised every week are just going to be stored and cracked later.
Source: Google, University of California, Berkeley, International Computer Science Institute
Image: "22B hash/s" (NVIDIA Grace), courtesy of NVIDIA
Image: IBM Quantum System One (CES 2020) by IBM Research is licensed under CC BY-ND 2.0
"Give me a place to stand, and a lever long enough, and I will move the world."
Archimedes
Chances are you are already paying for one or more of these technologies from a current vendor:
Global Market of $12.8B
~16.7% CAGR
Source: Report Linker, 2022.
Passwordless technologies focus on alternate authentication factors to supplement or replace shared secrets.
Something you know
Shared secrets have well-known, significant modern-day problems, but only when used in isolation. For end users, consider time-limited single-use options, password managers, rate-limited login attempts, and reset rather than retrieval requests. On the system side, never forget strong cryptographic hashing, along with a side of salt and pepper, when storing passwords.

Something you have
A token (now known as a cryptographic identification device) such as a pass card, fob, smartphone, or USB key that is expected to be physically under the control of the user and is uniquely identifiable by the system. Easily decoupled in the event the token is lost, but potentially expensive and time-consuming to reprovision.

Something you are or do
Commonly referred to as biometrics, this factor has two primary classes. The first is measurable physical characteristics of the user, such as a fingerprint, facial image, or retinal scan. The second is a series of behavioral traits, such as expected location, time of day, or device. These traits can be linked together in a conditional access policy. Unlike other authentication factors, biometrics DO NOT provide exact matches and instead rely on a confidence interval. A balance must be struck between the user experience cost of false negatives and the security risk of a false positive.
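The system-side advice for "something you know" (strong hashing with salt and pepper, plus rate-limited login attempts), shown as an added example rather than code from the deck or any vendor it mentions. The store below derives each password hash with PBKDF2-HMAC-SHA256 over a per-user random salt, after first keying the password with a server-side pepper through HMAC; the pepper lives outside the credential database (a secrets manager or HSM in practice), so a dumped table alone cannot be cracked offline. Failed attempts per account are counted and the account is locked for a window. The `PasswordStore` class, its iteration count (600,000 follows the OWASP Password Storage Cheat Sheet guidance for PBKDF2-HMAC-SHA256 at the time of writing), and the injectable clock are assumptions of this example.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass


@dataclass
class Record:
    salt: bytes        # per-user random salt, stored with the hash
    digest: bytes      # PBKDF2 output
    iterations: int    # stored so the cost can be raised later per record


class PasswordStore:
    """Hypothetical credential store: salted + peppered PBKDF2 hashing with a
    per-account failed-attempt lockout."""

    def __init__(self, pepper: bytes, iterations: int = 600_000,
                 max_attempts: int = 5, lockout_seconds: int = 300,
                 clock=time.monotonic):
        self._pepper = pepper            # kept out of the database
        self._iterations = iterations
        self._max_attempts = max_attempts
        self._lockout = lockout_seconds
        self._clock = clock              # injectable for deterministic tests
        self._records = {}
        self._failures = {}              # username -> timestamps of failures

    def _derive(self, password: str, salt: bytes, iterations: int) -> bytes:
        # Pepper first: HMAC keyed with the server secret, then the slow KDF.
        peppered = hmac.new(self._pepper, password.encode("utf-8"),
                            hashlib.sha256).digest()
        return hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations, dklen=32)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[username] = Record(
            salt, self._derive(password, salt, self._iterations), self._iterations)

    def is_locked(self, username: str) -> bool:
        """True when max_attempts failures fall inside the lockout window."""
        now = self._clock()
        recent = [t for t in self._failures.get(username, [])
                  if now - t < self._lockout]
        self._failures[username] = recent
        return len(recent) >= self._max_attempts

    def verify(self, username: str, password: str) -> bool:
        if self.is_locked(username):
            return False
        rec = self._records.get(username)
        if rec is None:
            # Unknown user: still run the KDF so timing does not reveal
            # whether the account exists, then count the failure.
            self._derive(password, bytes(16), self._iterations)
            self._failures.setdefault(username, []).append(self._clock())
            return False
        ok = hmac.compare_digest(
            self._derive(password, rec.salt, rec.iterations), rec.digest)
        if ok:
            self._failures.pop(username, None)   # success resets the counter
        else:
            self._failures.setdefault(username, []).append(self._clock())
        return ok


if __name__ == "__main__":
    # Constructed demo; a real pepper comes from a secrets manager, not source.
    store = PasswordStore(pepper=os.urandom(32), iterations=10_000, max_attempts=3)
    store.register("alice", "correct horse battery staple")
    print(store.verify("alice", "correct horse battery staple"))   # True
    for _ in range(3):
        store.verify("alice", "guess")
    print(store.is_locked("alice"))                                # True
```

Two design points worth noting: the stored record carries its own iteration count so the work factor can be raised on next login without a migration, and lockout is tracked per account rather than per source address, since credential-stuffing traffic is spread across many addresses. A lockout is itself a denial-of-service lever against a known username, which is one reason the deck recommends pairing rate limits with a second factor rather than relying on the password alone.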
Does the solution support the full variety of end-user devices you have in use?
Can the solution be configured with your existing single sign-on or central identity broker?
Users already want a better experience than passwords.
What new behavior are you expecting (compelling) from the user?
How often and under what conditions will that behavior occur?
Where are the points of failure in the solution?
Consider technical elements like session thresholds for reauthorization, but also elements like automation and self-service.
Understand the exact responsibilities Infra & Ops have in the event of a system or user failure.
As many solutions are based in the public cloud, manage stakeholder expectations accordingly.
"Move the goalposts…and declare victory."
Informal Fallacy (yet very effective…)
Get the easy wins in the bank and then lay the groundwork for the long campaign ahead.
You're not going to get to a passwordless world overnight. You might not even get there for many years. But an agile approach to the journey ensures you will realize value every step of the way:
"Backup Vs. Archiving: Know the Difference." Open-E. Accessed 05 Mar 2022. Web.
G, Denis. "How to Build Retention Policy." MSP360, 3 Jan 2020. Accessed 10 Mar 2022. Web.
Ipsen, Adam. "Archive Vs. Backup: What's the Difference? A Definition Guide." BackupAssist, 28 Mar 2017. Accessed 04 Mar 2022. Web.
Kang, Soo. "Mitigating the Expense of E-Discovery; Recognizing the Difference Between Back-Ups and Archived Data." Zasio Enterprises, 08 Oct 2015. Accessed 03 Mar 2022. Web.
Mayer, Alex. "The 3-2-1 Backup Rule – An Efficient Data Protection Strategy." Naviko. Accessed 12 Mar 2022. Web.
Steel, Amber. "LastPass Reveals 8 Truths about Passwords in the New Password Exposé." LastPass Blog, 1 Nov 2017. Web.
"The Global Passwordless Authentication Market Size Is Estimated to Be USD 12.79 Billion in 2021 and Is Predicted to Reach USD 53.64 Billion by 2030 With a CAGR of 16.7% From 2022-2030." Report Linker, 9 June 2022. Web.
"What Is Data-Archiving?" Proofpoint. Accessed 07 Mar 2022. Web.