Authentication Is Imperfect, But Passwords Are Not Out
Below Jonathan Bennun, product strategist at OneLogin and ex-hacker discusses the current IT sphere, cyber security progress and the open vulnerabilities of today’s tech.
As a hacker, I found vulnerabilities like easy-to-guess passwords made my work much easier. If that attack vector didn't pan out, I could usually get around the authentication flow, or gain basic privileges and escalate them for admin access. We must accept that these vulnerabilities – imperfect authentication and passwords - are not going away anytime soon, and businesses must take steps to strengthen their security posture with this in mind.
A key challenge in eliminating passwords is that too many SaaS providers still don’t offer token-based sign-in such as with SAML or OpenID Connect. On top of that, many enterprises still have dozens - if not hundreds - of legacy applications that require passwords. It will take some enterprises a long while to migrate off these legacy apps which use application-specific passwords, and do not support requirements such as password complexity or password expiration.
In addition, passwords make for only a small part of a strong security posture. Security is only as strong as its weakest link, and on some systems, passwords may be a good attack vector. Real-world attackers are more likely to use alternate attack vectors to get around passwords. Some common ones are:
- Application vulnerabilities
- Spearphishing
- Social engineering
Being a true password champion means applying password best practices while having a modern approach to access management that is more holistic than a password management tool or a password education campaign.
Here’s what businesses are doing wrong and how they can fix it. To illustrate, let’s use the classic security triangle: People, Process, and Technology.
People
Enterprises invest in education like training for compliance reasons, but often overlook enabling people with self-service for password reset and self-registration of MFA. In addition, companies combat shadow IT, but don’t offer an alternative such as faster onboarding of business apps. For example, your employees need to use LinkedIn and Twitter for business, so provide them with a safe way to manage passwords for those personal apps.
Process
Think marathon, not sprint. Some SaaS providers still don’t offer token-based sign-in such as SAML-enabled login. Enterprises need to gradually consolidate passwords, ideally to a single set of corporate credentials for apps, networks, and devices. Similarly, access management should be unified and holistic across the entire organization with user information and privileges.
Technology
Password best practices are not hard to follow and apply, and they are an important part of your security practice. Having said that, don't stop there, and don't look for a silver bullet. Look for a platform, not a tool, for the wide variety of use cases and for supporting complete authentication and access management scenarios across the enterprise. For example, a single platform can make it much easier to provide password reset self-service to your entire user base.
In summary, being a true password champion goes well beyond password best practices. Enterprises that fail to deploy today’s front-line access management solutions across their orgs - enabling people, planning for a continuous effort, and seeking a full platform solution - are at serious risk and will lose out.