By Jackson Shaw, VP of product management for One Identity
Facial recognition and fingerprint scanning for device authentication are no longer futuristic concepts reserved for James Bond movies. In fact, biometrics seem to be gaining ground over their inferior cousin, the password, by the day. So, why do we all still have more passwords than we would care to remember? And whatever happened to the much-hyped “death of the password”?
Three burning questions that dog the authentication discussion are:
- Why are we still using passwords when there are so many more secure options out there?
- Will biometrics ever become the standard for authentication?
- Assuming passwords are here, for at least a little while longer, how can I make them work for me?
Why are we still using passwords?
To understand why we are still using passwords, we need look no further than human nature. We like what we are comfortable with and resist change.
Since the very inception of networked computing, there has been a need for user authentication in order to access systems and data, and the easiest authentication to build into a system is the password. All you need is a directory and a few simple technologies to enforce the security. Consequently, the vast majority of systems use password authentication as the default — and in many cases, password authentication is the only option.
For those of us purchasing and implementing these applications, passwords have always been good enough… until they weren’t. The people that rely on these systems are comfortable with passwords. They have all kinds of tricks to help them remember their passwords (which, by the way, is often the reason passwords are the weak link in the security chain). And passwords are cheap – often password-based authentication is built into the systems that we rely on. Implementing a more secure or convenient authentication method will only add expense, management overhead, and possibly user dissatisfaction.
In addition, consider the fact that most organisations rely on older systems that default to password-based authentication. Switching to biometric enabled systems can be expensive, or require long deployment and integration cycles, and often comes across as an effort to fix something that isn’t broken. Not to mention that when multiple legacy systems are in play, those challenges are magnified many times over.
So why are we still using passwords? My opinion is, quite simply, because it’s good enough. Until there is a compelling event, technological breakthrough, or regulatory mandate forcing the issue, passwords will remain king.
Will biometrics become the new standard?
I believe that, yes, biometrics will eventually become the new standard. But only after enough password-based breaches hit enough organisations with enough negative effect that they are forced to implement stronger forms of authentication.
But I would also argue that multi-factor authentication (an approach in which biometrics is becoming a key player) is quickly becoming “a” standard, if not “the” standard. More and more organisations today are implementing the need to supplement the single factor of something you know (the password) with a second factor of either something you have (such as a smart card or OTP token), and more recently another factor could be something you are — otherwise known as biometrics.
Since second factors of the “something you have” variety are easier to implement and more easily integrated with legacy systems, I would expect continued growth in one-time passwords (OTP) and smart card authentication, while biometrics slowly gains ground.
So maybe the correct answer to this question is: multi-factor authentication will become the standard quickly, with biometrics being incorporated into a fraction of those use cases…at least for the foreseeable future.
How can I make passwords work for me?
Authentication technologies, whether they be password or biometrics, exist for one purpose – to secure access to systems and data. With the death of the password being greatly exaggerated, there is a compelling need to find ways to use them better. In other words, we need to find ways to ensure that passwords fulfill their purpose and work for your company’s security processes. Recent NIST guidelines provide cool alternatives to the strict rules we’ve been told to abide by when setting a strong password. For example, use a long phrase rather than a distorted version of your pet’s name. However, many legacy systems simply don’t provide the flexibility to implement these dramatically different password policies. But there is hope. Here’s some ideas:
- Add multi-factor authentication. There are many options available for a two- or three- factor in authentication, and making sure that it fits with the culture of your organisation is the best way to ensure that users will be able to seamlessly gain access to their work without having it disrupt their workflow.
- Reduce the number of passwords you use — but change them frequently. Much of the trouble with hacked passwords is that they are easy to discover. This can be the result of poor practices such as never changing a password or the use of social engineering to guess them. However, a single hard-to-guess password that is changed often, and applies everywhere is an ideal remedy to their traditional weaknesses. Single sign-on and directory consolidation are fairly easy and common technologies that achieve this end.
- Take advantage of all your options. When implementing new systems, be sure that they support the standards necessary for adding multi-factor authentication to the mix and ensure that the policy you enforce for accessing those systems uses all the options available to you.
So, while the death of the password may be highly exaggerated for now, authentication is evolving, and biometrics will slowly become the new standard of the future. Set yourself up today to seamlessly and securely move into the password-less world, for when it finally arrives.