Introduction: As professionals in the authentication space, we stay up to date with technology providers and their solutions. For this post I have invited Josh Cornutt, Director of Software Development at WWPass, to discuss whether it's time to get rid of passwords altogether, and the challenges associated with doing so.
Abby Porter, Director of Product Management, Delfigo: There has been a lot of recent discussion on the lack of security around passwords, especially since so many users choose easy-to-guess combinations that leave their accounts vulnerable to breaches. Both traditional passwords (words typed using the keyboard) and PINs (used on touch screen devices) are vulnerable, especially when the enterprise is reluctant to inconvenience end users with complex requirements. This issue highlights the challenges organizations continue to face with balancing security and user experience.
Josh Cornutt, Director of Software Development, WWPass: Narisi would certainly take your statement one step further by including not only weak passwords, but passwords in general. Even a strong password is still significantly weaker in comparison to technologies such as public-key cryptography or biometrics, which are now easier to use and implement in a corporate network than ever. To take this one step further, even strong single-factor authentication methods have been publicly scrutinized for still not providing enough security for the modern internet user. Multi-factor authentication is the way of future data security, and there are plenty of very easy-to-use and powerful solutions available; why would corporations settle for anything less now? I'd love to hear your thoughts as to why you think corporations have been slow to adopt these highly secure authentication methods and continue to rely on legacy authentication schemes such as traditional username and password combinations.
Abby: In conversations with organizations who have existing password or PIN technology (which is just as vulnerable, if not more vulnerable) in place for their sites and apps, I have found that there is a lot of reluctance to inconvenience the end user, or to introduce a new workflow that will be confusing. In the past I felt these conversations centered more on existing technology investments (for example, having invested heavily in tokens), but what I hear most often now is focused on the need for quick and easy authentication, and passwords and PINs are easily recognized by users who have been conditioned to use them. I could not agree more that multi-factor authentication is the way to go, and I believe that the emerging technologies in the market can actually enhance user experience. What do you see as the key drivers for adoption of multi-factor authentication?
Josh: Multi-factor authentication adoption in corporate environments seems to be largely driven by the need to meet and predict increasingly strict certification standards (HIPAA, SOX, PCI-DSS, etc.), either for their own profitability or due to other governing regulations. For instance, when a corporation goes for PCI-DSS compliance, they're met with section 8.3 of the PCI-DSS 1.2 standard, which states the requirement to "Implement two-factor authentication for remote access to the network by employees, administrators, and third parties". This very plainly states that, if this company would like to move forward with PCI-DSS compliance, they will need to implement some form of two-factor authentication, which will likely translate to either physical smartcard/token devices or biometrics (or both). I agree that passwords and PINs are a quick and easy form of authentication, but they open up an organization to data theft as well as the inability to achieve certain compliances. Multi-factor authentication is here to stay, and as more core compliances start enforcing its use you will begin seeing it around every corner. What do you think authentication into corporate environments will look like in 2-5 years? Will we still be looking at the traditional smartcard model, where an employee physically carries around their identity? Do you predict the "cloud" playing a role in near-future authentication methods (everything else is moving to the cloud, why not authentication)?
Abby: I definitely see more services moving to the cloud, though it seems to be going more slowly than was predicted initially. Security-as-a-Service and Authentication-as-a-Service are extremely compelling concepts, but it's tough to get organizations to break free of the idea that it all needs to be done on premise. Still, I'm seeing major players planning for, and going to, the cloud. I think in 2-5 years we'll see a lot of traction there. In terms of what they will look like, I think we'll see a more holistic view of security focused on the user (identity focused, as opposed to access focused), and the winning technologies will excel where user experience is concerned. This has been a great discussion. Any final thoughts?
Josh: This has, indeed, been a very great discussion. I agree with the overall prediction for Authentication-as-a-Service focusing more on user identity management instead of pure authentication/authorization as this concept matures. User experience is everything in today’s market and there are many companies racing to develop a product that can elegantly mesh secure multi-factor authentication with the most comfortable user experience. Thanks for joining me in this discussion, Abby. Until next time!