ISACA Now Blog


Eliminating Passwords in the Enterprise

Mike Waddingham
Posted at 3:09 PM by ISACA News | Category: Security

Passwords can be a pain for everyone. They are not secure and are prone to misuse. Isn’t it time to get rid of them entirely?

While issuing an enterprise credential with a strong password is fairly easy to accomplish, managing that password over the credential's lifetime is more difficult. User password resets, compromised passwords and a lack of synchronized passwords across enterprise systems all cause problems for users, IT departments and security professionals.

And users truly hate passwords. There are too many to remember, each system has different rules, and there is a lack of standards for reset processes.

A positive associated with passwords is that they are well understood by both providers and end-users. They offer portability, through reuse and single sign-on, and are supported by all identity and access management (IAM) platforms. Corporate policies for using passwords with credentials are also well established.

But, usability and security of password-backed credentials are in decline and a passwordless future is something that keeps coming up in the IAM conversation. So what will it take?

I do not believe it will be any one technology or single method that replaces passwords in enterprise access management. There are simply too many user, business, application and compliance requirements out there for a one-solution-fits-all scenario.

In the online world we have an embarrassing number of authentication options. Examples of biometrics include the iPhone fingerprint reader and the up-and-coming Nymi band. Hardware tokens have been here for a while. Smartphone tokens work fairly well. And this stuff is not really all that new—in 2007 I blogged about authenticators such as fobs, proximity cards and USB tokens.

With all of these options, it does not seem likely that any one technology will swoop in to corner the market and single-handedly replace passwords. But that's okay—I don't think we need a killer authenticator or login process. A better option is a flexible IAM solution that offers adaptive (or context-based) authentication.

Today, access management systems provide a traditional username plus password credential:

Figure 1 - Traditional Access Management

The access manager software has logic that determines that a username and password are required, and both must match the entry in the directory—pretty straightforward stuff. But this is an old approach, invented when users’ screens were green and bellbottoms were cool.

If we want to eliminate passwords, we need a better access manager—one that supports adaptive authentication.

Let's say we want to improve the experience by accepting either a username plus password, or a username plus equivalent authenticator. And, let's assume we have issued mobile phones with contact-less technology to our users. In this case, the adaptive authentication process might work something like this:

Figure 2 - Adaptive Access Management

The access rules (white boxes) direct the authentication process. (This is a simple case—using adaptive access management, you can extend this flow to include multiple authenticators and checks.)

As products mature, the flexibility to add logic and capabilities to these processes will increase. The more rules you implement, the more secure—yet potentially just as easy—the access can become.

Wait: you mean secure OR easy, right? Isn't there always a trade-off? Well, the implementation of adaptive authentication technology may be difficult, but the user experience can be simplified. If all we need is to eliminate passwords, then the alternate authenticator needs to be as strong and, hopefully, easier to manage. If the contact-less smartphone is that authenticator, we meet or improve on both security and ease-of-use.

The point is that the combination of authenticators—aligned with the level of assurance required by the network, application or service—is what matters. It does not matter that a password is involved.
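As an added illustration (not code from the post or from any product it mentions), the access rules of Figure 2 can be written as a small policy engine: the assurance level required by the information's sensitivity is expressed as a number of distinct factor categories (something you know, have or are), and any combination of verified authenticators that reaches it is allowed, whether or not a password is among them. The authenticator names, the sensitivity levels and the "reported lost" handling are assumptions for the example; it also covers the step-up to two factors for highly sensitive information and the help-desk one-time code fallback.

```python
from dataclasses import dataclass

# Authenticators accepted by the assumed access rules, grouped into the
# factor categories the post uses: something you know / have / are.
FACTOR_CATEGORY = {
    "password": "know",
    "shared_secret": "know",       # a non-password secret, e.g. a PIN in the phone app
    "helpdesk_otp": "know",        # one-time code from the help desk (fallback path)
    "contactless_phone": "have",
    "hardware_token": "have",
    "fingerprint": "are",
}

# Assumed policy: distinct factor categories required per information sensitivity.
REQUIRED_CATEGORIES = {"low": 1, "medium": 1, "high": 2}


@dataclass
class LoginContext:
    username: str
    sensitivity: str               # "low" | "medium" | "high"
    verified: set                  # authenticators already checked against the directory
    device_reported_lost: bool = False


def decide(ctx: LoginContext):
    """Apply the access rules and return (decision, detail).

    decision is "allow", "step_up" (more factors needed) or "deny".
    """
    if ctx.sensitivity not in REQUIRED_CATEGORIES:
        return "deny", "unknown sensitivity level"
    unknown = set(ctx.verified) - set(FACTOR_CATEGORY)
    if unknown:
        return "deny", f"unrecognised authenticator(s): {sorted(unknown)}"
    usable = set(ctx.verified)
    # A phone reported lost has been disabled: its possession factor no longer counts.
    if ctx.device_reported_lost:
        usable.discard("contactless_phone")
    categories = {FACTOR_CATEGORY[a] for a in usable}
    needed = REQUIRED_CATEGORIES[ctx.sensitivity]
    if len(categories) >= needed:
        return "allow", f"{sorted(categories)} satisfies {ctx.sensitivity} assurance"
    missing = sorted({"know", "have", "are"} - categories)
    return "step_up", f"need {needed - len(categories)} more factor(s) from {missing}"
```

Note that two authenticators from the same category (phone plus hardware token) still count as one factor, which is the check that keeps "two-factor" meaningful.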

Once the right technology is implemented, the process to migrate away from passwords is fairly straightforward: offer users an option to log in with their phones and watch the migration occur on its own. In six months, force the switch and you have eliminated passwords entirely.

There is a catch (of course). The organization's password and access policies will need to change. In my experience, these policies are specific to passwords (length, composition, etc.) and cannot support adaptive authentication as I have just described.

It is critical to create policies and standards for authentication assurance (and identity proofing), based on the sensitivity of information. The types of rule sets necessary to implement compliant adaptive authentication can then be based on clear policy. IAM expertise is needed to do this effectively.

Because business, IT architecture, security and privacy teams need to be on board, the benefits and risks associated with adaptive authentication need to be understood. Critically, the organization’s leadership also needs to be informed of the risks of current password-based access management in order to secure support. All this takes time and skill to do well.

Adaptive authentication, revamped policies and senior management support—that's what it will take to eliminate passwords. Are you ready to say goodbye to your passwords?

Mike Waddingham
President, Code Technology Corp.


Other securities

But what about the simple scenario that the username is human-readable, the lock code (or pattern) on the smartphone is simple and a malicious person steals the smartphone? Or if the hacker gets access to the smartphone and can read the one-time token? Or are these just too complex compared to stealing/hacking traditional credentials?
Gintautas Pusinskas at 3/25/2015 4:49 AM

re: Other securities

Enterprise controls such as requiring passwords on smartphones can be enforced so that simple locks are not allowed.

Theft of a phone is a potential issue but mitigated by a user's requirement (and motivation) to report loss and have it disabled/wiped remotely.

Of course, if the information is highly sensitive, the adapted access management solution would (automatically) force two-factor authentication. This could include biometrics (something you are) or a shared secret (something you know) that, hopefully, isn't a password!
Mike Waddingham at 3/26/2015 1:15 PM

Cost of implementing controls

Very insightful article. In my opinion, the major setback to alternatives to user passwords such as proximity cards, USB tokens and biometric controls is the cost of implementing such controls versus the associated risk(s).
This would be very appropriate in high risk environments such as Banks or National Security agencies but may be hard to justify in a small to medium size organization.
Tapiwa201 at 3/31/2015 4:44 AM

Didn't charge their smartphone overnight?

Interesting... But what about the more obvious situation where someone's smartphone battery runs dead... The unavailability of the smartphone can't block access to a business-critical application and prevent people from doing their jobs. That's where the hardware tokens (e.g. RSA SecurID) have an advantage, I think?
Campbell at 4/1/2015 8:24 AM

Re: costs

Until NFC readers become much more common the cost of implementing the solution (in my example) will need to be calculated as part of the cost/benefit and risk analyses. However, that analysis may show cost savings and improved security that will off-set the cost of readers.

Mike Waddingham at 4/4/2015 10:20 PM

Re: uncharged smartphone

The solution would need to be supported by processes that allow access even when the primary device is 'dead'. Even a token can fail, and so token-based solutions need fall-back access methods, for example, one-time access codes supplied by a help desk for authentication (once the user identity has been verified).

Of course -- perhaps more to your point -- if the phone is dead it makes it tricky to call the help desk, doesn't it? :)

Mike Waddingham at 4/4/2015 10:25 PM

Good idea

A password is something that only you know and your system knows, or that it creates every time you connect. Well, maybe hackers know it too.
Then it shouldn't be only something that I know or I have. No password is a good idea to work toward in the future; man has the ability to create and innovate.
Xavier750 at 4/6/2015 4:01 AM

biometric as best alternative for password

I think you have come up with a good idea, as password use, where you should keep changing the password periodically, is becoming more difficult. But also the risk and accessibility of a mobile phone whenever needed is still not certain! I think the better and more secure alternative to passwords is biometrics (who you are), whether iris, fingerprint, etc. Companies and PC makers should rethink the design of the access point to allow the user to use the biometric option as an alternative to a password, and system developers should also take that option into account in the systems they develop.
ANTHONY650 at 4/11/2015 3:13 AM