CXO Insight Middle East - Digital Leadership - June 2020


VIEWPOINT

ARE PASSWORDS HERE TO STAY? RAJESH GANESAN, VICE PRESIDENT, MANAGEENGINE, SAYS WE ARE NOT QUITE READY FOR PASSWORDLESS SYSTEMS.

Seeing as we're on the cusp of driverless cars, human-machine integration, and groundbreaking robotics, it's somewhat surprising that we're still relying on passwords. Although passwordless authentication options are gaining prominence, there's a reason why we're still using passwords 60 years after their inception: they're effective. Unlike facial recognition and other biometric solutions, passwords are either completely right or completely wrong. Biometrics, by contrast, must tolerate a margin of error, because no two captures of the same face or finger are identical; it has been shown, for example, that people can unlock their relatives' phones via facial recognition. Even more importantly, if one's biometric data is ever compromised, it can never be replaced. Unfortunately, we have already seen a major breach of biometric data. Last August, web privacy company vpnMentor discovered that Suprema's security platform, BioStar 2, had exposed facial recognition data and fingerprint records for 1 million people. According to vpnMentor, Suprema saved exact copies of users' fingerprints, potentially compromising these individuals' biometric information forever.

For companies that do store users' biometric data, it is wise to protect that data at rest and never to keep raw samples where a derived template will do. Bear in mind that ordinary password hashing does not transfer directly: a biometric match is approximate rather than exact, so purpose-built template protection is needed instead. Nevertheless, unlike passwords, biometric data, be it irises, faces, or fingerprints, cannot be replaced. For the time being, passwords are here to stay; however, there are some important things to consider.

Multi-factor authentication is key

Whether you use password-based authentication or not, your organisation should require multi-factor authentication (MFA). There is no excuse not to employ MFA, especially with the current proliferation of applications and services that provide it.

Do not require mandatory password resets

If your organisation has MFA in place, you should not require periodic password resets. Such requirements arguably make your network less safe: employees write their passwords on Post-it notes at their workstations, rotate through near-identical passwords, and fall back on passwords that are easy for attackers to guess. As a caveat, a reset may make sense when an employee changes roles within the organisation, and a reset is always warranted when a password is known or suspected to be compromised. Ideally, the role-change reset should be automated as part of the transfer process.

Require strong passwords and block weak ones

Given that password-guessing attacks (brute force, password spraying, and credential stuffing with leaked passwords) remain among the most common attacks, it is still important to require strong passwords and disallow weak ones. Note that "strong" does not mean arbitrary composition rules: NIST guidance (SP 800-63B) favours length over character-class requirements, calls for screening every new password against lists of known-breached and commonly used values, and discourages forced periodic changes. On top of that, disallowing passwords an employee has used before stops the habit of rotating through minor variants.

Manage privileged accounts separately

It is wise to consider utilising an enterprise-grade password manager to stay on top of password security issues. Additionally, as privileged accounts are typically shared by a few people in an organisation, you should consider a separate program to manage the passwords for these privileged accounts. To get certain tasks completed, system administrators should be able to elevate privileges for a given user for a set period of time, after which the elevation lapses automatically; and where possible, direct authentication to shared privileged accounts should be disabled, so that every privileged action is traceable to a named user.

Look into passwordless authentication options

Despite the effectiveness of passwords, wherever possible you can look to eliminate or disable password-based authentication. Passwordless authentication, such as one-time passwords (OTPs) sent via email or SMS, is becoming increasingly popular. Bear in mind, though, that an OTP is only as strong as the channel that delivers it: SMS can be intercepted or redirected through SIM-swap fraud, and NIST SP 800-63B treats SMS delivery as a restricted authenticator and does not count email as an out-of-band authenticator at all. If you decide to introduce a passwordless option for select business accounts, be sure to combine two or more factors, for example a device-bound authenticator alongside an OTP; this way you can remove passwords without weakening your security.

Conclusion

Until passwordless authentication options and biometric solutions become more advanced, it is wise to rely on long, hard-to-guess passwords and multi-factor authentication. Unlike passwords, biometric solutions (fingerprint modules, iris scanners, and voice recognition systems) must tolerate a margin of error. Additionally, as we saw in the breach of Suprema's biometric database, when such an event occurs, users' sensitive biometric data is compromised for life. Put simply, for the time being, passwords are the safest route for your organisation to take from a security perspective.
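As an added illustration (constructed for this edit, not the author's or ManageEngine's code), the following Python sketch shows how the password, MFA and OTP recommendations above fit together in one verifier: screening a new password the way NIST SP 800-63B describes (length bounds, a breached-password blocklist, no composition rules, and a reuse check against salted PBKDF2 hashes), and checking a time-based one-time password (RFC 6238 TOTP, the kind an authenticator app generates) as the second factor. The blocklist, the PBKDF2 work factor, the secrets and the sample passphrase are assumptions, not taken from the article.

```python
"""Constructed example for this page (not the article's or ManageEngine's
code): a minimal verifier that enforces the policies discussed above.

Assumptions not taken from the article: NIST SP 800-63B style screening,
PBKDF2-HMAC-SHA256 for at-rest password storage, RFC 6238 TOTP as the
second factor, and a small constructed blocklist in place of a real
breached-password feed."""
import hashlib
import hmac
import os
import struct
import time
from typing import Iterable, Tuple

# Constructed stand-in for a breached/common-password list (lower-cased).
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "summer2020!"}

MIN_LENGTH = 8                # 800-63B minimum for user-chosen secrets
MAX_LENGTH = 64               # long passphrases allowed; never silently truncate
PBKDF2_ITERATIONS = 100_000   # assumed work factor; tune for your hardware


def pbkdf2(password: str, salt: bytes) -> bytes:
    """Slow, salted hash for storing passwords at rest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def store_password(password: str) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for the credential store; the salt is per user."""
    salt = os.urandom(16)
    return salt, pbkdf2(password, salt)


def screen_password(candidate: str,
                    previous: Iterable[Tuple[bytes, bytes]]) -> Tuple[bool, str]:
    """Accept or reject a proposed password using length bounds, the blocklist
    and the user's reuse history only: no character-class rules, no rotation."""
    if not MIN_LENGTH <= len(candidate) <= MAX_LENGTH:
        return False, "length must be %d-%d characters" % (MIN_LENGTH, MAX_LENGTH)
    if candidate.lower() in BREACHED_PASSWORDS:
        return False, "password appears in a breached/common-password list"
    for salt, digest in previous:
        if hmac.compare_digest(pbkdf2(candidate, salt), digest):
            return False, "password was used previously"
    return True, "ok"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time // step))


def verify_totp(secret: bytes, code: str, at_time: float,
                window: int = 1, step: int = 30) -> bool:
    """Accept the current 30-second step and +/- `window` neighbouring steps
    to absorb clock skew; each comparison is constant-time."""
    if not (code.isascii() and code.isdigit()):
        return False
    counter = int(at_time // step)
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def login(stored: Tuple[bytes, bytes], totp_secret: bytes,
          password: str, code: str, at_time: float) -> bool:
    """Password plus OTP. Both checks always run, so a failure does not
    reveal through timing which factor was wrong."""
    salt, digest = stored
    password_ok = hmac.compare_digest(pbkdf2(password, salt), digest)
    otp_ok = verify_totp(totp_secret, code, at_time)
    return password_ok and otp_ok


if __name__ == "__main__":
    # Constructed enrolment: the user picks a passphrase and a TOTP secret is issued.
    ok, reason = screen_password("correct horse battery staple", [])
    print("screening:", ok, reason)
    record = store_password("correct horse battery staple")
    secret = os.urandom(20)          # shared with the user's authenticator app
    now = time.time()
    print("login with fresh code:",
          login(record, secret, "correct horse battery staple", totp(secret, now), now))
    print("login with stale code:",
          login(record, secret, "correct horse battery staple", totp(secret, now - 120), now))
```

The OTP here is generated on the user's device rather than delivered over SMS or email; a delivered OTP would be verified the same way, but it inherits the weaknesses of its channel. The verification window of one step either side is the usual compromise between clock skew and the number of codes an attacker may guess per attempt, and should be paired with rate limiting.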


