Comment: Passwords Are No Longer Enough

Howes says, regardless of what authentication method you opt for, make sure the solution is as intuitive and accessible to the end user as possible, otherwise it will be circumvented

Protecting sensitive data has never been more important in a world where WikiLeaks looms large and the explosion in mobile data access means that even the ultra-traditionalists governing the House of Commons have consented to MPs using tablet computers in the chamber.

Given that Parliament has given the thumbs up to tweeting from within the House, it's surely high time the same modern thinking was applied to answering whether the authentication solution you rely on to protect your data is up to scratch.

Recent research by Forrester Consulting on behalf of Symantec suggests it might not be. The survey, which covered more than 300 businesses, found that a third were still happy to rely on the very weakest form of authentication – passwords – to grant external access to their networks.

The report’s authors described the use of traditional password verification as “antiquated” in the era of cloud computing, collaboration tools and smartphones, and I’d have to agree. One reason for this is that even this most basic level of authentication is frequently misused.

People remain the weakest link in any security set-up, and in a bid to beef up protection, passwords have been lengthened and made more complicated. As humans, the majority of us lead hectic lives – MPs or not – and we simply can’t remember long strings of numbers easily. The result is that they get written down or simplified, rendering a weak form of authentication redundant in security terms.

Forrester also found password issues are the top access problem businesses face, with forgotten passwords being common. Forgotten passwords are more than simply an inconvenience, they’re a cost too. Research firm IDC puts the cost of a reset at £30 per incident when lost productivity and associated support functions are factored in.

Putting aside the enormous reputational risk you run if data is compromised due to weak password protection, demonstrated at the start of this year by Vodafone Australia, there’s now a significant cost of another magnitude to face. Last November the Information Commissioner’s Office demonstrated beyond doubt that it is far from a toothless tiger, hitting Hertfordshire County Council with an eye-watering £100,000 fine relating to the accidental distribution of sensitive personal information.

Since then it has continued to bare its fangs, and in February Ealing Council was hit with a £80,000 fine and Hounslow Council was charged £70,000 for losing laptops that contained sensitive personal data.

Given all of this, now is very much the time to challenge the status quo. The question then is not so much what the best authentication solution is (although most are preferable to a login and password set-up) but rather how you wish to use it, what you're using it for, how risky an environment you're operating in, and how frequently you'll be using the solution. Employees who infrequently use your authentication solution tend to forget what to do, nullifying the benefits of being able to access data on the go.

So what are the alternatives? Smartcards and key codes can’t address remote or mobile authentication. Historically tokens, which generate a one-time passcode, were a secure and familiar authentication technology. However, the acquisition and maintenance of these hardware devices comes at a cost, which has become significant in recent years as more employees demand to work from home.

The convenience of such a system is also relatively low due to the need for users to carry around an additional piece of hardware to ensure authentication and data access. Recent headlines have also demonstrated that the integrity of the token product itself can be thrown into doubt after a successful cyberattack and data theft from the vendor behind them.

While biometric authentication is an interesting development, in my mind it will probably remain niche for the foreseeable future.

Solutions that send an SMS to a device, such as a mobile, are certainly ahead of passwords in terms of performance, but they can’t provide 100% authentication alone, as devices can be stolen and cellular coverage is patchy.

To this end there are a number of visual options in the marketplace, where users remember a shape, face or pattern rather than password to generate a one-time passcode. Studies by the Department of Computer Science at University College London have found people find it much easier to remember a pattern than a string of numbers. Being software-based, there are also advantages in rolling out this extra layer of security quickly across networks; there is also a cost saving because there’s no need to purchase or deploy tokens.
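To make the pattern-based approach concrete, here is an added illustration of the mechanism the paragraph describes: the server shows a fresh grid of random digits at each login, the user reads off the digits at the cells of a pattern only they know, and that string is the one-time passcode. This is example code written for this page, not GrIDsure's product code; the 5x5 grid, the minimum pattern length of four cells and the digit alphabet are assumptions chosen for the demonstration.

```python
import math
import secrets

GRID_SIZE = 5        # assumed: a 5x5 grid of digits
MIN_PATTERN_LEN = 4  # assumed: shortest pattern the server will enrol


def new_challenge_grid(size=GRID_SIZE):
    """Return a fresh challenge: size*size random digits, row-major order."""
    return [secrets.randbelow(10) for _ in range(size * size)]


def code_for_pattern(grid, pattern, size=GRID_SIZE):
    """The one-time code is the digits found at the pattern's (row, col) cells, in order."""
    return "".join(str(grid[r * size + c]) for r, c in pattern)


def render_grid(grid, size=GRID_SIZE):
    """Text rendering of a grid, as a login screen might show it."""
    rows = (grid[i * size:(i + 1) * size] for i in range(size))
    return "\n".join(" ".join(str(d) for d in row) for row in rows)


def pattern_space(length, size=GRID_SIZE):
    """Number of distinct patterns of `length` cells without repeats: what a guesser faces."""
    return math.perm(size * size, length)


class PatternAuthenticator:
    """Server side of the scheme.

    Stores each user's enrolled pattern (the long-term secret; at rest this needs
    encrypting, since unlike a password it must be recoverable to derive codes),
    issues one grid per login attempt and accepts the matching code exactly once.
    """

    def __init__(self, size=GRID_SIZE):
        self.size = size
        self._patterns = {}   # user -> enrolled pattern
        self._pending = {}    # user -> grid issued for the current attempt

    def enrol(self, user, pattern):
        cells = list(pattern)
        if len(cells) < MIN_PATTERN_LEN:
            raise ValueError("pattern too short")
        if len(set(cells)) != len(cells):
            raise ValueError("pattern must not revisit a cell")
        if any(not (0 <= r < self.size and 0 <= c < self.size) for r, c in cells):
            raise ValueError("pattern cell out of range")
        self._patterns[user] = cells

    def challenge(self, user):
        """Issue a fresh grid; a new challenge replaces any unused earlier one."""
        grid = new_challenge_grid(self.size)
        self._pending[user] = grid
        return grid

    def verify(self, user, submitted_code):
        """Check the code against the grid issued for this attempt, then discard that grid."""
        grid = self._pending.pop(user, None)   # single use: replay of an old code fails
        pattern = self._patterns.get(user)
        if grid is None or pattern is None:
            return False
        expected = code_for_pattern(grid, pattern, self.size)
        return secrets.compare_digest(expected, submitted_code)


if __name__ == "__main__":
    # Constructed walk-through: Alice enrols a diagonal pattern and logs in once.
    auth = PatternAuthenticator()
    alice_pattern = [(0, 0), (1, 1), (2, 2), (3, 3), (4, 4)]
    auth.enrol("alice", alice_pattern)
    grid = auth.challenge("alice")
    print(render_grid(grid))
    code = code_for_pattern(grid, alice_pattern)   # what Alice reads off the screen
    print("code:", code, "accepted:", auth.verify("alice", code))
    print("replay accepted:", auth.verify("alice", code))
    print("patterns of length 5:", pattern_space(5))
```

Two properties matter for a defender here. The secret is the pattern, not the code, so the code can be spoken or typed in the open and is worthless once the grid is discarded; that is what makes it a one-time passcode. But every grid shown alongside an accepted code narrows down which pattern produced it, so the server should rate-limit attempts and lock out after repeated failures just as it would for any other authenticator.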

Regardless of what you opt for, by far the most important thing is to make sure your chosen solution is as intuitive and accessible to the end user as possible, otherwise you can guarantee it will be circumvented – and that’s no value to anyone at all. With ever-increasing regulation and the threat of hefty fines, now is the time to make sure you have the correct authentication in place and to consign passwords where they belong – to a computing age before smartphones and tablets.

Stephen Howes founded GrIDsure in 2006 having created and patented a unique pattern-based technique for user authentication. As the company's CTO and initial CEO, Howes has led the company through many milestone successes. He is a technology innovator with over 25 years of experience designing, developing and implementing carrier- and enterprise-grade infrastructures and solutions across the globe. As the former director of global product engineering and infrastructure systems at UUNET, Howes was at the forefront of developing internet infrastructure for over 65 countries, delivering core infrastructure systems to ISPs, multinational companies and governments.