Tony Lock, originally published on Computing

The everyday habits of users leave passwords, still the primary mechanism for securing any application or desktop, of little real value. We live today in a world where credential-stealing malware can be built from “do it yourself” kits available on the Internet and where high-profile organisations are routinely targeted by criminals. These developments, coupled with the fact that users also appear happy to trade their passwords for a bar of chocolate in railway station surveys, raise the question: is the era of password authentication finally coming to a close?

From the first time systems administrators looked to restrict access to applications, the default authentication mechanism has been the “password”. Since then, passwords have been proven time and again to be far from foolproof. Everyone recognises that short passwords based on easily guessed names and the like, which sometimes appear to be all that many users can memorise, are easily cracked. Where administrators have policies to weed out weak passwords by insisting on minimum lengths, character requirements and password lifetimes, it is by no means unusual for users to employ the ‘ultra-secure’ yellow sticky note to keep the latest login credentials handy. In fact, it is straightforward to argue that long passwords which are regularly changed lead to more security problems than a reasonable password that is kept confidential.

Considering the computers that users routinely use in everyday business, it is now common for business laptops and desktop machines to include fingerprint scanners. This provides users with either a supplement to or an alternative to traditional password authentication systems. Indeed, fingerprint recognition is now often found even on machines targeting the consumer market, and not only PCs but many tablets as well. In addition several vendors now provide capabilities to employ smartcard authentication mechanisms.

Given that alternatives to password authentication on computers are widely available in large parts of the installed base, why is it that the active use of any additional form of authentication appears to be sporadic? Part of the reason could well be that few enterprise systems management tools are easily able to exploit such technologies in the central authentication repositories, although this is changing.

A more likely explanation is that there is little discussion or co-ordination inside many organisations around how robust the security of their desktop and laptop machines needs to be, or what form it should take. In companies where security is essential, it is becoming more common, for at least certain categories of users, to employ some form of additional authentication beyond the password, quite often by utilising a one-time-password system, such as a key-fob display or by sending one time passwords to mobile phones via SMS.

This does raise the question of why such systems are not more widely deployed, especially as recognition is growing of the need to better protect any sensitive data held on systems. It is clear that few users are happy to employ additional authentication protocols, as many believe these add complexity to their logon processes.

This is a problem, as research we have carried out over the years highlights that few people outside of IT and compliance / auditor functions understand the business requirements to secure their systems robustly. Educating all users on the importance of IT security, and the steps they should adopt in their daily use of computers, has clear benefits by raising understanding, which ultimately helps improve all aspects of data security. Even with better authentication systems, inappropriate usage of systems remains a major risk to organisations.

It remains to be seen whether the increasing raft of privacy regulations and other compliance and governance requirements will force organisations to ramp up PC security authentication. This could trigger the adoption of secondary authentication mechanisms, and anyone that does not take steps may be placing the organisation at risk. Should regulators apply such pressure, we are likely to see a rapid take-up of secondary authentication put in place alongside more robust password requirements. One obvious place where regulatory pressure may actually force organisations to implement something they arguably should be doing anyway is the requirement to better protect their business assets. Such moves would also help protect the company’s brand reputation, a clear priority for many organisations.
