Authentication is imperfect and passwords are here to stay … for now.
In my past life, I was an application security engineer and consultant, dividing my time between coding security products and breaking others’ systems and products as a hacker-for-hire. Securing access was my bread and butter, and I could talk your ear off on topics like session hijacking and SSL/TLS (Secure Sockets Layer and Transport Layer Security respectively) flaws. More recently, I have built authentication services dedicated to keeping OneLogin’s customers’ apps and data secure.
I root for the Password Champion: the security warrior in your office who diligently and fiercely works to protect access to everything, applies strong password policies on all apps and devices, and educates people on the risks of abusing passwords such as with post-it notes.
But even a good Password Champion can get some things wrong. Here’s why.
First, we have to accept that authentication is imperfect and passwords are not going away so quickly. A key challenge in eliminating passwords is that too many SaaS providers still don’t offer token-based sign-in such as with SAML or OpenID Connect. On top of that, many enterprises still have dozens - if not hundreds - of legacy applications that require passwords. It will take some enterprises a long while to migrate off of these legacy apps which use application-specific passwords, and do not support requirements such as password complexity or password expiration.
In addition, passwords make for only a small part of a strong security posture. Security is only as strong as its weakest link, and on some systems, passwords may be a good attack vector. Real-world attackers are more likely to use alternate attack vectors to get around passwords: some common ones are:
- application vulnerabilities
- social engineering
As a hacker, I found vulnerabilities like default or easy-to-guess passwords a fun #fail that made my work much easier. If that attack vector didn’t pan out, I could usually get around the authentication flow, or gain basic privileges and escalate them for admin access.
Being a true password champion means applying password best practices while having a modern approach to access management that is more holistic than a password management tool or a password education campaign.
Here’s what you’re doing wrong and how to fix it. To illustrate, let’s use the classic security triangle: People, Process, and Technology.
Enterprises invest in education like training for compliance reasons, but often overlook enabling people with self-service for password reset and self-registration of MFA. In addition, companies combat shadow IT, but don’t offer an alternative such as faster onboarding of business apps. For example, your employees need to use LinkedIn and Twitter for business, so provide them with a safe way to manage passwords for those personal apps.
Think marathon, not sprint. Some SaaS providers still don’t offer token-based sign-in such as SAML-enabled login. Enterprises need to gradually consolidate passwords, ideally to a single set of corporate credentials for apps, networks, and devices. Similarly, access management should be unified and holistic across the entire organization with user information and privileges.
Password best practices are not hard to follow and apply, and they are an important part of your security practice. Having said that, don’t stop there, and don’t look for a silver bullet. Look for a platform, not a tool, for the wide variety of use cases and for supporting complete authentication and access management scenarios across the enterprise. For example, a single platform can make it much easier to provide password reset self-service to your entire user base.
In summary, being a true password champion goes well beyond password best practices. Enterprises that fail to deploy today’s front-line access management solutions across their orgs - enabling people, planning for a continuous effort, and seeking a full platform solution - are at serious risk and will lose out.