As the internet uses #PasswordDay to celebrate and patronize the 1961 Massachusetts Institute of Technology creation of the password, we at Privoro are working on our goal of ending the use of passwords within our organization.
That’s right, at Privoro we plan to take away the single most utilized tool in protecting our enterprise data and in the same bold move create a more secure data environment. We aim to empower our team with an easy, passwordless means of accessing their work environment. What a wonderful productivity gain that will be. Forget about the time lost when a team member:
- misspells their dog’s name or hits the caps lock by accident; or
- mistypes that greater than eight-alpha-numeric-symbol-with-an-uppercase-and-lowercase character password (which is hard to be a “word” in any language); or
- heaven forbid, fails to get the password right one too many times and gets locked out for 10 minutes or has to play the "email to retrieve the password" game (which can be futile in an email password recovery) or make a new password because the one forgotten and re-entered was already used and that is considered a no-no.
Our team won’t have to remember names, make up words or type in any passwords. And, our operating environment will be infinitely more secure.
For starters, passwords are bit of a problem, actually a number of problems. Industry reports estimate the typical worker spends 44 hours per year logging into an average of four applications with a username and password. Then with 70% of help desk support calls being password-related, the average company is spending $300-500 per user annually exclusively in resolution of password issues. Even more troublesome than creating extra work and headaches for employees is the rapidly growing problem of that 8-32 character string of mumbo jumbo acting as the welcome wagon for cyber criminals to hack into and access our treasured information. Hence, killing passwords makes great business sense, as a passwordless environment provides a more efficient and secure work environment by reassigning human effort and eliminating a major cyber threat vector.
No pain, no gain
The migration, however, isn’t turnkey per se as there are undoubtedly a number of ups and downs in the trial-and-error-efforts to establish the passwordless era at Privoro. The great news is our transformation has begun with our utilization of Multi-Factor Authentication (MFA), which includes Two-factor Authentication (2FA). While 2FA creates an additional step (as does the password) before accessing a system – it significantly helps in the battle against cybercrime. 2FA is available on nearly every major system, including email systems, file directory systems and even social networks. In fact, if you are not already utilizing 2FA, join the #LayerUp pledge, and get 2FA going in your environment; it comes free with most services. This will add an additional step to your login process, usually by having to enter a code sent by a text or generated by an authentication app. The benefits, however, can be priceless as 2FA gives powerful protection against cybercrimes like identity theft and social media account hijacking. While 2FA sounds great and helps secure our information, it – along with additional factor authentications – undoubtedly adds steps and does nothing to eliminate the password.
Don’t judge the book by the cover
As today’s more common MFA implementations seem to extend the existence of passwords and clearly introduce more friction in accessing systems, they provide infrastructure and information essential to our passwordless destination. Emerging biometric factors, such as the cameras and fingerprint readers on newer smartphones, already enable users to forego the password by scanning a finger or snapping a selfie on a smartphone. Unfortunately, as uniquely identifiable and life simplifying as facial recognition or fingerprint scanning can make system access, these factors are vulnerable and subject to hackers with numerous compromises and breaches already well publicized. Combining multiple biometric factors, however, can greatly increase the assurance of a user to help mitigate the independent security risks of each factor. Additionally, we see challenges in a Bring Your Own Device (BYOD) to work environment like ours, where personal phones are not equipped with the necessary technology.
Actions speak louder than words
Or perhaps more accurately for this article: “Human actions or behaviors along with biometrics speak continuously and significantly stronger than passwords.” The ability of sensors in smartphones to track a user’s gait, how they hold the device or how they enter information are traits that may be accessed continuously for user authentication. Bringing these behavioral credentials along with biometric modalities like fingerprints, facial recognition or voice identification to a zero-trust environment with distributed authentication, single sign-on and privileged access management systems, essentially eliminates the need for our team members to key in passwords to access and use company resources. The idea of continual verification was announced in 2012 by the Defense Advanced Research Projects Agency (DARPA) and last Pearl Harbor Day (December 7, 2017) the United States’ Department of Information Security Agency (DISA) published this five-minute video demonstrating Continuous Multi-Factor Authentication (CMFA).
While the ability to capture and record biometric and behavioral data significantly expands the breadth of Personally Identifiable Information (PII) required for accessing resources and extends the responsibilities of handling PII to individual smartphones, the gains in workforce productivity and the reduction of user credential exposure are easily justified.
All good things come to an end
As our journey continues and we evaluate the emerging technologies to implement a CMFA or continual verification process for our business operations, our prognosis for passwords at Privoro projects they will be retired by the end of 2018. Our team members will be able to walk into the office and, with their mobile device in possession, dynamically connect to the network, sit at their workstation, open up their computer and commence working without any keystroke inputs or impediments – no password, no fingerprint, no token insertions. With this new system, our team will recover precious “login time” and our environment will be substantially safer as we raise the bar on what many experts consider to be the most vulnerable threat vector (our team members) and reinforce our mission in bringing the most secure products to market.
The moral of this article is "Kill the password before the password kills your business and/or you."
Learn more about Privoro’s mobile security products and our commitment to going passwordless today.