Passwords have been a method of authentication well before the invention of modern-day technology and cybersecurity; “watchwords” were once used by ancient societies to grant entry to exclusive spaces and prevent outsiders from gaining entry. Today we use passwords to protect sensitive information, verify our identities, and restrict access to our accounts – there’s just one problem – passwords alone simply do not do enough to prevent unauthorized access.
While passwords are not going away entirely anytime soon, to truly protect sensitive data, consumers, SMBs, and large enterprises will need to augment their use of passwords by implementing Multi-Factor Authentication (MFA) methods in their data loss prevention plans. With MFA, unauthorized access is prevented by requiring multiple forms of verification in conjunction with one another.
Identity As A Service And The Problem with Passwords
In theory, a password is a unique string of characters known only to the intended user. Unfortunately, truly unique passwords can be difficult to remember, and according to the LastPass Psychology of Passwords Report, a shocking 59% of surveyed users reuse the same password, leaving all of their accounts and sensitive data vulnerable should that password be leaked through a data breach. Upon launch of the much anticipated Disney+ streaming service, thousands of accounts were thought to have been compromised in a data breach. Upon further investigation of the incident, Disney found no evidence of an internal breach. It has been speculated that these accounts were compromised because users had reused usernames and passwords that were stolen in earlier breaches.
For anyone who has a history of reusing login credentials, the donation-driven service Have I Been Pwned can alert you when services that have accounts associated with your email address have been breached.
Another vulnerability of passwords is that they must be stored in a database. While a wide array of encryption and hashing technologies exist to obfuscate and protect stored passwords, a compromised database will often eventually have its usernames and passwords decoded and leaked, leaving accounts on other services that use the same passwords open to access by unauthorized users.
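The point above, that a leaked password table is only as safe as the way the passwords were stored, is easiest to see side by side. The following is an added example (not code from the article or from any vendor named in it) that contrasts an unsalted fast hash, where two users with the same password produce the same digest and precomputed tables apply, with a salted, deliberately slow PBKDF2-HMAC-SHA256 hash checked in constant time. The storage format string, the iteration count and the sample user table are this example's own assumptions.

```python
import hashlib
import hmac
import os

# Assumed parameters for the slow, salted hash (example values, not from the article).
ITERATIONS = 600_000
SALT_BYTES = 16


def weak_hash(password: str) -> str:
    """Unsalted, fast hash: the 'before' form. Identical passwords give identical
    digests, so a leaked table can be matched against precomputed tables and
    brute-forced at hardware speed."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, slow hash. The stored string carries everything verify needs:
    algorithm, iteration count, salt and digest (format is this example's own)."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time
    so timing does not leak how many leading bytes matched."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: never accept
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def linkable_accounts(table: dict) -> int:
    """How many accounts share a digest with another account. A leaked weak
    table lets an attacker crack one entry and reuse it across all of them."""
    counts = {}
    for digest in table.values():
        counts[digest] = counts.get(digest, 0) + 1
    return sum(n for n in counts.values() if n > 1)


if __name__ == "__main__":
    # Constructed sample users; two of them reuse the same password.
    users = {"alice": "correct horse", "bob": "hunter2", "carol": "hunter2"}

    weak_table = {u: weak_hash(p) for u, p in users.items()}
    strong_table = {u: hash_password(p) for u, p in users.items()}

    print("weak table, accounts linkable by equal digest:", linkable_accounts(weak_table))
    print("salted table, accounts linkable by equal digest:", linkable_accounts(strong_table))
    print("bob logs in with right password:", verify_password("hunter2", strong_table["bob"]))
    print("bob logs in with wrong password:", verify_password("hunter3", strong_table["bob"]))
```

The salted table is the one to keep in a real database; the iteration count is tunable and should be raised over time as hardware gets faster, which the self-describing record format makes possible without rehashing every user at once.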
Identity as a Service (IDaaS)
Identity as a service (IDaaS) providers such as OneLogin and Centrify help secure and manage online identities for organizations through identity and access management (IAM) features including single sign-on (SSO) technologies that allow their clients to manage a large number of users and their permissions. IDaaS providers will also typically offer features for auditing user credential use behaviors.
User-generated passwords are often easy to guess, reused, or left in an unsecured central location such as a notebook, spreadsheet, or word document. Password managers such as 1Password, LastPass, and KeePass aim to address these vulnerabilities by generating secure and unique passwords for each login and storing them behind a single master password or other authentication methods such as biometrics.
Password managers give users the security of unique passwords while only requiring them to remember a single “master password”, allowing them the convenience of having a single password without the related vulnerabilities.
In the context of authentication and security, “biometrics” refers to using our unique biological features - fingerprints, faces, and voices - to verify our identities. Biometrics are already in common use as an authenticator in consumer technology - Apple’s Face ID and built-in fingerprint scanners on cell phones such as the LG G6 being prime examples.
Biometrics are more difficult to manipulate than standard text-based passwords, but even they are not entirely unbreakable. Though unlikely, if a user’s biometric identity is stolen, the implications are as severe as if their identity had been stolen. A leaked password can be reset to a new password - a user’s fingerprints are not so easily changed.
Another drawback to biometrics is that implementing them is not always readily feasible: they require specialized hardware or software, making them much less ubiquitous than text-based passwords, which can be used with readily available keyboard hardware and software.
When available, biometrics can be used in conjunction with other technologies such as password managers. Providers of password management software such as LastPass and 1Password allow users with biometric-enabled smartphones to use their registered fingerprints in place of their master passwords.
Hardware tokens - also known as security tokens - are physical devices such as key fobs, smart cards, and USB drives with unique authentication software intended to work in conjunction with other security measures to restrict access to unauthorized users.
To prevent security breaches when hardware tokens are lost, stolen, or inappropriately borrowed, they are typically used as part of a multi-factor authentication strategy alongside unique Personal Identification Numbers (PINs), passwords, or other authenticators.
Knowledge-Based Authentication (KBA)
Knowledge-based authentication is used in multi-factor authentication processes as an added security measure. KBA often takes the form of “secret questions”, with answers that are unique to the user.
The key flaw of KBA is that the answers to common pre-determined (static) secret questions such as “how many pets do you have” and “what is the name of your oldest niece” can often be inadvertently revealed on social media or in casual conversation. This can be mitigated by using dynamic KBA, whereby questions are generated from a larger master list of available data and the user is given limited time to answer, reducing the opportunity for unauthorized users to simply research the answers.
One-Time Passwords (OTP)
One-time passwords (OTP) come in a variety of forms and are often used as part of a two-factor (2FA) or multi-factor (MFA) authentication strategy. Typically, a user logs in with their normal password and is then prompted to provide a secondary OTP generated through methods such as randomized codes delivered via SMS message or a 2FA code generator app such as Authy or Microsoft Authenticator.
Identity As A Service: What Should I Do Next?
Now that you have an overview of potential options for authentication security, you will need to decide which options are the right fit for you or your organization. Consumers and organizations alike should absolutely leverage the added security of Multi-Factor Authentication (MFA) measures to address the vulnerabilities of using passwords alone. Larger organizations working with sensitive data will benefit greatly from the features of an Identity as a Service (IDaaS) provider to outsource the technology and processes required to adequately manage large-scale user permissions, and consumers working to improve their password hygiene can get started by signing up for alerts from Have I Been Pwned and using a password manager to generate unique and secure passwords for each of their services.