Solving the password problem

Daltrey

By Blair Crawford, CEO and co-founder, Daltrey
Friday, 07 October, 2022


Attend any security conference and you’ll hear the latest piece of bumper-sticker wisdom: identity is the new perimeter. Faced with the sprawl of systems across service providers and cloud platforms, and hybrid and remote workforces that spend a decreasing amount of time in a physical office, organisations have scrambled to bolster their identity and access management strategies.

But, when we scratch the surface, what we see is a stop-gap approach that misses the target when it comes to solving today’s identity challenges.

The password problem

Passwords have been a part of security strategy for decades. Over time, to make life harder for threat actors, we’ve made password management more complicated with rules such as the mandatory use of different types of characters, expiration dates that force users to change passwords regularly and, more recently, the use of multi-factor authentication.

As well as making life more complex for users and system administrators, this approach to hardening passwords has largely neglected the core issue: are we issuing credentials that can only be used by a specific, known person?

When we issue a credential, it is assumed that the person receiving the credential and the person using it are the same, and that we know who that person is. But recent examples of employees outsourcing all or part of their work to cheaper labour overseas highlight that such credentials are relatively easy to share. Despite the improvements to security, hardened credentials are still susceptible to unauthorised sharing. They are the metaphoric sticky note under a keyboard for sharing logins.

Tying identity to authentication

The problem with passwords is that we rarely bind them to identity. Once a username and password combination is issued, we don’t actually know who is really using it. We trust that people don’t share their credentials, but we aren’t really sure.

Organisations need a way to ensure that the party using the credential is who the organisation believes them to be. There are security tools that use algorithms to detect anomalous system access by looking at criteria such as login times, locations and other behaviour, but these are reactive. To take a proactive approach that blocks people from sharing logins, whether inadvertently as the result of password theft or intentionally, we need to bind their identity tightly to the login credential.

Solving the password problem

Thus far, the two principal tools used for stopping and detecting the unauthorised use of credentials have been strengthening passwords with increased complexity and the use of multi-factor authentication, and using machine learning to detect when a credential has been used in an unexpected way.

An alternate approach is to use something that is completely unique to a user that cannot be shared. This is why a consent-based strategy using biometrics can solve many of the challenges posed by today’s password-based systems.

Before a team member is issued their login credentials, we need to ensure that their identity has been properly validated. In essence, this is like the 100-point check done by banks that ensures the person they are doing business with is who they say they are.

Once their identity is verified, the next step is to capture, with their consent, biometric data such as a fingerprint, iris scan or facial recognition. This information is then tied to the verified identity. And because it is extremely difficult to thwart a standards-based biometric system, the risk of credential sharing is greatly minimised. In addition, such a system is far easier to use and maintain.

Our dependence on passwords has made them a lightning rod for hackers. With the majority of cyber attacks initiated through stolen credentials, being able to strongly tie identity to user access minimises risk while simplifying the user experience and reducing administrative overhead for application and system owners.
