As a user, the term ‘password’ is likely to conjure all sorts of negative thoughts, including memories of ‘forgotten password’ links, activation emails, and closed accounts. From an enterprise perspective, the word might summon scenarios of hacked employee accounts and stolen critical business data.
It’s not much more positive from the perspective of the IT department – passwords can be a huge IT headache due to high help desk volume and the exposure if an organisation is attacked after details are phished and stolen. Yet, alternative security options do exist, and the launch of Windows 8 Surface Pro tablets has highlighted the opportunity to augment existing management infrastructure to deliver more secure mobility – without passwords.
On the one hand, passwords are a means to an end, and there is no denying that they’re a useful, simple concept. In fact, they have been employed as a security method by computers since approximately 1961. The process is easy: you key in digits of your choice to gain access to whatever you have secured, it ‘unlocks’, and that’s that. Or at least it should be – the password as a single authentication mechanism has been under fire in recent years. Why?
Some of the familiar negative associations with passwords mentioned above explain part of it. Users have more passwords than they can memorise – as a result, many resort to choosing only one password for all accounts, or choosing easily guessable words. From the stance of the IT department, the pressing issue is that these passwords are vulnerable to key stroke logging or socially engineered attacks, as well as exploitation of the user’s propensity to use information that can be guessed easily (whether a pet’s name, date of birth or graduation date from Facebook).
This January, Deloitte released a report predicting that more than 90% of user-generated passwords will be vulnerable to hacking . An analysis of large password databases – cracked into by hackers and released publicly – by DataGenetics has shown that among 30.3 million passwords, an overwhelming 3.4 million were only four digits long. ‘1234’ took up 11% of them. When one security consultant researched the 10,000 most common passwords, the number one password was ‘password’.
From an enterprise perspective, the potential for hackers to crack passwords could be extremely damaging. This month’s hacking of Evernote – the note-taking app for mobile devices and computers – meant that all user passwords had to be reset. The potential to lose employee data or business and corporate data is a huge risk that businesses should not be willing to take.
It’s time to consider a different security mechanism which is as simple as passwords but more secure. If the advantages of not using passwords include a lower risk of socially engineered attacks, and lower help desk volumes, what can be done?
One solution is focusing on a device-centric model, which takes the onus off of the user and user-created passwords. The best and most timely example of this authentication method is the recent launch of Surface Pro and Windows 8 tablets, and their security capabilities. Most Windows 8 devices contain a Trusted Computing Group infrastructure, including a Trusted Platform Module (TPM). TPMs are already embedded in over 600 million devices worldwide, with that number continuing to increase.
All a user has to do is enter a PIN, or even swipe a fingerprint sensor, and the tablet, with its TPM, can log the user into all business services, including Wi-Fi, VPN and internal web networks. This means not having to remember, or forget, a password – and it’s the same one for all business services, with no need to remember separate passwords. Moreover, the data-at-rest can be protected through encryption using self-encrypting drives (SEDs) or external SEDs that are compliant with the Trusted Computing Group’s Opal standard. There is no need for Mobile Device Management, as the tablets are managed by familiar tools that work with the Microsoft infrastructure. It helps IT departments to gain more control over the BYOD trend sweeping enterprises. In a nutshell, the tablet, not the user, logs onto the network – negating the need for passwords.
Hardware-based security is key to strengthened defences, and should herald the decline of passwords. This security concept is in our Bluetooth headsets and TV cable boxes. With the latter, the device enables you to access your channels. For instance, on a mobile phone, you log in with a PIN number, allowing the device to connect you to the network. The device becomes the foundation which grants the user direct control over their data. Users control who can access the information, over the networks and devices of their choice. From an enterprise perspective, it means augmenting the existing management infrastructure they already own for security purposes.
Passwords have been the go-to security mechanism for decades, but with rapid advances in technology and attendant cyber security threats, it’s time to consider stronger authentication methods. Let’s begin by adding similarly simple but more secure mechanisms – and this should start with using in-built device security.