Earlier this week, I wrote about a panel discussion at the RSA Conference in San Francisco on security. In upcoming days, I will have a lot more to share about my experiences at the conference, but today, I want to go a little deeper into that panel discussion.
To refresh your memory, the panel, which included Nok Nok’s CEO Philip Dunkelberger; Jon Oltsik, a security analyst at Enterprise Strategy Group; Rhonda MacLean, a former CISO with a number of companies including Bank of America and Boeing; and Giles Watkins, a partner in the cybersecurity practice at KPMG, discussed why businesses struggle to improve their response to security.
The panel and the audience also spent a good deal of time discussing the password dilemma.
By now, most people know that passwords alone aren’t the greatest solution for protecting data. I could go on about the problems, but I’m sure you are familiar with most of them already: Users don’t make passwords strong enough, users reuse them across different applications, passwords are rarely changed, companies don’t do a good job of encrypting or protecting them, and so on and so forth. We know that there are theoretically better options out there, like biometrics or multi-factor authentication, and more companies are allowing users to opt in to better authentication models on their applications. The problem is that we, both users and companies, keep defaulting to the same old username/password option.
Why?
Because it is what we know, and what we are comfortable with. In some ways, we are convinced that passwords still offer the best protection. But perhaps most of all, it is because usernames and passwords – even when you have to remember 50 different ones – are less cumbersome than other authentication options.
Passwords were a topic at a number of other sessions I attended and in some one-on-one conversations, so obviously it is a topic on a lot of people’s minds. The origin of passwords was discussed a couple of times: Was it a means to protect data? Not originally; instead, it was a way to track a user working on a particular project or with certain data. The security authentication purpose came much later. When companies and websites began to require passwords, the purpose was still authentication as much as anything – the security lay in proving that you are who you say you are.
And there are still a lot of positives about passwords, as Morey Haber, vice president of technology with BeyondTrust, told me during a conversation over breakfast. We were talking about the security changes and improvements (and some concerns) in the upcoming release of Windows 10. While we don’t know for sure which security elements will be baked into the OS, expect to see something beyond the simple username and password combo offered. On one hand, that’s great. On the other hand, Haber said, it raises some concerns. Two-factor authentication that uses a text message or phone call, in addition to a password, assumes that every user has a cell phone (this will probably be an opt-in option, however). And biometrics can be manipulated. The problem there, Haber said, is that when biometrics like facial recognition are messed with, you can’t go in and fix or change anything to create new security like you can with a password.
As the panel pointed out, expect passwords to stick around for a while. Customers expect them and know how to use them. Businesses are comfortable with them and can easily create options that don’t require much extra work for the user (e.g., my bank uses a special picture and phrase that I created that comes up when I type in my information. If I don’t see that, there’s a problem. But I also don’t have to do anything extra; it’s a seamless part of the login process).
At this point, I don’t see IT totally eliminating passwords from our security options. As mentioned by the panel, there are three billion people in the world who have never heard of usernames and passwords – and let’s keep it that way!
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba.