This last week, I moderated a panel for Intel’s Business Launch of its new Skylake processor. One of the big components of this launch is dual-factor authentication, using a secure hardware-based method to ensure the user’s identity isn’t compromised and can be assured. On the panel we had Eli Lilly, Cerner, Verizon and Booz Allen, who blessed this approach; Verizon’s security study indicated that just by better assuring the user’s identity, up to 50 percent of a firm’s existing security exposure could be mitigated. But, in the post-announcement discussion, there was real concern that most of the firms buying this technology might not implement it.
Let’s revisit passwords in the context of the Skylake for Business launch.
Passwords Aren’t Secure
The conclusion of a massive study that IBM did in the 1980s, yes, the 1980s, was that passwords aren’t secure. This was long before the Internet was created, before we had malware that could spread electronically (it moved slowly, via something we called “sneaker net”), and when most information was still on paper.
However, even back then, it was incredibly easy to guess passwords, or to get people to give them to you, and thus gain access to what were then mostly mainframe computers. In IBM, we determined that it didn’t matter how much security we wrapped a system with; if someone could be tricked into giving up their password, an unauthorized person could gain access.
The employee was the weakest link, and we found that even if you trained employees, you could still, if you looked hard enough, find one who could be tricked into giving up their password.
The U.S. military, according to one of the folks on my panel, has become so frustrated with people getting compromised that it has made the penalty for some employee mistakes the same as for firing a gun in an unauthorized fashion. It is a court-martial offense. Even then, it has only cut the exposure by 50 percent. Let’s be clear: If you are compromised as a result of opening a bad email or giving up your password, you not only lose your job, but you could end up in jail, your entire up-line gets in trouble, and you become instantly infamous. It is pretty much a life-ending mistake, and still it only cut the exposure by half.
This showcases how bad a practice single-factor authentication is, particularly if that single factor is a password and ID.
Skylake for Business
What the Skylake for Business solution does is create a biometric lock tied to a hardware component, which assures that the employee is the employee and that they can’t hand over one of the factors even if they want to, because it is locked in hardware. Even if they give their PIN to someone else, that person can’t use it unless the employee is also present at the same PC. The PC becomes part of the authentication process, and because the credential is locked in hardware and the PIN is input on the screen in a fashion that blocks screen scrapers, key loggers and screen scrapers aren’t effective.
Someone could still observe the input of the PIN, but they would have to be present or have a camera focused on the user’s screen, and even with the PIN, they can’t get in unless they can also bypass the biometric lock. You could potentially go further and make the PC itself or the employee’s smartphone be a third factor, reducing the possibility of compromise to insignificant levels, particularly at scale.
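To make the mechanism described above concrete, here is an added model (not Intel’s or Microsoft’s code) of a device-bound credential gated by a PIN and a biometric check. It assumes a simulated hardware element holding a secret that never leaves it, a server that verifies a fresh challenge-response rather than the PIN, and a constructed byte string standing in for a fingerprint template; a shared HMAC key is a stand-in for the public key a real device would export at enrollment.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional


class DeviceAuthenticator:
    """Simulated hardware element: the key and both factor checks stay inside it."""
    def __init__(self, pin: str, template: bytes) -> None:
        self.key = os.urandom(32)  # device-bound secret; only read once, at enrollment
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._template = template  # constructed stand-in for a biometric template
    def respond(self, challenge: bytes, pin: str, fingerprint: bytes) -> Optional[bytes]:
        """Answer the challenge only if PIN and biometric both verify locally."""
        pin_ok = hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash)
        bio_ok = hmac.compare_digest(fingerprint, self._template)
        if not (pin_ok and bio_ok):
            return None  # a leaked PIN alone never unlocks the key
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


class AuthServer:
    """Checks proof of possession of the enrolled device; it never sees the PIN."""
    def __init__(self) -> None:
        self._enrolled: Dict[str, bytes] = {}
    def enroll(self, user: str, device: DeviceAuthenticator) -> None:
        # Simplification: a shared HMAC key stands in for a public key the device would export.
        self._enrolled[user] = device.key
    def login(self, user: str, responder: Callable[[bytes], Optional[bytes]]) -> bool:
        challenge = os.urandom(32)  # fresh nonce per attempt, so a captured response is useless later
        response = responder(challenge)
        if response is None or user not in self._enrolled:
            return False
        expected = hmac.new(self._enrolled[user], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_scenarios() -> Dict[str, bool]:
    # Login outcome per scenario; only the enrolled PC with PIN and biometric should pass.
    template = b"constructed-fingerprint-template"
    pc, other_pc = DeviceAuthenticator("4821", template), DeviceAuthenticator("4821", template)
    server = AuthServer()
    server.enroll("alice", pc)  # other_pc is the attacker's own machine, never enrolled
    return {
        "enrolled pc + pin + biometric": server.login("alice", lambda c: pc.respond(c, "4821", template)),
        "leaked pin on attacker pc": server.login("alice", lambda c: other_pc.respond(c, "4821", template)),
        "enrolled pc, wrong pin": server.login("alice", lambda c: pc.respond(c, "0000", template)),
        "enrolled pc, no biometric": server.login("alice", lambda c: pc.respond(c, "4821", b"")),
    }
```

Only the first scenario succeeds: a PIN that leaks without the enrolled PC, or a PC without the PIN or the biometric, gets nothing from the server.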
According to the folks on my panel, if you simply put in place a user login that was robust, like the one Intel was showcasing, you could reduce the entire organization’s security exposure by 50 percent.
Wrapping Up: Implementation of the Solution
So we have known for decades that passwords aren’t secure. We now have a standard technology supported by both Intel and Microsoft that could reduce the entire organization’s exposure by around 50 percent, and yet, much as with the draconian measures the military put in place to prevent penetration, people may not implement the solution even though they will certainly buy the hardware. At least that was the concern raised at the Intel event, with the belief, based on past experience, that this would only change after a Target- or Sony-like breach, where top executives lost their jobs.
I just don’t get this. Why does a CEO have to get fired before a technology that the firm is buying anyway is implemented properly? Trust me when I say that getting a CEO fired as a result of not implementing a security technology that you have already purchased is not a good personal plan for advancement if you are in IT. But then neither is being court-martialed. Yet…
So, a piece of advice. If you are deploying Skylake for Business, turn on and require the included authentication technology. Don’t be the cause of your CEO’s fall. This should be obvious. I find it incredibly sad that apparently it isn’t.
Rob Enderle is President and Principal Analyst of the Enderle Group, a forward-looking emerging technology advisory firm. With over 30 years’ experience in emerging technologies, he has provided regional and global companies with guidance in how to better target customer needs; create new business opportunities; anticipate technology changes; select vendors and products; and present their products in the best possible light. Rob covers the technology industry broadly. Before founding the Enderle Group, Rob was the Senior Research Fellow for Forrester Research and the Giga Information Group, and held senior positions at IBM and ROLM. Follow Rob on Twitter @enderle, on Facebook and on Google+.