Thats the conventional wisdom, at least, but its a myth. Despite a flurry of new regulations, user names and passwords still rule the enterprise. Tokens and one-time-password generators are making inroads, but its slow, plodding progress.
We all know that user names and passwords offer horrible security. They enable phishing. They are easily guessed. They can be cracked by simple brute-force attacks. And they are essentially the gateway to larger security breaches, such as intellectual property theft, corporate espionage and identity theft.
So, why are they still so prevalent?
A few reasons. The first is cost. Multifactor authentication is expensive. The initial outlays for tokens, password generators, biometrics and even authentication servers are high, while ongoing support costs often outstrip the already high help-desk costs for retrieving and resetting passwords.
Second, user names and passwords are convenient. Yes, users forget them. Yes, people have far too many and get them confused. Yes, user names and passwords encourage poor security practices, like writing them down or keeping an easily hacked Word file titled passwords. Yet, they are simple and easy.
Finally, theyre portable. Its not a good security practice, but if you have a strong password that youll remember, you can use it across applications, with a number of service providers and on different channels. You shouldnt, but lets face it: most of us do.
And thats why authentication should be on top of the list of our security concerns, not at the bottom.
Not convinced? Here are five more reasons why 2009 should be the year your organization fixes authentication:
1.) User names and passwords are everywhere.
This is a classic good-news, bad-news scenario. The good news is that not all user-name, password logins are made equal. At online banking sites, for instance, the fact that most users login they way they always have obscures the fact that other authentication is happening behind the scenes. Devices themselves are authenticated and technologies like geolocation and transaction monitoring significantly raise the security bar.
Thats in banking. Elsewhere the picture is less rosy.
The adoption of multifactor authentication has been frustratingly slow, said Paul Barret, CEO of Passfaces Passfaces, a startup that provides multifactor authentication solutions based on humans innate ability to recognize faces. The only real adoption is in the financial sector. The fact is that 99% of authentication is still done with passwords alone.
Despite all the talk of tokens and biometrics, multifactor authentication is still rare. Even in the enterprise, where many believe that strong authentication is the norm, adoption has been slow, mostly due to cost and support issues.
We estimate that no more than 10% of the enterprise has adopted strong authentication, said Neil Hollister, CEO of CRYPTOCard CRYPTOCard, a provider of authentication solutions.
With the business sector slow to move, is it any surprise that as consumers almost all of our online transactions are accomplished via user names and passwords alone? Sure, most transactions are low risk, but even low-risk activities can open the door to identity theft.
2.) Phishing hasnt gone away.
This isnt a scientific sample, but I probably get a half dozen to a dozen phishing junk mails a day, minimum. Granted, my email address is published widely, so I get more spam in general than most, but there are still an alarming number of phishing attempts in my junk box each day.
A flurry of new emails is linked to the financial crisis. The social engineering trick this time around is to capitalize on the fear caused by the bad economy and failing banks. Are you worried about your accounts? Click here to verify your account details and ensure that your funds are safe.
People dont think clearly during a panic situation, and many have clicked through and entered their account details.
Phishing may have fallen off the radar, but its still there, Barret said, Its like spam; even if you get only one response in a million, your efforts pay off.
According to Ciscos 2008 Annual Security Report , attackers are moving away from shotgun-style phishing to targeted fishing, also called spear phishing.
For instance, instead of sending phishing emails that mimic large banks, attackers use smaller regional banks and include local details, like naming the bank manager, to make them seem authentic. Or they send out emails appearing to be from alumni associations requesting updated information, from the IRS saying youre about to be audited, or from the Better Business Bureau asking business owners to respond to a complaint.
A high-profile spear fishing campaign was the CEO subpoena attack of earlier this year. Phishers sent emails to senior executives at a number of U.S. companies telling them that theyd been subpoenaed for a federal court case. Victims were directed to a website that looked like the California federal court page, where they were told they needed to download a plug-in to view the subpoena. The plug-in, of course, was actually malware.
According to VeriSign, about 2,000 executives fell for the scam.