That’s the conventional wisdom, at least, but it’s a myth. Despite a flurry of new regulations, user names and passwords still rule the enterprise. Tokens and one-time-password generators are making inroads, but it’s slow, plodding progress.
We all know that user names and passwords offer horrible security. They enable phishing. They are easily guessed. They can be cracked by simple brute-force attacks. And they are essentially the gateway to larger security breaches, such as intellectual property theft, corporate espionage and identity theft.
So, why are they still so prevalent?
A few reasons. The first is cost. Multifactor authentication is expensive. The initial outlays for tokens, password generators, biometrics and even authentication servers are high, while ongoing support costs often outstrip the already high help-desk costs for retrieving and resetting passwords.
Second, user names and passwords are convenient. Yes, users forget them. Yes, people have far too many and get them confused. Yes, user names and passwords encourage poor security practices, like writing them down or keeping an easily hacked Word file titled “passwords.” Yet, they are simple and easy.
Finally, they’re portable. It’s not a good security practice, but if you have a strong password that you’ll remember, you can use it across applications, with a number of service providers and on different channels. You shouldn’t, but let’s face it: most of us do.
And that’s why authentication should be on top of the list of our security concerns, not at the bottom.
Not convinced? Here are five more reasons why 2009 should be the year your organization fixes authentication:
1.) User names and passwords are everywhere.
This is a classic good-news, bad-news scenario. The good news is that not all user-name, password logins are made equal. At online banking sites, for instance, the fact that most users login they way they always have obscures the fact that other authentication is happening behind the scenes. Devices themselves are authenticated and technologies like geolocation and transaction monitoring significantly raise the security bar.
That’s in banking. Elsewhere the picture is less rosy.
“The adoption of multifactor authentication has been frustratingly slow,” said Paul Barret, CEO of Passfaces Passfaces, a startup that provides multifactor authentication solutions based on humans’ innate ability to recognize faces. “The only real adoption is in the financial sector. The fact is that 99% of authentication is still done with passwords alone.”
Despite all the talk of tokens and biometrics, multifactor authentication is still rare. Even in the enterprise, where many believe that strong authentication is the norm, adoption has been slow, mostly due to cost and support issues.
“We estimate that no more than 10% of the enterprise has adopted strong authentication,” said Neil Hollister, CEO of CRYPTOCard CRYPTOCard, a provider of authentication solutions.
With the business sector slow to move, is it any surprise that as consumers almost all of our online transactions are accomplished via user names and passwords alone? Sure, most transactions are low risk, but even low-risk activities can open the door to identity theft.
2.) Phishing hasn’t gone away.
This isn’t a scientific sample, but I probably get a half dozen to a dozen phishing junk mails a day, minimum. Granted, my email address is published widely, so I get more spam in general than most, but there are still an alarming number of phishing attempts in my junk box each day.
A flurry of new emails is linked to the financial crisis. The social engineering trick this time around is to capitalize on the fear caused by the bad economy and failing banks. “Are you worried about your accounts? Click here to verify your account details and ensure that your funds are safe.”
People don’t think clearly during a panic situation, and many have clicked through and entered their account details.
“Phishing may have fallen off the radar, but it’s still there,” Barret said, “It’s like spam; even if you get only one response in a million, your efforts pay off.”
According to Cisco’s 2008 Annual Security Report , attackers are moving away from shotgun-style phishing to targeted fishing, also called spear phishing.
For instance, instead of sending phishing emails that mimic large banks, attackers use smaller regional banks and include local details, like naming the bank manager, to make them seem authentic. Or they send out emails appearing to be from alumni associations requesting updated information, from the IRS saying you’re about to be audited, or from the Better Business Bureau asking business owners to respond to a complaint.
A high-profile spear fishing campaign was the CEO subpoena attack of earlier this year. Phishers sent emails to senior executives at a number of U.S. companies telling them that they’d been subpoenaed for a federal court case. Victims were directed to a website that looked like the California federal court page, where they were told they needed to download a plug-in to view the subpoena. The plug-in, of course, was actually malware.
According to VeriSign, about 2,000 executives fell for the scam.
3.) The adoption of multifactor authentication is slow and disorganized.
While multifactor authentication wouldn’t have completely protected the executives who fell for the subpoena attack, it would have limited the scammers’ access to sensitive systems and applications.
The problem is that the deployment of multifactor authentication, even in the financial sector, is completely disorganized. Most online banking security considers details of your computer as an additional authentication factor, tracking things like your IP address and browser and software settings. If those aren’t recognized, you’ll face challenge questions. An attacker could spend five minutes on a Facebook page, however, and figure out answers to most of these questions.
Will they go to this trouble? Probably not, but only because they don’t yet have to.
Within the broader enterprise market, adoption is painfully slow, and it’s mostly token-based. End users balk at tokens, though, because they’re easily lost or forgotten. There are a few promising trends, however. Tokens are moving from hardware to software, and the idea is spreading that they should be embedded in things people carry already.
Expect to see SMS tokens sent to mobile phones, and your future ATM cards should have built-in one-time password generators.
4.) Attackers are targeting the SMB market.
Tough economic times usually spur the rise of small businesses. Smart people get laid off, they don’t like having their destiny in someone else’s hands, and they start working for themselves.
That’s all well and good except from a security standpoint. Phishing attempts have been increasingly targeting smaller businesses, and if multifactor authentication is too expensive and hard to administer for many large organizations, it’s a complete non-starter for small- and mid-sized businesses.
“Mid-sized businesses don’t have 24-hour help desks,” Hollister said. “Often, they don’t even have 9-5 support. Yet, they’re doing more and more business online and they’re often conducting business with people or organizations overseas.”
They need better authentication, but the typical business-class solution, tokens, is too expensive and requires too much administration for the SMB market.
“You must remove the hardware barrier in order for SMBs to buy into strong authentication,” Hollister said. Managed strong authentication services are one answer, as are soft tokens and alternative solutions like cognitive-authentication, which relies on memories or, in the case of Passfaces, your ability to remember and recognize faces. These solutions don’t require big capital expenditures for hardware and they drastically reduce help desk calls.
5.) Trends like cloud computing will put more information at risk.
Cloud computing promises to be one of the battlefields where technology titans like Microsoft and Google will compete. It also promises to be a gigantic security risk.
“The biggest problem with cloud computing is identity management,” Hollister said. “Once an attacker has used false credentials to get into a network, that person is then considered a trusted user. Any hacker worth his salt can then get through the rest of the network’s defenses in several minutes. In cloud computing, the weakest link is the identity of the dumbest user.”
Every security pro knows that users are the weakest link in any security chain, but with more and more information moving offsite and to the Internet, those weak-link users pose a much bigger risk.
Meanwhile, many applications will become services – as many already have – and that shift triggers another set of security concerns. “Any online service must worry about account sharing,” said Matthew Shanahan, Senior VP of Marketing and Strategy for AdmitOne Security AdmitOne Security, a provider of risk-based authentication systems. “Look around the web, The Wall Street Journal, analyst firms, even games like World of Warcraft, all of them are losing money because of account sharing. The business information subscription market alone generates about $111 billion in revenue each year. Fraud through account sharing reduces those revenues by 10-20%.”
Why is it so easy to share account data? Because most services rely on bare-bones authentication. Stronger authentication – be it a token, a one-time password generator, a biometric factor or even challenge questions – would lessen that problem.
And wouldn’t that 10-20% in lost revenues be better spent on better security than just writing it off to fraud? That’s a question every industry should ask itself, and up until now it’s only the financial sector (with the government following slowly) that has answered yes, and that yes only came reluctantly and with the prompting of regulations.
“I don’t remember where I heard this, but it’s telling,” Hollister said. “IT fraud is more lucrative than smuggling, and there’s no death penalty. That should tell you all you need to know about whether or not IT fraud will get worse in the future.”