You can’t throw a digital rock in the IT security blog space without hitting an article concerning the risks and consequences related to password compromise. This attention is well-placed given the numerous high profile cases of data theft and reputational losses that can be traced back to either weak or stolen passwords.
The recognition of the inherent risk in any single-factor authentication method is not new. In 2001, the US Federal Financial Institutions Examination Council (FFIEC) issued guidance on authentication in the electronic banking environment, identified the risks and controls, and concluded that “single factor authentication alone may not be commercially reasonable or adequate for high risk applications and transactions.” This reality has generated a wider call to move authentication security beyond its reliance on passwords and their ever-increasing complexity and rotation requirements.
When a password is employed as a single factor to verify identity and grant access to critical enterprise resources, the overwhelming conclusion is that it is simply not good enough. The FFIEC went further to advocate the use of multi-factor authentication (MFA), where two or more of the three basic factors are used in combination:
• Something the user knows (e.g., password, PIN)
• Something the user possesses (e.g., ATM card, smart card)
• Something the user is (e.g., biometric characteristic, such as a fingerprint or retinal pattern).
So it begs the question: if the risks, consequences, and potential solutions have been known for 15+ years, why has there not been wider adoption and usage of MFA? Well, the answer lies in the fact that the implementation of additional authentication control methods in the IT Security environment must take into account many considerations, not the least of which is user experience, cost, and convenience. Early MFA solutions that incorporated smart cards, biometric scanners, and hardware tokens, in addition to knowledge authentication, made significant strides in elevating the security of user authentication. However, the relative complexity and inconvenience of these MFA solutions hampered widespread adoption in the enterprise marketplace.
This experience, together with the relatively high lifecycle management costs of the solutions, limited the scope of usage to environments requiring higher-end authentication security. So what has changed in the intervening period through to today’s reality of enterprise environments and authentication challenges? Two things: the first is the acceptance of the high risk inherent in single-factor authentication and the corresponding potential for significant data and reputational losses. The second is the ubiquity of the mobile smart device. Each of us now carries a mobile device with tremendous capability to behave as a security token. Not only does it have exceptional computing capacity, but perhaps even more importantly, we as users are now completely comfortable employing these devices for a myriad of common daily routines. It is only natural that we now look to use them as part of an enterprise MFA strategy.
These advances in mobile products and standards mean that the new reality of enterprise user authentication strikes a better balance between security and convenience. End users have more flexible authentication choices, and the enterprise can now leverage the significant capabilities of mobile authentication across all three factors. Coming full circle, then, it is unlikely that the password will completely go away. However, it is equally unlikely that it will continue to exist in the familiar form we know today.
What we can expect to see is the password playing a role as a one-time-use or rotating knowledge-based authentication component of the mobile MFA model. When employed wisely in an MFA structure, the password can still prove to be a valuable authentication factor. For more information on how MFA with Mobile Reset can change your business, request a demo.