Authentication is the front door of security for an enterprise. If a thief can break the lock or you leave the door ajar or the guard on duty is asleep, you’ve got problems. Authentication, authorization, and access control have long been understood as the foundation for building any good security architecture, and while they always work together and should be implemented as such in enterprise environments, a strong front door is your first deterrent against infiltration to prevent the exfiltration of your company secrets.
Passwords used to be the standard approach for locking and unlocking your corporate front door, but passwords have problems that are not easily circumvented. Password managers can help in this regard, but even these can have their own kinds of problems. Biometric authentication is another approach that is rapidly gaining popularity as an alternative to passwords. But simply replacing passwords with biometric technologies may create other kinds of problems. Hence multifactor authentication (MFA) is now on everyone’s lips and mind as the magic bullet for keeping your front door secure.
But is it? Where is all this headed? How will enterprises of the future ensure the security and integrity of the front doors for their applications, services, and databases? And since the future is always here today, at least in incipient form, new emerging security technologies are needed now to ensure doors stay locked and bad guys are kept out. Kevin Freiburger is director of identity solutions at Valid, a global technology provider of identity solutions for business, government, and consumers. I recently sat down with Kevin and asked him for his take on this topic so I could share his very level-headed insights and recommendations with our readers. I’ve reproduced portions of my conversation with him below, edited in interview form to make it easier to digest.
MITCH: Multifactor authentication seems to be all the rage these days for enterprises wanting to secure their resources. Why is that, and what’s wrong with simply using passwords to protect stuff?
KEVIN: Passwords have inherent problems. Typically, users choose passwords that are short to type and easy to remember. These short and easy passwords invite brute force attacks by cybercriminals. Users will also often write passwords on paper or other materials instead of committing it to memory. Just the other day, for example, I walked through a doctor’s office and saw a sticky note attached to a monitor with a password written on it. That’s inviting someone to sit at that PC and impersonate you!
MITCH: But don’t password managers — either software you install or a cloud service you use — solve the “sticky notes on your monitor” problem associated with having users rely on passwords? Are there any limitations or cons associated with using password managers?
KEVIN: Yes, password managers can definitely mitigate that problem. There are a few considerations, though:
- Not all enterprise IT departments have approved those solutions.
- Even with a password manager, that is still only one factor. It’s better when paired with multifactor.
- The password manager itself creates another attack vector. Some of these vendors have announced breaches previously.
- The password manager still utilizes a master “key”/password. Users may also sticky note the master password. You can follow that rabbit hole a long way down!
I’m not anti-password manager. I actually use one in my personal life and we have an enterprise solution as well. However, it doesn’t solve all the password challenges in existence.
MITCH: Some providers in the enterprise security space have been offering customers so-called “passwordless authentication” solutions. Can you describe some of the ways such solutions are implemented?
KEVIN: The traditional view of identity authentication contemplates three factors:
- Something you know — like passwords.
- Something you are — like biometrics (facial recognition, fingerprint matching).
- Something you have — like a hardware token or authentication device.
Enterprises are expanding beyond passwords, which are the “something you know” factor, and forcing users to authenticate using multiple factors. These solutions often deploy a couple of techniques that you might already know. The first uses biometrics, which falls in the “something you are” factor. This can be facial recognition, iris matching, or fingerprint matching. If you’ve unlocked your phone with your face or finger as a consumer, you are using biometrics as a form of authentication. Enterprises are doing the same: you see Windows Hello facial recognition (which uses the PC’s camera) logging the user into the enterprise’s domain with Active Directory. Biometrics is a better UI/UX than a password because it’s faster and easier to use, and it’s more secure than a sticky note on a monitor.
The other solution you’ll often see is a hardware-based authentication token or device, which is the “something you have” that a user must carry. These are a bit more cumbersome to use but provide additional security over passwords alone. There are many manufacturers of these devices, like Yubico and Samsung. These manufacturers follow the FIDO2 standard for passwordless authentication. FIDO is a standard that many of the largest companies on earth participate in and contribute to in order to create interoperable authentication. Another solution for this factor might involve authenticator apps from Google or Microsoft. These apps don’t require special hardware and can be loaded onto phones people already must carry within the enterprise.
MITCH: Where do you think enterprise security is heading in the future? Gaze into your crystal ball on our behalf, if you will.
I believe you’ll see enterprises double down on biometrics. The user experience is seamless and fast, which increases worker productivity and lowers the overhead placed on the enterprise IT department. Normally if you go for seamless and fast, you trade away higher security. But that isn’t the case with biometrics. You get the best of both worlds. It’s a very secure scheme to protect enterprise resources.
Additionally, quantum computing will arrive relatively soon. Compute power will exponentially increase, and that presents challenges for enterprises to protect passwords, tokens, and encryption keys/algorithms. Compute-intensive problems (like cracking certain encryption) might take a classical computer hundreds of millions or billions of years while a quantum computer might solve that same problem instantaneously. You’ll see the enterprise and security markets move to savvier forms of encryption and protection.
Lastly, enterprises will increase employee cybersecurity training. Every employee must be aware of social engineering tactics often deployed by cybercriminals. As enterprise systems are hardened, the rate and sophistication of social engineering attacks will increase. Hackers will develop more and more clever schemes to fool employees into unknowingly turning over sensitive data.
MITCH: Any final thoughts on this subject?
KEVIN: Valid is a provider of biometric systems. However, that doesn’t skew our view of the world. Biometric systems are fine and provide tremendous value, but they might not be the best solution for your enterprise. Other options exist for small and medium-sized businesses (SMBs) and enterprises, such as hardware devices and authenticator apps.
The cybersecurity landscape changes almost daily and your “solution” is never “done.” Hackers constantly leverage new attack vectors and social engineering techniques. Not all SMBs and enterprises and government entities are equipped with security resources and budgets to fully handle these threats and vulnerabilities. However, you can start improving your security posture immediately:
- Harden the systems you can with multifactor authentication.
- Encrypt data at rest and in transit.
- Start budgeting (or increase it) to better plan and staff your resources to fight cybersecurity threats.
- Create plans and processes related to cybersecurity threats, data loss/prevention, data handling, and security, breach monitoring and alerting and handling, and more.
Some of these enterprise authentication measures will pay immediate dividends without adding too much cost while you create a more end-to-end plan.