Looking ahead to life without passwords

Security pros know that passwords are nothing but trouble. For them, single sign-on, two-factor authentication and federated ID represent the path to stronger authentication.

Ayaaz Janmohamed and Matthew Todd manage IT operations in two very different environments, but their identity and access management challenges aren't different at all.

Janmohamed, IT infrastructure manager for the City of Edmonton Police Service in Alberta, Canada, worries that online outlaws could access electronically stored information on suspects, victims and police officers and put everyone's safety at risk. Todd, CISO and VP of risk and technical operations for Palo Alto, Calif.-based Financial Engines Inc., worries that someone with unauthorized access could steal investors' sensitive financial data and use it for identity fraud and other crimes.

Both have invested plenty of time, money and energy to keep these scenarios from ever happening. And along the way, both have determined that passwords are nothing but trouble.

"The urgency of people getting information is such that people put passwords on a sticky note, or several people try to share passwords on one machine, and so accountability is tossed out," Janmohamed said. Plus, many organizations allow employees to choose simplistic passwords that attackers can easily crack, and if an employee needs multiple passwords to access different applications, the problem is exacerbated.

Janmohamed and Todd are not alone. A majority of 358 IT professionals who took a SearchSecurity.com survey on identity and access management in April said passwords are obsolete and want to replace them with stronger methods that include two-factor authentication and single sign-on.

Respondents are also looking to replace traditional passwords with tools like tokens and smart cards.

"Whatever we can do to reduce the number of passwords will help us reduce the human impact," Todd said. "Fewer passwords mean fewer opportunities for things to go wrong."

By the numbers
The drumbeat against passwords has grown louder in recent months. Even Microsoft Chairman Bill Gates has called for their demise.

That mood is clearly reflected in the survey responses.

  • About 74% said their users must remember too many passwords, and 63% said coping with multiple password policies is a problem or a significant problem.

  • More than 56% said they're handling too many password resets.

  • 79% said their organizations are spending the same or more on password management this year.

Spending on authentication alternatives is also steady or on the increase at many organizations.

  • 64% said they are spending the same or more on authentication tokens.

  • 76% are spending the same or more on digital certificates, and nearly 50% say they're spending the same or more on smart cards.

  • 70% are spending the same or more on enterprise single sign-on, and 63% are spending the same or more on Web single sign-on.

Spending has declined, though, in some areas.

  • Fewer are investing in biometrics as an alternative. Just 39% of respondents said they will spend the same or more on biometrics this year, and more than 56% said they're not spending on the technology at all.

  • There is also less spending on federated ID management, with 47% saying they're spending the same or more on federated ID management and 48% saying they're not spending at all.

From passwords to PINs and tokens
Janmohamed plans to move beyond his organization's current password system toward one that relies on two-factor authentication and enterprise single sign-on.

"We hope to marry up [Microsoft] Active Directory and PKI to create a single sign-on process," he said. This way, the network won't prompt for a full username and password. Instead, he said, it will prompt each user for a PIN and token, and the token will have to be in the machine for the user to get access.

The department will use a PKI server from Addison, Texas-based security firm Entrust Inc. for authentication.

Until then, the police force is taking other measures to reduce the likelihood of password-inspired security problems. If there's no activity on a user's computer for 15 minutes, for example, the user must log back in so that passers-by can't walk up to the machine and help themselves.

Itching to federate
For Financial Engines, stronger authentication is also necessary for the company's plans to share applications with business partners through federated ID management, Todd said.

More than 40% of survey respondents said giving partners and suppliers access to their systems would enable a more efficient supply chain process. But for this to work, Todd said, companies must have total confidence that their partners are using ironclad authentication methods. In this regard, most organizations no longer trust the password system people have been using for the last 20-plus years.

For that reason, among others, federated ID management's push toward the mainstream has been slow.

"It's a huge challenge," Todd said. "We have data for millions of people that is sensitive. We are dealing with vast companies not used to smaller companies like us. So it's a bit of a battle getting the bigger guys to federate with a smaller company. We're a tugboat trying to steer the aircraft carrier in another direction."

Cultural change inevitable
While federated ID is a long-term goal, Todd outlined steps the company is already taking to strengthen authentication, which include rolling out SecurID from Bedford, Mass.-based RSA Security Inc. That may be key to getting rid of traditional passwords in the future. But there will probably be some hiccups early on.

"If we replaced the Windows password with a SecurID PIN code, cultural challenges would be involved," he said. "It would be much stronger than passwords but there would of course be some resistance to change."

While some might resist when change ultimately arrives, Todd said, eventually everyone would adjust to life without passwords. To get there, though, department heads must be on the same page.

"Anything you do with access control, it's all about mitigating risks to the business, so when I implement sweeping change, team leaders are involved," Todd said. "There may be early grumbles, but eventually everyone adjusts."

Stronger authentication no longer a choice
A move beyond traditional passwords isn't really a choice for companies anymore, especially those doing business online. In fact, financial firms are being required to have two-factor authentication by the Federal Financial Institutions Examination Council (FFIEC).

For that reason, two-factor authentication with a single sign-on capability is priority one for Keith Gosselin, IT officer for Biddeford Savings Bank in Biddeford, Maine. It's a change he's not complaining about.

"Passwords are simply not enough anymore," he said.
