Why security must be strong…but simple
Everyone who has logged into a virtual desktop, website or other online walled garden is familiar with authentication. The process they went through was most likely single factor authentication – logging in using something that the user knows. In this case, that something is the password.
However, single factor authentication is simple to hack and – ultimately – not very secure at all. Just guessing at a user’s password could enable access. And – considering the fact that SplashData is capable of releasing an annual list of the most commonly used passwords – guessing a user’s login information is probably not that difficult.
(And, since you’re dying to know, the most popular password in 2014 was 123456, followed closely behind by the old favorite, password.)
But today’s security threats and bad actors are more sophisticated than that and don’t have to rely entirely on luck and guesswork. Using malware, phishing schemes and other, more elaborate attacks, they’re capable of gaining access to actual passwords and the accounts and information they protect.
And this is a big problem since most users don’t have unique passwords for each of the different logins they face on a daily basis. In fact, the average person only has five different passwords for the more than 25 different websites they frequent that require logins. That means getting one password could enable a bad actor to gain access to 20 percent – or more – of a user’s online accounts.
To help combat this, enterprises have turned to multifactor authentication that effectively adds another layer to the authentication process. One of the most popular is possession – when a physical item, such as a card or fob, in possession of the user entitles them to access. This is a form of multifactor authentication that has been in use for decades.
However, even possession isn’t completely secure. Bad actors can steal or replicate the authenticating item, get the information they need from it by masquerading as the authenticator or even gain access following authentication.
In the face of an increasingly sophisticated, populated and active threat landscape, security vendors have worked to make advancements in multifactor authentication to make it stronger and more secure. One of these latest advancements is inherence, which can include fingerprint scanning, iris scanning or voice recognition.
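The possession factor described above works the way a hardware fob does: the server and the device share a secret, and the device proves it is present by producing a short code derived from that secret and the current time. The following added example (not code from the original post or from any product it mentions) shows what "adding another layer" looks like in practice: a login that checks a knowledge factor (a salted password hash) and a possession factor (an RFC 6238 time-based one-time password). The user record, salt, password and TOTP secret are constructed demo values; the TOTP secret is the reference secret from the RFC test vectors so the output can be checked against published values.

```python
import hashlib
import hmac
import struct

# Constructed demo data (not a real account). A real system would store a
# per-user random salt and a per-user random secret provisioned to the fob.
_SALT = b"demo-salt"
_PBKDF2_ROUNDS = 100_000


def _password_hash(password: str) -> bytes:
    """Knowledge factor: salted PBKDF2-HMAC-SHA256 of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _PBKDF2_ROUNDS)


DEMO_USER = {
    "password_hash": _password_hash("correct horse"),
    # RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890").
    "totp_secret": b"12345678901234567890",
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the Unix time step."""
    return hotp(secret, at // step, digits)


def verify_password(user: dict, candidate: str) -> bool:
    """Constant-time comparison so timing does not reveal how close a guess was."""
    return hmac.compare_digest(_password_hash(candidate), user["password_hash"])


def verify_totp(user: dict, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Possession factor: accept the current step and +/- `window` steps
    to tolerate clock drift between the fob and the server."""
    counter = at // step
    matched = False
    for delta in range(-window, window + 1):
        expected = hotp(user["totp_secret"], counter + delta)
        # Evaluate every candidate rather than returning early.
        matched |= hmac.compare_digest(expected, code)
    return matched


def login(user: dict, password: str, code: str, at: int) -> bool:
    """Two-factor login: both factors are always evaluated so a failure
    response does not tell the caller which factor was wrong."""
    knowledge_ok = verify_password(user, password)
    possession_ok = verify_totp(user, code, at)
    return knowledge_ok and possession_ok


if __name__ == "__main__":
    # Unix time 59 is the first RFC 6238 test vector; the fob would show 287082.
    print(login(DEMO_USER, "correct horse", totp(DEMO_USER["totp_secret"], 59), 59))
```

A stolen password alone fails `login`, and a captured code is only useful for about a minute because of the time step and drift window; that is the extra layer the post refers to. The user still types one short code, which is the usability trade-off the rest of the post is about.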
Each time an authentication advancement is made, another layer or factor is usually added to the process. And although that makes things more secure, it doesn’t necessarily make them better.
Adding authentication factors – such as inherence – and making authentication stronger ultimately takes users away from their normal “user story.” By adding steps and making authentication more complex, the process becomes more convoluted, difficult and bothersome to the user. In many cases, this leads to companies and their processes getting downright rejected by consumers who want things simple and easy to use.
This is even true in the enterprise environment. Although IT decision makers may put policies and authentication processes in place that require users to follow numerous steps, these users will ultimately find other ways to access the applications and information they’re looking for. This can even lead to employees storing company data in places – like Google Drive – where companies don’t want it and where it’s not secure, since the employee most likely used one of their five different passwords.
If authentication policies are put in place but circumvented, they’re not really increasing security. In fact, they’re most likely decreasing it. It’s for this very reason that Forrester includes “usability” as one of the factors in its detailed authentication solution overview.
Security and authentication processes that take end users out of their comfort zone, away from their day-to-day and make them spend too much time and energy will ultimately not make any person or enterprise more secure. These processes and solutions need to combine multifactor authentication, strong security and ease of use if they’re going to truly protect anyone.