Why security must be strong…but simple

Why security must be strong…but simple

Written By: Piyush Bhatnagar

Everyone that has logged into a virtual desktop, website or other online walled garden is familiar with authentication. That process they went through was most likely single factor authentication – logging in using something that the user knows. In this case, that something is the password.

However, single factor authentication is simple to hack and – ultimately – not very secure at all. Just guessing at a user’s password could enable access. And – considering the fact that SplashData is capable of releasing an annual list of the most commonly used passwords – guessing a user’s login information is probably not that difficult.

(And, since you’re dying to know, the most popular password in 2014 was 123456, followed closely behind by the old favorite, password.)

But today’s security threats and bad actors are more sophisticated than that and don’t have to rely entirely on luck and guesswork. Using malware, phishing schemes and other, more elaborate attacks, they’re capable of gaining access to actual passwords and the accounts and information they protect.

And this is a big problem since most users don’t have unique passwords for each of the different logins they face on a daily basis. In fact, the average person only has five different passwords for the more than 25 different websites they frequent that require logins. That means getting one password could enable a bad actor to gain access to 20 percent – or more – of a user’s online accounts.

To help combat this, enterprises have turned to multifactor authentication that effectively adds another layer to the authentication process. One of the most popular is possession – when a physical item, such as a card or fob, in possession of the user entitles them to access. This is a form of multifactor authentication that has been in use for decades.

However, even possession isn’t completely secure. Bad actors can steal or replicate the authenticating item, get the information they need from it by masquerading as the authenticator or even gain access following authentication.

In the face of an increasingly sophisticated, populated and active threat landscape, security vendors have worked to make advancements in multifactor authentication to make it stronger and more secure. One of these latest advancements is inherence, which can include fingerprint scanning, iris scanning or voice recognition.

Each time an authentication advancement is made, another layer or factor is usually added to the process. And although that makes things more secure, it doesn’t necessarily make them better.

Adding authentication factors – such as inherence – and making authentication stronger ultimately takes users away from their normal, “user story.” By adding steps and making authentication more complex, the process becomes more convoluted, difficult and bothersome to the user. In many cases, this leads to companies and their processes getting downright rejected by consumers who want things simple and easy to use.

This is even true in the enterprise environment. Although IT decision makers may put policies and authentication processes in place that require users to follow numerous steps, these users will ultimately find other ways to access applications and information that they’re looking for. This can even lead to employees storing company data in places – like Google Drives – where companies don’t want them and where they’re not secure since the employee most likely used one of their five different passwords.

If authentication policies are put in place, but circumnavigated, they’re not really increasing security. In fact, they’re most likely decreasing it. It’s for this very reason that Forrester includes “usability” as one of the factors in their detailed authentication solution overview.

Security and authentication processes that take end users out of their comfort zone, away from their day-to-day and make them spend too much time and energy will ultimately not make any person or enterprise more secure. These processes and solutions need to combine multifactor authentication, strong security and ease of use if they’re going to truly protect anyone.


About the Author

Piyush BhatnagarPiyush is the Chief Technology Officer and Founder at Authomate. Piyush founded the company in 2012 to simplify online security and bring strong authentication to every aspect of life without any added complexity. His responsibilities as CTO include leading innovation, developing product vision and product development. Piyush is a seasoned technology executive, entrepreneur and consultant with experience in technology development and management. During his 25 year career prior to starting Authomate, he worked for defense, information technology, and network security companies, where he built an extensive resume managing global software teams and executing product strategy.

View all posts by Piyush Bhatnagar


  1. The evolution of the mobile device - from cell phone to center of our lives - Access Granted
    The evolution of the mobile device - from cell phone to center of our lives - Access Granted3 years ago

    […] This process can be simple, hassle-free and require very few steps. This is important because, as we’ve discussed in a previous post, one of the essential elements in effective security and authentication is ease of […]

  2. Strong security not enough to battle insider threat - Access Granted
    Strong security not enough to battle insider threat - Access Granted3 years ago

    […] As my associate, Piyush, discussed in a previous post, the average American has pretty terrible cyber hygiene. They reuse passwords. They use weak passwords. They even email themselves their passwords. Just one account getting compromised can lead to multiple personal (and even some professional) accounts or profiles being compromised. And if one of those accounts contains sensitive company data that they stored or sent to themselves, that data is now also compromised. […]

  3. Starbucks breach shows that all accounts can be targets - Access Granted
    Starbucks breach shows that all accounts can be targets - Access Granted3 years ago

    […] is exactly the type of scenario that we discussed previously on Access Granted. End users have a tendency to re-use their passwords since it’s simply easier to remember one set […]

  4. Broken “keychain” shows futility of single-factor authentication - Access Granted
    Broken “keychain” shows futility of single-factor authentication - Access Granted3 years ago

    […] As we’ve discussed in previous posts, good cyber hygiene still eludes a majority of users. Within the enterprise, strong passwords are often eschewed for ones that are easy to remember. And organizations that require strong passwords ultimately succeed as their end users choose one, difficult password and use it across all of their accounts – or that they just add a few extra characters to an easy to remember password and use this repeatedly for other things internal and external to their company. […]

Leave a Reply