“The writing’s on the wall for single-factor,
password-based authentication on anything Internet-facing.”
-Verizon 2014 Data Breach Investigations Report (DBIR)
Data breaches related to usernames and passwords seem to be happening almost daily — passwords are obviously no longer an effective method to protect data. In fact, exploiting weak identity credentials is one of the most common elements of most attacks. Even attacks that seem unrelated to users, such as recent POS attacks at well-known retailers, can be traced to insecure passwords. To quote, again, from the Verizon DBIR:
“[This] lead[s] us to our second common scenario: the use of stolen vendor credentials. In one case the credentials stolen belonged to a point-of-sale vendor and were compromised via Zeus malware infecting the vendor’s systems. The big problem among these was that the same password was used for all organizations managed by the vendor. Once it was stolen, it essentially became a default password and the attackers also gained knowledge of the customer base.”
One of the main challenges with passwords is that the methods used to compromise them are continually evolving, while the core defensive strength and tactics used to secure them remain the same. Best practice policies emphasize using longer passwords to counter the effectiveness of brute force attacks — forcing users to write them down or store them in even less secure places. The other impact of longer and more complex passwords are the increasing costs of the growing number of help desk calls attributed to forgotten passwords. While passwords are always cheap in the beginning, in the long term, the significant risks of a data breach make them an expensive proposition with diminishing returns.
“Due to improved tools and computing power, cracking passwords that were once considered reasonably long and dynamic is no longer as challenging as it used to be. Many of the recent newsworthy breaches are demonstrating a shift toward methods that don’t even rely on hacking at all.” Terry Gold, IDAnalyst
As the world transforms itself to consolidate toward a digital infrastructure — connecting applications, devices, and people — it is no longer acceptable to CISOs, CSOs, and information and corporate security professionals to invest in legacy systems that can’t provide the resistance to attacks that is reasonably required while enabling them to achieve compliance mandates and protect trade secrets. Even roles outside of traditional IT are affected, as evidenced by the departure of the Target CEO after a security breach that affected 40 million customers.
The truth is that passwords are well beyond their use-by date and we are entering the “Post-Password Era” — we cannot continue to accept the continual breaches and corresponding business impact. The only rational answer is to move to a universal, standards-based system involving more than a password. Multi-factor authentication significantly strengthens the authentication process because it removes the password and eliminates many pervasive methods attackers commonly and successfully execute.
The U.S. government has implemented a standard known as FIPS 201 that mandates strong two-factor authentication for both buildings and information/network access. Users have a single strong credential known as a Personal Identity Verification (PIV) card — essentially, a smart card. These cards contain credentials known as digital certificates, generated from a Public Key Infrastructure (PKI) system — a standard that has existed for over 20 years and is used to secure millions of objects today from computers and networks to passports and mobile devices.
From a security standpoint, PKI completely removes the password on both the endpoint and the back-end, leaving an attacker with no passwords to attack. In fact, PKI and digital certificates are used in every browser to secure the connections — when you see “https:” or a padlock icon to indicate secure.
Strong authentication with a digital certificate can be used anywhere across the entire enterprise ecosystem, where and when employees need it — computers, networks, mobile devices, and even doors for facility access. Certificates can be stored and used in a number of different ways — being placed on a physical access card is just one example, and is common to converge premises and information access. But let’s face it, physical cards don’t make sense for several use cases, such as securing mobile devices, which is why certificates can be used on these devices as a secure download or “soft certificate”.
Once you are using a certificate on a device, there are many things that can be done beyond securing the initial login/authentication. Since certificates are multi-use, users can encrypt or digitally sign protected emails and documents, encrypt hard drives, and can even use them for new initiatives, such as signing prescriptions.
Digital certificates can also be placed in any device or even stored in contactless tags (such as NFC). A product owner can use digital certificates to protect products and devices, e.g., a POS terminal, smart water meter, home automation system, a video camera, or even something as basic as a connected water pump.
Every organization should be embracing the post-password era, and the good news is that it’s relatively easy to get up-and-running with a pilot, because PKI and digital certificates are standards — nearly all operating systems and cloud/applications software support their use. There are even companies that deploy PKI as a turnkey cloud service, so you can get up-and-running even quicker. Of course, Identiv is one of those companies and we’d love to help you on your journey to the post-password era.