<img src="https://ws.zoominfo.com/pixel/Np52uyz9J1Drr8qrlKUF" width="1" height="1" style="display: none;">

Passwords as Security is Dead. What's next in MFA?

TBC

Published On - March 09, 2023

TBC Data Backup and Recovery, Cybersecurity, Most Popular

Passwords as Security is Dead. Whats next in MFA

Why are passwords no longer sufficient to secure user accounts? Because users tend to repeat passwords across accounts, choose easy-to-guess passwords, and even share passwords to get work done faster. And some people still insist on using passwords like "123456," "password," or "1234567890". Those take hackers less than one second to crack. The next step is Multi-Factor Authentication (MFA) and password managers to combat easily hacked passwords.

Although the days of changing your password every 90 days are gone (Yay!), corporations are relying heavily on password managers for access security. But even LastPass, a password management service, has been breached twice within six months. (Boo!) So how secure are your most valuable digital assets if you use a password manager or any other password management tool? 

Security & risk management leaders must acknowledge that passwords are no longer a security asset. 

What's better than Passwords? 

Crime pays! Stolen credentials were responsible for 63% of hacking activities in 2022. Employees need to avoid oversharing sensitive information. The human element remains the weakest link in security interfaces, and passwordless authentication is an excellent way to reduce this vulnerability. But only if users are willing to take those extra security steps.

Passwordless authentication methods like FIDO2 keys or using biometric data (voice, retina, fingerprint), certificate-based authentication, location confirmation, and tokens/pins sent to mobile devices are some tools used to authenticate user identities for both mobile and desktop applications. But security comes at a price, and there needs to be more clarity about what constitutes a passwordless solution.

  Quote_PASSv2  

Biometric authentication is expensive, and employees may hesitate to comply due to privacy concerns. One-time passwords (OTP) or two-factor authentications involve codes sent to mobile devices or emails. Both methods are time sensitive and cumbersome if many workload applications ask for an OTP for each login. Single sign-on technology is easy for users but risky because if those credentials are compromised, the hacker could access all the user's connected applications.

Identity and Access Management (IAM)

You know you need to go passwordless, but your authentication method depends entirely on your user base, the sensitivity of data and workloads, and the adoption rate of the tool(s) you plan to use.

Security & risk management leaders must not isolate Identity and Access Management (IAM) from their overarching security strategy. IAM is about controlling access to your network, core business processes, and data by knowing who is in your environment, how long they have been there, what they are doing, and if they are authorized to be there. Most organizations already have tools that could do some of these things but haven't maximized their use in IAM – or their security value.

Before leaping to passwordless authentication, security management leaders must create a strategy to define the source of truth for users' digital identities, find solutions that will not impede productivity, and align with stakeholders on implementing new authentication protocols across the organization. IAM leaders can use behavior analytics to remove passwords from the authentication process flow. Pinging in from the same location, same device, and same VPN every day is low-risk behavior. Add proof of identity steps when behavior or access location changes.

How to best enforce digital identities? Using the National Institute of Standards and Technology (NIST)'s Special Publication 800-63B Digital Identity Guidelines as a baseline for best authentication lifecycle management practices for authentication is a good start.

Take a look at the list below from NIST's Table 8-2, which offers organizations recommendations on how to mitigate against each of these common authenticator threats:

mfa strategy

Cybersecurity Awareness Training

How do you get employees to buy into change? Through education and understanding. Only try to mandate passwordless authentication after warming up your audience with information, the reasons the changes will benefit them individually, and the importance of cybersecurity to the organization. Be aware that many people are uncomfortable using their personal cell phones to accept authentication keys. Don't discount those sensitivities--but feel free to use incentives to build adoption!

When you communicate the criticality of cybersecurity with transparency, you foster a culture of trust and shared responsibility across the organization. Invite employees at all levels to complete ongoing Security Education Training and Awareness (SETA) to keep everyone aware of the latest cybersecurity threats. Invest time in rolling out your passwordless authentication program and tie it to the need for perpetual cyber vigilance and personal accountability to secure digital assets.

In addition to education, periodically engage users with simulated phishing emails and track progress to share with the organization. Encourage your employees to accept ownership of their digital identity and learn how to protect it. In addition, IAM leaders should maintain rigorous offboarding standards to prevent sabotage, monitor user behavior on the network, and incorporate access management tools that limit access based on user role.

Invest in Whole-Business Security Controls

Securing your IT infrastructure takes more than a stack of tools. Security must be a whole-business endeavor. TBC, an IT Solutions Provider headquartered in Scottsdale, Arizona, is focused on helping organizations build a culture of security that permeates throughout organizations. TBC works closely with executive leadership, and IT teams to increase the efficiency and adoption of security tools and processes.

When you decide to prioritize your organizational security, TBC can help build security controls into your whole business, educate your workforce, and implement a passwordless authentication methodology that is secure, frictionless, and willingly adopted by your users. Our security teams will help you minimize your time-to-value by realigning your security strategy, tools, and processes to deepen your IT security and reduce risk across your organization.

  LinkedIn-1 Facebook-1 Twitter-1

 

strategy contact us

 

Related Articles

September 07, 2023
Process Over Particulars: Why SEC 106 is All About Your Cybersecurity Strategy

Whose side is the U.S. Securities and Exchange Commission (SEC) on anyway?

The SEC is squarely on the side of the investors – and Rule 106 was adopted to protect those parties from cybersecurity ‘surprises’ that could impact the stability and financial viability of the publicly traded companies which they invest. With Rule 106 and the new Form 8-K 1.05, the SEC wants to eliminate the excuses[...]

By TBC
August 24, 2023
Ready or Not, the New SEC Cybersecurity Rules are Here!

Allegedly, the wrath of the U.S. Securities and Exchange Commission (SEC) was triggered by the large number of organizations that hid ransomware attacks and data breaches from the SEC, paid ransoms without federal notification, buried cyber risk from investors, and let vulnerabilities remain long after discovery. Allegedly.

The SEC’s new Cybersecurity and Risk Management rules become effective on[...]

By TBC

    Recent Posts

    Categories

    Archives

    tbc-reversed-white-bug SOC2_2023

    Solutions

    Insights

    About

    Contact

    Phone: (602) 396-5318

    HQ

    8328 E Hartford Drive

    Scottsdale, AZ 85255

     

    Get in touch today

     TBC |  Privacy Policy  |