As we now enter the second half of April, and hopefully you have your taxes filed and are getting a refund, the Cyber Threat landscape still remains about the same. I peruse the news headlines on a daily basis, and except for the usual data leaks and some Ransomware attacks, there is nothing earth shattering that has happened, at least not yet. Let’s hope that it stays that way.
But there seems to be an increase in some technojargon usage, and no, it’s not the Remote Workforce or the Zero Trust Framework. Rather, it is MFA that is coming back again. For those of you who are not familiar with this acronym, it simply stands for “Multifactor Authentication”.
This is where you are required to go through three or more layers of differing kinds of authentication before you can gain access to what you are seeking.
But at the heart of this authentication process still remains the pesky password. Many organizations across Corporate America are trying to get rid of it altogether, but the use of passwords has become so ingrained into our society over who knows how many decades that it will never truly disappear 100%. It will still stick with us in some form or fashion.
Recently, I have had a few podcasts where my guests and I have actually talked about this in more detail. They too are trying to go “passwordless”, but are going up against a lot of employee pushback on this. It all comes down to the fact that it is simple human nature.
Once we get used to something, we don’t want to change unless we have to. And even if we have supposedly adopted this new change, we still find ourselves yearning for the old ways again.
So, if you are a CISO, or even an IT Security Manager, and really want to get rid of that password altogether, here are some tips for you:
1) Start with baby steps:
Never attempt to eradicate passwords 100% all at once. Always use some sort of phased-in approach first, so that your employees will have time to get used to doing something new and different. For example, if you still rely upon Perimeter Security where the password is the primary means of defense, add one more layer of authentication. This could be a challenge/response kind of format, or even something such as an RSA token. This is known as 2FA, or “Two Factor Authentication”. For example, start with your employees entering their password, then entering the numeric code that is displayed on the token. Once your employees start to like this idea, then gradually move up to MFA.
2) Adjust your policies accordingly:
Even before you implement 2FA, conduct a thorough assessment of all of the digital assets at your company, and determine those that require 2FA or MFA access. If there are areas that are not as critical, perhaps you can continue to use just a password there to give your employees some more time to adjust to the new process. But keep in mind, for those areas, always keep a close eye out for any suspicious behavior, because you are still relying on only one line of defense.
3) Try to bring everything together in one:
By this I mean don’t assign each and every employee’s rights, permissions, and privileges on an individual basis. Rather, migrate to a Cloud platform, such as Microsoft Azure. Here, you can make use of what is known as the “Azure Active Directory”. This is simply a very sophisticated way of creating groups and profiles for the various departments of your business. From there, you can assign the rights, privileges, and permissions that are common to the people in a group, and they will be automatically granted to each member. Through the Azure Active Directory, you can also create what are known as “Federated Identities”. This is where the same login credentials can be used in a more secure way to gain access to other shared resources on the network.
4) Adopt the concept of Least Privilege:
What this simply means is that you give your employees just enough permissions to access what they absolutely have to in order to do their daily job tasks. For example, your network administrator will have a much higher level of access than, say, your administrative assistant. But you also need to keep a constant eye on this, as you do not want an employee to accumulate more privileges than they need. The reason for this is simple: if their username/password is compromised, then the Cyberattacker will have far greater access to your crown jewels. This can be avoided by conducting a routine audit at least on a quarterly basis.
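Tips 3 and 4 fit together: permissions are granted through group membership, and the quarterly audit compares what each employee effectively holds against what their role needs. Below is an added example of that audit, written for this post rather than taken from it or from Microsoft; the group names, role baselines, and employees are constructed sample data, and a real run would pull group membership from the directory (for example via Microsoft Graph) instead of the in-line dictionaries.

```python
from dataclasses import dataclass, field

# Constructed sample: what each directory group grants (the Azure AD-style model in tip 3).
GROUP_PERMISSIONS = {
    "NetworkAdmins":   {"firewall:write", "vpn:admin", "dns:write", "mail:read"},
    "AdminAssistants": {"calendar:write", "mail:read", "docs:read"},
    "Finance":         {"ledger:write", "docs:read", "mail:read"},
}

# Constructed sample: the least-privilege baseline, i.e. what each job role actually needs.
ROLE_BASELINE = {
    "network_administrator":    {"firewall:write", "vpn:admin", "dns:write", "mail:read"},
    "administrative_assistant": {"calendar:write", "mail:read", "docs:read"},
    "accountant":               {"ledger:write", "docs:read", "mail:read"},
}


@dataclass
class Employee:
    name: str
    role: str
    groups: set
    # Per-user grants outside any group: exactly what tip 3 says to avoid.
    direct_permissions: set = field(default_factory=set)


def effective_permissions(emp: Employee) -> set:
    """Union of everything the employee holds through groups plus any direct grants."""
    perms = set(emp.direct_permissions)
    for group in emp.groups:
        perms |= GROUP_PERMISSIONS.get(group, set())
    return perms


def audit(employees) -> list:
    """Quarterly least-privilege review.

    Returns (name, finding_kind, permissions) tuples:
      excess-privilege : held permissions not in the role baseline (privilege drift)
      direct-grant     : permissions assigned outside the group model
      unknown-role     : no baseline exists, so the account cannot be reviewed
    """
    findings = []
    for emp in employees:
        needed = ROLE_BASELINE.get(emp.role)
        if needed is None:
            findings.append((emp.name, "unknown-role", set()))
            continue
        excess = effective_permissions(emp) - needed
        if excess:
            findings.append((emp.name, "excess-privilege", excess))
        if emp.direct_permissions:
            findings.append((emp.name, "direct-grant", set(emp.direct_permissions)))
    return findings


# Constructed sample roster: alice is clean, bob kept a Finance membership after a
# department move, carol was hand-granted a firewall right she does not need.
SAMPLE_EMPLOYEES = [
    Employee("alice", "network_administrator", {"NetworkAdmins"}),
    Employee("bob", "administrative_assistant", {"AdminAssistants", "Finance"}),
    Employee("carol", "accountant", {"Finance"}, {"firewall:write"}),
]


if __name__ == "__main__":
    for name, kind, perms in audit(SAMPLE_EMPLOYEES):
        print(f"{name}: {kind} {sorted(perms)}")
```

The useful output is the `excess-privilege` list: each entry is a group membership or direct grant to remove before the next quarter, and any `direct-grant` finding is a sign that someone bypassed the group model and assigned rights one user at a time.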
5) Try to educate:
Normally, I would be pretty emphatic about this, but believe me, trying to train employees on good password Cyber Hygiene is very difficult. You can go on and on ad nauseam about the importance of creating long and complex passwords, the syntax of a good password, blah, blah, blah. But in the end, your employees are going to go back to their old ways, even trying to circumvent any new policies and rules you have put forth in this regard. Probably the only way that you are going to get your employees to change is to reward them for good behavior. It sounds like what a parent would do with a little kid, but in this instance, you may not have much choice in the end.
My Thoughts On This:
Believe it or not, there is a way to go 100% passwordless. That is through the use of Biometric technology, such as Fingerprint Recognition or Iris Recognition. Through one swipe of the finger, or one scan of the eye, respectively, your employees can log in within seconds, versus the time it takes to enter a password.
But this too will be a hard task to accomplish, because then your employees will be worried about violations of their Civil Liberties and Privacy.
Your best friend here is the Password Manager. With this, your employees can create all kinds of crazy passwords and have them reset automatically by this software package. Best of all, your employees will not have to remember their passwords anymore, which will greatly reduce the risk of the so-called “Post It Syndrome”.
In fact, this may be the best route to go first, rather than trying to adopt and implement 2FA and/or MFA. But the irony here is that the Password Manager requires a password itself so that your employees can log into it.
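Two things make that one remaining master password bearable: the generated passwords inside the vault are long and random, so their strength no longer depends on anyone's memory, and the master password itself is never stored, only a slow key derivation of it. The block below is an added illustration of both points, written for this post and not taken from any password manager product; it uses only the Python standard library (`secrets` for generation, `hashlib.scrypt` for the memory-hard derivation), and the "correct horse" master password is a constructed sample.

```python
import hashlib
import hmac
import math
import secrets
import string

# 94 printable ASCII symbols; the alphabet size drives the entropy figure below.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Uniformly random password from a CSPRNG, rejected and redrawn until every
    character class is present so that corporate complexity rules always accept it."""
    if length < 4:
        raise ValueError("need at least one character per class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing entropy of a uniform random string: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def derive_keys(master_password: str, salt: bytes, n: int = 2 ** 14, r: int = 8, p: int = 1):
    """scrypt the master password into 64 bytes: the first half would be the vault
    encryption key, the second half is what gets stored to check later logins.
    Storing a different half than the one used for encryption means a stolen
    verifier does not hand over the vault key."""
    material = hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                              n=n, r=r, p=p, dklen=64)
    return material[:32], material[32:]


def create_vault(master_password: str):
    """Returns (salt, verifier) to persist; the encryption key is deliberately not returned."""
    salt = secrets.token_bytes(16)
    _encryption_key, verifier = derive_keys(master_password, salt)
    return salt, verifier


def unlock(master_password: str, salt: bytes, verifier: bytes) -> bool:
    """Check a login attempt in constant time against the stored verifier."""
    _encryption_key, candidate = derive_keys(master_password, salt)
    return hmac.compare_digest(candidate, verifier)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"~{entropy_bits(len(pw)):.0f} bits")
    salt, verifier = create_vault("correct horse battery staple")   # constructed sample
    print("unlock with right password:", unlock("correct horse battery staple", salt, verifier))
    print("unlock with wrong password:", unlock("Password1", salt, verifier))
```

The 20-character generated password is roughly 131 bits of entropy, far beyond anything an employee would write on a Post-It; the master password is the only secret left that has to be both memorable and strong, which is exactly the irony the paragraph above points out.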