Cumbersome and ineffective password requirements raise the question: Is there a better way? The answer is certainly yes.
The federal government already relies on personal identity verification (PIV) cards as the first identity check at the door, literally. These cards are used to access federally controlled facilities and log on to agency information systems. With modern endpoints and mobile devices, relying entirely on a PIV card reader is not practical. Using another authentication factor, like biometrics using facial recognition or fingerprints, provides a more secure and user-friendly method to authenticate identity.
But even with appealing alternatives, passwords continue to be used to access applications, creating frustration for employees and an easy threat vector for adversaries.
“We have the solution to kill the password, and go to zero sign-on,” said Bill Harrod, Public Sector Vice President for Ivanti.
Agencies need to hear the clarion call. Cybersecurity is better when employees are on board with the plan. Step one is a smoother log-on.
Kill the password
No one loves passwords. For years, passwords have been the most easily compromised security control, even with more stringent and complex composition requirements, Harrod said. Additionally, a recent Ivanti survey found that a quarter of employees use the same password for their work email and commercial accounts.
That’s a major problem. Using work emails for online apps gives additional information to hackers trying to gain access. And with derived intelligence from social media and other online sources, credential compromises and increased phishing attacks are all the more likely.
Correcting this behavior should be a priority, but agencies should also focus on changing the method of authentication, especially for cloud-based apps and government-protected resources. Shifting away from passwords can be a significant benefit to agencies’ security posture while improving employee privacy protection, as well.
More edge security where users are
Biometrics are one way to leave passwords behind, and they’re well-suited to telework. Many mobile devices – from phones to laptops – already have biometric features, such as facial and fingerprint recognition. The device uses them to generate an authentication token, which is sent to the network to verify identity and permit access. Digital credentials derived from PIV cards and unlocked only via biometrics serve as strong, password-free multifactor authentication.
Agencies can also implement per-application VPNs. These VPNs send each application’s traffic straight to the cloud. The direct route cuts out circuitous traffic, meaning faster connection times and streamlined service for users. It also boosts security, because access is authenticated more frequently.
Partners like Ivanti can help here, applying application-level security and PIV-derived credentials, and validating identity and connections seamlessly on external endpoints.
“There really is a better together story,” Harrod said.
This article is an excerpt from GovLoop’s recent guide, “Your Cybersecurity Handbook: Tips and Tricks to Stay Safe.”