Killing Passwords Won’t Help Secure Networks

In the previous article, “How Hackers Unlock Your ‘Secure’ Front Door,” I explained that weak password policies and employee-managed passwords jeopardize cybersecurity. One of the first steps is to implement secure authentication, and that is made up of three parts (called “factors”):

• Something you HAVE (possession factor)
• Something you KNOW (knowledge factor)
• Something you ARE (inherence factor)
  

Together, the cybersecurity industry refers to these as “the three factors of authentication.” Each factor has its own unique strengths and weaknesses. No factor is better than the other.

When only one of the three factors is used, it is referred to as single-factor authentication (SFA or 1FA). Only requiring a password, token or fingerprint is 1FA and considered weak authentication. That’s because it’s easy for a hacker to steal and present only one identifier. Tokens, passwords and fingerprints can all be stolen.

The combination of any two or more factors is multifactor authentication (MFA). If it’s two factors, then it’s two-factor authentication (2FA), which is very strong. The odds of a hacker being able to acquire and present both factors at the same time is very difficult. Using all three is considered three-factor authentication (3FA), and it is extremely strong.

Make the Hacker Work Harder

If one or more of the factors change, it becomes even more challenging to acquire and present two or more factors in a timely manner. Remember, the only network that’s 100% secure is the one that is never turned on. Because that is not practical, the more hurdles you place, the harder the hacker has to work. If the effort is too difficult, then most hackers will abandon their efforts and look for easier prey. Strong authentication security makes infiltration harder.

Changing a factor therefore has to be easy, cost-effective and painless. While changing a token and credential is relatively easy, it’s often not economically viable. The repurchase, collection, redistribution and disposal of a secure credential requires a high price tag. Altering a person’s face, eye, voice or fingerprints is very painful, expensive and not easy. Passwords, on the other hand, are fast and free to change. Changeability makes passwords a strong security component of MFA.

Properly Implementing MFA

Here’s the part that many don’t understand about implementing multifactor authentication. By definition, MFA demands that two or more dissimilar factors are presented. True MFA means a password + card, or biometric + card, or password + biometrics, or password + card + biometrics. Don’t be fooled into believing that receiving a text message, email or a number generated from an authenticator application is MFA. It isn’t. Since a password and a text code are both knowledge factors, they are not dissimilar factors. Instead, you have “double single-factor authentication,” also called “Two-Step Verification.”

When you implement two-step verification you are not implementing multifactor authentication. Without MFA your cybersecurity is not compliant with government regulations and standards. Even the National Security Agency (NSA) has disavowed SMS text for authentication. MFA demands that two or more different factors are presented.

Killing a Factor

How often have you heard security pundits say, “We need to kill passwords!” or use the made-up marketing phrase, “We need to become a passwordless society.” These messengers don’t understand passwords vs. password management. Passwords can and never will disappear. Passwords are a key security factor, “the something you know.” Be careful of those who want to kill passwords. They often have another agenda other than improving security or convenience.

Passwords are also the only authentication factor that’s not publicly available. We leave our biometric factors everywhere. We touch something, our picture is captured or our voice is recorded. Cards and tokens can be stolen or replicated. However, today we cannot capture thoughts. Killing passwords does not add security but rather decreases it.

Finally, if passwords disappeared completely, then authentication would be left with only two factors. Having only two approved factors is something no security professional will support because it lowers security barriers. Passwords are the only factor of the three that can be easily, cheaply and frequently changed. That’s why as an authentication methodology, passwords are both effective and here to stay.

Something to think about: Some new identifiers are under discussion to increase the number of authentication factors. With the introduction of GPS-enabled smartphones, a new proposed factor is “where you are.” With all the surveillance cameras deployed, the capture of your posture or walking gate can be “something you do.” GPS does not verify that it’s you in possession of the smartphone, and your walking habits is another biometric feature. I consider both of these as additional verification factors, but not authentication factors. This is probably why the security industry has not recognized these identifiers as a factor.

Passwords play a key role in securing MFA. They offer unique advantages that no other factor can. While almost everyone loves to hate passwords, they are not the real problem. We don’t have a password problem — we have a password management problem.

Be sure to check out my next article about fixing the weakest link in cybersecurity.

Dovell Bonnett has been creating computer security solutions for over 25 years. He passionately believes that technology should work for humans, and not the other way around. This passion lead him to create innovative solutions that protect businesses from cyberattacks, free individual computer users from cumbersome security policies and put IT administrators back in control of their networks. He solves business security needs by incorporating multiple applications onto single credentials for contact or contactless smartcards. In 2005, he founded Access Smart LLC to provide logical access control solutions. His premiere product, Power LogOn, combines Multi-Factor Authentication and Enterprise Password Management on a government-issued ID badge (CAC, PIV, PIV-I, CIV, etc.).