How to Beat the Bad Password Blues

Everyone knows that weak passwords undermine security. Unfortunately, strong passwords are not much better on their own.

The problem is that strong passwords — say, those made up of 12 characters, including a mix of upper- and lower-case letters, numerals and special characters — are devilishly difficult to remember, so people find ways to make them easier to manage (writing them down, reusing them across systems, or following predictable patterns), which in turn makes them easier to crack. In any case, even the best passwords can be stolen, whether by phishing or by a breach of the system that stores them.

That’s why many agencies are turning to multifactor authentication (MFA), which requires not just a password – if one at all – but also a hardware or software token, a biometric (e.g., fingerprint) scan or other authenticators.

To learn more about multifactor authentication, GovLoop spoke with Steve Schmalz, Field Chief Technology Officer (CTO) at RSA, a provider of MFA and other cybersecurity solutions. Schmalz highlighted three factors to consider when selecting an MFA solution.

Ease of Use

Ease of use is essential for MFA for a simple reason: If an authentication solution is too difficult, users will flood the help desk with trouble tickets or simply find a way to bypass the solution, Schmalz said.

Ease of use is equally important to administrators whose job it is to integrate the solution and keep it running. “If that’s too complicated, then either they’ll implement it incorrectly, or it just won’t get implemented at all,” he said.

The net result? The organization will end up with passwords again.

Choice of Authenticators

When setting up an MFA system, an organization might be tempted to mandate a particular combination of authenticators, such as a password and smart card, for every use. The problem is that no authenticator is ideal for every use case.

For example, a smart card might work well for an end-user logging onto a laptop, but not so for a network administrator accessing a standard network router.

“If you have just one option, there are going to be situations where you can’t implement it, and then you’re back to password-based authentication as the only choice,” Schmalz said.

Risk-Based Governance

Typically, agencies see authentication (verifying a user’s identity) as a separate function from authorization (verifying which resources that user is allowed to access). But that shouldn’t be the case, Schmalz said.

By unifying the two functions, an agency can take a risk-based approach to protecting its resources. For example, the agency might want to require a higher level of authentication for a user accessing sensitive applications or data, or for users working from the road rather than the office.
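The two points above, that no single authenticator combination should be mandated for every use case and that the required strength of authentication should follow from the sensitivity of the resource and the context of the request, can be expressed as a small policy engine. The following is an added illustration written for this page, not code from RSA or from GovLoop's guide. The assurance levels, the authenticator catalogue, the resource baselines and the "off-network raises the level by one" rule are all assumptions chosen for the example:

```python
from enum import IntEnum
from itertools import combinations


class Assurance(IntEnum):
    """Ordered assurance levels. Constructed for this example; the names loosely
    mirror the idea of authenticator assurance levels but are not a standard."""
    NONE = 0
    SINGLE = 1   # one factor, e.g. password only
    MFA = 2      # two different factor types
    MFA_HW = 3   # two factor types, one of them a hardware-bound authenticator


# Which factor type each authenticator provides (assumed catalogue).
FACTOR_TYPE = {
    "password": "knowledge",
    "otp_app": "possession",
    "sms_otp": "possession",
    "hardware_token": "possession",
    "smart_card": "possession",
    "fingerprint": "inherence",
}
HARDWARE_BOUND = {"hardware_token", "smart_card"}

# Baseline assurance each resource demands (assumed values for a fictional agency).
RESOURCE_BASELINE = {
    "timesheet": Assurance.SINGLE,
    "case-files": Assurance.MFA,
    "router-admin": Assurance.MFA_HW,
}


def achieved_assurance(authenticators):
    """Assurance a session has reached given the authenticators it presented.
    Two authenticators of the same factor type (e.g. OTP app + hardware token,
    both 'possession') still count as a single factor."""
    types = {FACTOR_TYPE[a] for a in authenticators}
    if len(types) >= 2:
        if set(authenticators) & HARDWARE_BOUND:
            return Assurance.MFA_HW
        return Assurance.MFA
    return Assurance.SINGLE if types else Assurance.NONE


def required_assurance(resource, on_trusted_network):
    """Authorization and authentication decided together: the resource's
    sensitivity sets a baseline, and a request from outside the trusted
    network raises it by one level (capped at the highest level)."""
    level = RESOURCE_BASELINE[resource]
    if not on_trusted_network:
        level = Assurance(min(level + 1, Assurance.MFA_HW))
    return level


def decide(resource, on_trusted_network, authenticators):
    """Return 'allow' or a step-up instruction naming the level still needed."""
    required = required_assurance(resource, on_trusted_network)
    achieved = achieved_assurance(authenticators)
    if achieved >= required:
        return "allow"
    return f"step-up to {required.name}"


def satisfying_combinations(level, available):
    """Every one- or two-authenticator combination drawn from `available` that
    reaches `level`. Offering several, rather than mandating one pair, lets each
    use case (laptop user, router administrator) pick what it can deploy."""
    pool = sorted(available)
    combos = [frozenset(c) for n in (1, 2) for c in combinations(pool, n)]
    return {c for c in combos if achieved_assurance(c) >= level}


if __name__ == "__main__":
    print(decide("timesheet", True, {"password"}))                      # allow
    print(decide("timesheet", False, {"password"}))                     # step-up to MFA
    print(decide("router-admin", True, {"password", "sms_otp"}))         # step-up to MFA_HW
    for combo in satisfying_combinations(
        Assurance.MFA_HW, {"password", "fingerprint", "hardware_token", "otp_app"}
    ):
        print("router-admin can use:", sorted(combo))
```

Note that `achieved_assurance` counts factor types, not authenticators: a password plus a PIN, or an OTP app plus a hardware token, is still one factor. That is the check most home-grown MFA policies get wrong, and it is why the policy expresses requirements as levels and lets `satisfying_combinations` enumerate the acceptable options rather than hard-coding "password and smart card" everywhere.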

RSA provides agencies with an MFA infrastructure flexible enough to support strong authentication processes across a wide range of environments. As part of that, RSA has incorporated a cloud-based offering that works across cloud-based, web-based and on-premises systems.

“By putting everything together, we’re able to provide a portal to access all of the applications that you might need,” Schmalz said.

This article is an excerpt from GovLoop’s recent guide, “Your Cybersecurity Handbook: Tips and Tricks to Stay Safe.”
