Passwords Aren’t Enough: 3 Ways to Bolster User Authentication

Many organizations are decreasing their reliance on user names and passwords for user authentication. They are also learning more about the benefits of deploying strong user authentication to increase the level of assurance for online identities as part of an overall approach to securing access to information and managing risk.

Companies should select and deploy strong user authentication solutions based on their assessment of the optimal balance between security, total cost of ownership (TCO) and alignment with the end-user populations and applications being supported.

The Problems With Passwords

Aberdeen’s research indicates that virtually all organizations surveyed (98 percent) indicate continued reliance on user names and passwords for authenticating end users to control access to systems, networks, data and applications. Nearly half (48 percent) of all respondents, however, have also deployed at least one stronger, non-password method of user authentication.

A majority of all respondents have taken steps to strengthen the security of passwords, for example, through:

• Requirements for length (71 percent), complexity (62 percent) and frequency of change (36 percent);
• Restrictions on reuse (58 percent), and;
• Exclusion of standard dictionary terms (55 percent).

All of these steps enhance the security of passwords but also make passwords more cumbersome for end users. Passwords that are more difficult to guess are also more difficult to remember. Natural coping mechanisms include writing them down (which weakens security) and relying on calls to the help desk (which increases cost).

Shockingly, nearly two-thirds of all respondents (64 percent) currently do not even require passwords to be changed. Clearly, none of the resulting risks, costs and inconveniences were the formal intent of management in establishing current user authentication policies based on passwords.

The sheer number of passwords amplifies the problem. In a typical day, an average enterprise knowledge worker may be required to use a half-dozen passwords or more in the normal course of Windows log-on, data encryption, remote access (e.g., virtual private network or secure sockets layer VPN), WiFi access, e-mail, Web-based applications or portals, and back-office applications (e.g., human resources or enterprise resource planning). Smaller subsets of users may use passwords to access privileged accounts (i.e., administrative functions) or to execute high-value transactions. Current research indicates that about nine out of 10 (88 percent) enterprise users have multiple work-related passwords.

The top pressures driving organizations to focus resources on evaluating and implementing stronger, non-password forms of user authentication are those Aberdeen has seen in virtually all security benchmark studies over the past year: Risks, regulations, internal policies, and industry best practices and standards continue to be the leading market drivers, along with “protecting the organization and its brand.”

“Reduce cost” is a more recently emerging theme seen in Aberdeen’s security research, but worthy of special note as a driver for investments in assuring identities given the common (mis)perception that passwords are “free.” Our November 2007 report on Security Governance and Risk Management first showed that top-performing organizations have begun to develop security governance, risk management and compliance (GRC) processes to more effectively allocate their finite IT resources and activities based on their business objectives and on acceptable levels of risk.

Effective Strategies

Strategies based on establishing and enforcing consistent policies for user authentication correlate most highly with current investments in strong user authentication. Our research shows that the top performers were 24 percent more likely to identify an explicit strategy to reduce the total cost of managing user authentication credentials as a driver for current investment.

With respect to selecting and implementing specific strong user authentication methods, the data reveals three distinct strategic approaches:

ol.thisol { font-weight:bold }ol.thisol span {font-weight:normal }

1. The right tool for the job. The first approach is to implement user authentication methods that are deemed most appropriate for each application and end-user population. An organization might use hardware tokens for administrative access to privileged accounts, digital certificates for employee remote access over VPN, and heuristic, risk-based scoring for online access by external customers. Management of these systems would traditionally be done independently.
2. One for all. A second approach is to strive towards a common user authentication method for all applications and end-user populations. An example of this is a U.S. federal government agency that issues smart cards in compliance with HSPD-12, as described in the December 2007 Logical/Physical Security Convergence: Is It in the Cards? benchmark report.
3. Common platform. A third approach is to move towards a common user authentication infrastructure that can manage multiple user authentication methods. The same example can be used of a company that deploys hardware tokens, digital certificates, and heuristic, risk-based scoring for different populations and purposes. The difference in this case is that the company could implement a common back end to create and enforce policies, and to manage authentication credentials more consistently over their life cycle.

We have seen, as a consistent theme across multiple studies, a strong correlation between top performance and a deliberate shift away from tactical, siloed deployments toward a more centralized infrastructure for sustainable, “continuous” security GRC. While these capabilities are still nascent, even among the top-performing companies, we clearly see them in the context of providing higher assurance for user identities through the deployment of strong user authentication.

The common platform strategy is well-aligned with the motivation to reduce the cost of managing existing strong authentication deployments. Most of the top-performing organizations have currently deployed at least one strong user authentication method in addition to user name/password, and almost half have deployed two or more strong authentication methods, replacing existing solutions with interoperable, more cost-effective alternatives.

The research demonstrates that passwords continue to be a problem, and that a rich diversity of strong authentication alternatives will continue to be available in the market. Organizations that deploy at least one strong authentication method should make an informed choice based on their own unique balance of preferences and solution attributes. They should give deliberate thought to the strategic choice they are making, between a variety of methods each with their own back-end; versus a single method for all users; versus a variety of methods with a common back-end. Solutions providers will likely evolve into “authentication specialists” who innovate around specific methods, and “authentication platforms” which can enable common support and life cycle management for multiple methods.

Choosing From a Myriad of Solutions

We have seen that the market presents organizations with a bountiful bouquet of alternatives for strong user authentication, each with its own unique balance of attributes. The four high-level categories of TCO, fit for end users, fit for the organization, and strategic fit provide a useful framework for comparing and contrasting one strong authentication method to another.

Tradeoffs will continue to be the name of the game for their ultimate selection. The good news for buyers is that the trend is towards continued variety, flexibility and choice. The “right” strong user authentication will be chosen by finding the unique balance of solution attributes and organizational attributes that make up the selection criteria for your use case and your organization.

Independent of which user authentication methods are deployed, top-performing organizations have excelled relative to their counterparts at managing user authentication credentials throughout their natural life cycle. In some cases, this will favor a more ecumenical, platform-oriented approach. Among the four high-level categories of provisioning, user support, deprovisioning and operations/management, research shows that the best performance overall is currently in the front-end aspects of provisioning. The biggest opportunities for improvement are in the areas of end-user self-service and extracting intelligence from the authentication solution. Organizations should look both to expand the deployment of strong user authentication and to improve credential life cycle management for their specific environments.

The foundations on which the results achieved by top performers are built include consistent policies for user authentication and authorization, along with clear accountability and ownership for both policy and credential life cycle management. Providing higher assurance for identities through strong user authentication is an important element of protecting information and managing risk. Those that do so are better able to realize the business benefits of better security, sustained compliance, reduced human error, reduced help desk calls and lower total cost of management.

For a more detailed analysis of this research study, please click here.

Tom Karol is a research associate in the Aberdeen Group’s technology markets area. He can be reached at [email protected].