EDITOR’S QUESTION
Richard Meeus, Security Technology and Strategy Director, EMEA at Akamai
Fundamentally, passwords suck. They have been a thorn in the side of IT professionals for decades, from the days when 40% of a helpdesk’s time was spent helping users change their passwords, to the poor advice of asking users to update their passwords every 90 days and make them really complex, every single time.
The fact that passwords are so ubiquitous, and are seen as the default mechanism for user authentication, means they are often used without considering the wider picture. This is evident in our public health service, where a myriad of systems with different accounts creates significant delays when staff need to log in. Single Sign-On (SSO), a technology that has been around for many years, is being used to try to address this delay. But if it still revolves around a username and password, then staff are still tasked with remembering a complex password, and that one password now unlocks every system behind the SSO, so a single phished or reused credential goes much further than it did before.
The NHS is looking to adopt Multi-Factor Authentication (MFA), a process that is more secure because it only grants a user access once they present two or more pieces of evidence from different categories. Users prove their identity by passing a combination of verification stages, providing something they know (a password or PIN), something they have (a token or a registered phone), or something they are (a biometric). As a result, we are now able to take this to the stage where a password is no longer necessary: users could sign on with something they ‘have’, such as a hardware token, and something they ‘are’, using their fingerprint.
We have adopted this internally here at Akamai, where we use a combination of push authentication to mobile devices and certificates on company laptops to provide a password-less experience.
Moving away from passwords, or at least complementing them with another factor of authentication, is important considering the volume of data breaches we witness on a daily basis. As users, we are fundamentally
lazy and will often reuse passwords across many sites. Witness the recent ‘attacks’ on two high street retailers, where usernames and passwords stolen in previous breaches were used to perform Account Takeover (ATO), in which the criminals seek to monetise whatever is within the account, normally by cashing out vouchers or gift cards. The fact that both were high street retailers with significant online business adds interest from an attacker’s perspective. Normally a ‘credential stuffer’, somebody who takes these breached usernames and passwords and tries to find ones that work on a new site, can expect a 1–2% hit rate. If the cybercriminals target the same verticals, the hit rate can be significantly higher: if one were to draw a Venn diagram of the users of both stores, there would be a high probability of significant overlap, ensuring the attackers get more bang for their buck.
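The credential-stuffing pattern described above has a recognisable shape in login logs: one source, a long list of different usernames tried about once each, and a low but non-zero success rate. The following Python script, added here as an illustration and not taken from the original article or from any Akamai product, flags sources matching that shape and lists the accounts that were taken over. The log line format, the IP addresses and usernames, and the detection thresholds are all constructed assumptions for the example.

```python
"""Flag credential-stuffing sources in login logs (added example).

A credential stuffer replays username/password pairs from old breaches against a
new site. In the logs that looks unlike a brute force: ONE source tries MANY
DIFFERENT usernames, about once each, and only a small fraction (the article's
1-2%) succeed. Group login events by source IP, flag sources with that shape,
and list the accounts that were taken over so they can be locked and re-secured.
Log format, IP addresses and usernames are constructed for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed format (not a real product's): <ts> ip=<src> user=<name> result=<OK|FAIL>
LINE_RE = re.compile(r"^\S+ ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


@dataclass
class SourceStats:
    attempts: int = 0
    successes: int = 0
    users: set = field(default_factory=set)        # distinct usernames tried
    compromised: set = field(default_factory=set)  # usernames that logged in OK

    @property
    def hit_rate(self) -> float:
        return self.successes / self.attempts if self.attempts else 0.0


def parse_line(line):
    """Return (ip, user, success) for a login event, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return m.group("ip"), m.group("user"), m.group("result") == "OK"


def aggregate(lines):
    """Group login events by source IP."""
    stats = defaultdict(SourceStats)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, user, ok = parsed
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes += 1
            s.compromised.add(user)
    return stats


def detect_stuffing(lines, min_users=20, min_user_ratio=0.8, max_hit_rate=0.05):
    """Return {ip: SourceStats} for sources that look like credential stuffing.

    min_users rules out a small office NAT; min_user_ratio (distinct users /
    attempts) near 1.0 means each pair was tried about once, so a brute force
    (one user, many attempts) is NOT flagged here; max_hit_rate reflects that
    stuffing rarely succeeds. The thresholds are illustrative assumptions.
    """
    flagged = {}
    for ip, s in aggregate(lines).items():
        if (len(s.users) >= min_users
                and len(s.users) / s.attempts >= min_user_ratio
                and s.hit_rate <= max_hit_rate):
            flagged[ip] = s
    return flagged


def compromised_accounts(lines, **kwargs):
    """Usernames that authenticated successfully from a flagged source."""
    taken_over = set()
    for s in detect_stuffing(lines, **kwargs).values():
        taken_over |= s.compromised
    return taken_over


def build_sample_log():
    """Constructed sample: one stuffer, one brute forcer, one office NAT."""
    lines = []
    # Stuffer: 100 breached pairs replayed once each; 2 are still valid (2%).
    for i in range(100):
        result = "OK" if i in (17, 58) else "FAIL"
        lines.append(f"2024-03-01T10:00:{i % 60:02d}Z ip=203.0.113.7 user=user{i:03d} result={result}")
    # Brute force: one account hammered 30 times (a different attack, different rule).
    lines += [f"2024-03-01T10:05:{i:02d}Z ip=198.51.100.9 user=admin result=FAIL" for i in range(30)]
    # Office NAT: six staff log in normally, one typo, plus a non-login line.
    for name in ("amy", "ben", "cho", "dev", "eli", "fay"):
        lines.append(f"2024-03-01T10:10:00Z ip=192.0.2.5 user={name} result=OK")
    lines.append("2024-03-01T10:10:01Z ip=192.0.2.5 user=ben result=FAIL")
    lines.append("2024-03-01T10:10:02Z ip=192.0.2.5 health-check GET /status 200")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for ip, s in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {s.attempts} attempts, {len(s.users)} users, hit rate "
              f"{s.hit_rate:.1%}, compromised: {sorted(s.compromised)}")
```

The rule deliberately separates stuffing from brute force: a brute forcer hammering one account trips a per-account lockout, whereas a stuffer touches each account only once and is visible only when you pivot on the source. The successful logins from a flagged source are the ATO cases to act on (force a reset, revoke sessions, review gift-card activity), which is the point at which a second factor would have stopped the replayed password from being enough.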
For businesses, reducing reliance on passwords, implementing SSO and adding MFA is an important step. However, if that cannot be done, due to lower IT management budgets or the operational nature of the business, then password managers are essential to ensure good, random, unique passwords are used. Uniqueness is what matters most against credential stuffing: a password that exists only for one site is worthless to an attacker once that site is breached.
INTELLIGENTCIO