Intelligent CISO Issue 35 | Page 28

Passwords are destined to remain key when creating secure infrastructures, but will represent just one component of a more sophisticated authentication process.
Editor's question

Start a conversation about IT security and it won't be long before the subject of passwords is raised. A cornerstone of security infrastructures for years, passwords, when used as the sole authentication method, have become a real security challenge for businesses. This is mainly due to the inherently insecure nature of passwords. Lax practices such as writing them down and never changing them can make them a relatively easy gateway into centralised IT resources. As a result, some envision a passwordless future where other security measures will take their place. If passwords are replaced by just biometrics or a hardware token, then the system is still only offering a single factor of authentication. While probably better than a password, these still fall well short of strong authentication.

To secure business assets, strong authentication should feature multiple factors of authentication:
1. Something you know (a password or a PIN)
2. Something you have (a security token or smartphone)
3. Something you are (a biometric)
4. Somewhere you are (geolocation)
A layered approach
Passwords are destined to remain key when creating secure infrastructures, but will represent just one component of a more sophisticated authentication process. For this reason, ensuring passwords remain secure is important. Some of the steps that can be taken to ensure this include:
• Use long passwords of more than 16 characters to improve their security against brute-force attacks
• Consider using non-English words to help guard against so-called 'dictionary attacks'
• Adopt a password manager to avoid having to remember large numbers of individual passwords for different applications
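The first two recommendations above can be turned into a simple policy check that also shows why length matters. The following Python is an added example, not code from the article or from WatchGuard: it estimates the brute-force search space a password presents, flags passwords that are not longer than 16 characters, and rejects passwords that contain a word from a wordlist. The wordlist and the attacker guess rate are constructed assumptions for illustration; a real deployment would use a large cracking dictionary and a rate appropriate to the hash in use.

```python
import math
import string

# Constructed stand-in for a cracking dictionary (assumption, not from the
# article). A real check would load a large wordlist, including non-English ones.
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "letmein", "qwerty", "dragon"}

# The article's recommendation: more than 16 characters.
MIN_LENGTH_EXCLUSIVE = 16

# Assumed attacker throughput for the estimate; offline cracking rates vary by
# orders of magnitude depending on the hash, so this figure is illustrative only.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365 * 24 * 3600

# Character classes and the alphabet size each one adds to the search space.
CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), 32),
)


def charset_size(password: str) -> int:
    """Alphabet size an exhaustive attacker must cover, inferred from the
    character classes the password actually uses."""
    size = 0
    for members, class_size in CLASSES:
        if any(ch in members for ch in password):
            size += class_size
    # Characters outside the four classes (spaces, accented letters) are counted
    # individually so they still widen the search space.
    extras = {ch for ch in password if not any(ch in m for m, _ in CLASSES)}
    return size + len(extras)


def brute_force_bits(password: str) -> float:
    """log2 of the keyspace a brute-force search has to cover."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def worst_case_crack_years(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Years to exhaust the keyspace at the assumed guess rate."""
    return 2 ** brute_force_bits(password) / rate / SECONDS_PER_YEAR


def contains_dictionary_word(password: str, dictionary=SAMPLE_DICTIONARY) -> bool:
    """True if any wordlist entry appears inside the password, case-insensitively."""
    lowered = password.lower()
    return any(word in lowered for word in dictionary)


def evaluate_password(password: str) -> dict:
    """Apply the length and dictionary rules and report the keyspace estimate."""
    reasons = []
    if len(password) <= MIN_LENGTH_EXCLUSIVE:
        reasons.append(f"length {len(password)} is not more than {MIN_LENGTH_EXCLUSIVE}")
    if contains_dictionary_word(password):
        reasons.append("contains a dictionary word")
    return {
        "ok": not reasons,
        "bits": round(brute_force_bits(password), 1),
        "years": worst_case_crack_years(password),
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed sample passwords: one short and dictionary-based, one long.
    for pw in ("Summer2024!", "Tr0ub4dor-Vesper-Lantern9x"):
        print(pw, evaluate_password(pw))
```

The keyspace estimate is deliberately a worst case for the attacker (every character drawn uniformly from the inferred alphabet); real guesses are ordered by likelihood, which is exactly why the dictionary rule sits alongside the length rule rather than replacing it.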
The importance of Multi-Factor Authentication
An effective layered approach to security uses Multi-Factor Authentication (MFA). Passwords are one element of MFA, which also requires other factors such as a generated PIN or fingerprints and facial scans.
It's important to note, however, that not all MFA platforms are created equally, and some are more secure than others. For example, the most common approach – where a user receives a text message containing a generated code that must be entered to gain access to a system – has a weakness because it is possible for a hacker to intercept the message and gain access.
A much better approach is to adopt a push notification-based solution. This approach makes use of an encrypted channel to send authentication request verifications to a user's smartphone. Because of the way in which this notification is sent, it is significantly more secure than a text message-based equivalent. It is also just as convenient.

Mark Sinclair, Regional Director Australia, New Zealand and Pacific Islands, WatchGuard Technologies
To make things even more secure, organisations can require users to use a third type of authentication when requesting access. For example, users may need to enter a password, approve a secure push notification and offer a biometric factor such as a fingerprint. All three must be provided before any access is granted.
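The "all three must be provided" rule above, together with the four factor categories listed earlier, can be expressed as a small access-decision policy. The Python below is an added example, not code from the article or from WatchGuard: each factor check (password verification, push approval, biometric match) is assumed to have already produced a verified/not-verified outcome, and the policy then requires at least one verified factor from each of the three categories. The point it demonstrates is that two factors of the same category, such as a password plus a PIN, count as one category and do not satisfy the policy.

```python
from dataclasses import dataclass
from enum import Enum


class FactorType(Enum):
    """The four categories from the article's list."""
    KNOWLEDGE = "something you know"     # password, PIN
    POSSESSION = "something you have"    # push-capable smartphone, hardware token
    INHERENCE = "something you are"      # fingerprint, face
    LOCATION = "somewhere you are"       # geolocation


@dataclass(frozen=True)
class FactorResult:
    """Outcome of one factor's own verification step (assumed to run elsewhere)."""
    name: str               # label for logging, e.g. "password", "push", "fingerprint"
    factor_type: FactorType
    verified: bool


# Constructed policy (assumption): the three-step flow the article describes.
THREE_FACTOR_POLICY = (FactorType.KNOWLEDGE, FactorType.POSSESSION, FactorType.INHERENCE)


def verified_types(results):
    """Distinct factor categories that passed verification."""
    return {r.factor_type for r in results if r.verified}


def access_decision(results, required=THREE_FACTOR_POLICY):
    """Grant only when every required category is covered by a verified factor.
    A failed or absent factor leaves its category unsatisfied; extra factors of an
    already-satisfied category add nothing."""
    satisfied = verified_types(results)
    missing = [t.value for t in required if t not in satisfied]
    if missing:
        return False, "denied: missing " + ", ".join(missing)
    return True, "granted"


if __name__ == "__main__":
    # Constructed sample outcomes for one login attempt.
    password = FactorResult("password", FactorType.KNOWLEDGE, True)
    pin = FactorResult("pin", FactorType.KNOWLEDGE, True)
    push = FactorResult("push", FactorType.POSSESSION, True)
    fingerprint = FactorResult("fingerprint", FactorType.INHERENCE, True)

    print(access_decision([password, push, fingerprint]))  # all three categories
    print(access_decision([password, pin, push]))          # two knowledge factors, no biometric
```

Keeping the policy as a list of required categories rather than a count of factors is what prevents a configuration from quietly degrading to single-category authentication.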
While there may initially be pushback from users when required to take these extra steps, the additional security they provide is well worth the effort. Take the time to explain to your IT users why the new requirements are being put in place and the benefits that they deliver.
Maintaining passwords as part of an MFA-based authentication system makes sense and is likely to remain the best approach for organisations for some time to come. If you are still relying on passwords alone, now is the time for change.
www.intelligentciso.com