“Our reliance on passwords presents a tempting target for malicious actors. [..] Consequently, we are making it too easy for those who seek to do harm, whether they be nation-states, well-organized criminal groups, or online thieves.”
This chilling quote comes from the newly published report of the Commission on Enhancing National Cybersecurity, a detailed blueprint for securing and growing the digital economy of the United States (https://www.nist.gov/sites/default/files/documents/2016/12/02/cybersecurity-commission-report-final-post.pdf). Published by the National Institute of Standards and Technology (NIST), which supported the Commission's work, the 100-page report draws on advice from security experts across the US and is the result of 10 months' research.
While the full report covers a broad range of information security issues, one of the key areas is how to encourage individuals and companies to carry out basic security measures – especially by preventing unauthorized access to their systems and data.
“Many organizations and individuals still fail to do the basics. Malicious actors continue to benefit from organizations’ and individuals’ reluctance to prioritize basic cybersecurity activities and their indifference to cybersecurity practices. These failures to mitigate risk can and do allow malicious actors of any skill level to exploit some systems at will,” the report says.
More specifically, it focuses on the dangers of relying, as so many systems still do, on the simple username-and-password model for authenticating users. “Strong identity management is key to much of what we do in the digital economy,” it says. “In 2004, an industry leader [Bill Gates] predicted the demise of the traditional password because it cannot ‘meet the challenge’ of keeping critical information secure.”
Gates was right, but his prediction was somewhat premature. As the report points out: “A review of the major breaches over the past six years reveals that compromised identity characteristics have consistently been the main point of entry [for hackers].”
In other words, stolen passwords tend to offer the most common route into systems targeted by hackers.
Having established the challenges, the report makes a series of 16 major recommendations covering all aspects of digital security. One of these covers the need for strong authentication.
It says: “The next Administration should launch a national public–private initiative to achieve major security and privacy improvements by increasing the use of strong authentication to improve identity management.”
It adds (action 1.3.1): “The next Administration should require that all Internet-based federal government services provided directly to citizens require the use of appropriately strong authentication.”
And (action 1.3.2): “The next Administration should direct that all federal agencies require the use of strong authentication by their employees, contractors, and others using federal systems.”
The NIST report provides a timely reminder of the dangers of relying solely on passwords for user authentication. Strong authentication, meaning two-factor or multi-factor authentication, closes off the hackers' favourite route into someone else's systems.
If the system insists on a second factor for authentication, for example a one-time passcode sent to the legitimate user's mobile phone or generated by an app on it, then a stolen password is no longer enough on its own. The code must be short-lived and usable only once, so that a code captured in transit cannot simply be replayed. The hacker is stopped in their tracks.
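To make the server-side check concrete, here is an added example of a login that requires both a password and a one-time passcode. It is illustrative code written for this article, not SecurEnvoy's product code. It implements HOTP and TOTP as specified in RFC 4226 and RFC 6238 (the shared-secret scheme used by authenticator apps; an SMS-delivered code is checked the same way once the server knows which code it issued). The account record, the PBKDF2 password-hashing parameters and the one-step clock-skew window are assumptions made for the example.

```python
"""Two-factor login check: password plus time-based one-time passcode (TOTP).

Added example, not code from SecurEnvoy or the NIST report. The Account
record, PBKDF2 parameters and skew window are illustrative assumptions.
"""
import hashlib
import hmac
import secrets
import struct
import time

PBKDF2_ITERATIONS = 100_000  # assumption: tune to your hardware in production


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 of the counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash so a leaked database is not a leaked password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class Account:
    """What the server stores per user (assumed layout): a salted password hash,
    the OTP secret shared with the user's device, and the last counter accepted."""

    def __init__(self, password: str, otp_secret: bytes):
        self.salt = secrets.token_bytes(16)
        self.password_hash = hash_password(password, self.salt)
        self.otp_secret = otp_secret
        self.last_otp_counter = -1  # replay guard: each code is accepted at most once


def verify_login(account: Account, password: str, otp_code: str,
                 now=None, step: int = 30, window: int = 1):
    """Return (accepted, reason). Both factors must pass.

    A stolen password alone fails the second check. A captured one-time code
    fails on reuse because counters at or below the last accepted one are
    refused. `window` time steps either side are tolerated for clock skew.
    The failure reason is deliberately generic so an attacker cannot tell
    which factor was wrong."""
    if now is None:
        now = int(time.time())

    # Factor 1: password, compared in constant time on the derived hash.
    candidate = hash_password(password, account.salt)
    password_ok = hmac.compare_digest(candidate, account.password_hash)

    # Factor 2: one-time code, checked against the skew window minus consumed counters.
    counter = now // step
    matched = None
    for c in range(counter - window, counter + window + 1):
        if c <= account.last_otp_counter:
            continue  # already used (or older than a used code): replay
        expected = hotp(account.otp_secret, c).encode("ascii")
        if hmac.compare_digest(expected, otp_code.encode("utf-8")):
            matched = c
            break

    if password_ok and matched is not None:
        account.last_otp_counter = matched  # consume the code only on full success
        return True, "ok"
    return False, "authentication failed"


if __name__ == "__main__":
    secret = secrets.token_bytes(20)  # provisioned to the user's device once
    acct = Account("correct horse battery staple", secret)
    now = int(time.time())
    print(verify_login(acct, "correct horse battery staple", "123456", now))  # password only
    code = totp(secret, now)
    print(verify_login(acct, "correct horse battery staple", code, now))      # both factors
    print(verify_login(acct, "correct horse battery staple", code, now))      # same code again
```

Run stand-alone, the three lines print a rejection for the password on its own, an acceptance when the fresh code is supplied, and a second rejection when the same code is replayed. The counter is consumed only when both factors pass, so an attacker who has captured a code but not the password cannot burn it before the legitimate user logs in.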
As SecurEnvoy has demonstrated with companies around the world, multi-factor authentication is no longer expensive or hard to implement. On the contrary, SecurEnvoy can provide an organisation with a solution within a couple of hours in some cases, with no special tokens required, and with virtually no administrative overhead.