
A Step towards Enterprise Level Password Elimination

By CIOReview | Monday, August 8, 2016

Experts say that the key practice for password protection is making it long and complex. But here comes the question: will employees and users be able to remember such complex passwords, for example '4gaETMUpqO74' or 'R4665qAtWnYN'? Forrester survey reports show that 20 percent of calls to the help desk are from users with password problems, at a cost of about USD 31 per call to resolve. Because weak, reused or phished passwords are so easily compromised, enterprises are investing substantially in authentication systems wherever the security of user accounts is crucial. Some organizations leverage an Identity and Access Management (IAM) platform, while others use authentication tokens, depending on the portability, security and utility required for the user accounts.

While traditionally the IAM principle has focused on employee use cases, customer-facing identity management extends the same identification, authentication and authorization functions to the consumers of an organization's products and services. An IAM platform does not remove passwords by itself, but it can reduce reliance on them through 'adaptive authentication': the platform weighs risk signals such as device, location and behaviour, and steps up to a second factor, typically a prompt pushed to the user's mobile device, only when the risk warrants it. What the platform exchanges with applications is not a password but an assertion that the user has already been authenticated, defined by the XML-based federation standards SAML (Security Assertion Markup Language) and WS-Federation; the application trusts the signed assertion from the identity provider instead of holding a password of its own. Because the assertion travels with the user's browser request, the system scales regardless of where the user is, and it is both user-centric and risk-aware. Enterprises can use the same SAML mechanism to authenticate employees to Google Apps and Office 365, both of which accept assertions from an enterprise identity provider.

The other authentication method widely used by enterprises is the 'token'. OATH (the Initiative for Open Authentication) is an industry consortium whose one-time-password algorithms, counter-based HOTP (RFC 4226) and time-based TOTP (RFC 6238), underpin most Two-factor Authentication (2FA) tokens in use in the enterprise. OATH defines how a hardware or software token and the right back-end software work together: the two share a secret key at enrolment, the token displays a six-digit code computed from that key and a counter or the current time, and the server recomputes the code to verify it. Deploying OATH requires OATH-compliant tokens, such as key fobs, credit-card-sized display cards, or a software token running on a phone or laptop. Both kinds are inexpensive and are normally combined with a Personal Identification Number (PIN) that the user types along with the six-digit code. So what happens if the token is lost? If someone steals it, the account stays protected as long as the PIN is not disclosed, and the user can have the IT administrator disable the old token and issue a new one. Conversely, an intruder who learns the PIN still needs the token (or its secret key) to produce a valid code, and a code that has been observed is good for one use only, which is why the back end must refuse to accept the same code twice.
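The HOTP/TOTP arithmetic that an OATH token and its back-end share, shown as an added example that is not part of the original article and not any vendor's code. It implements RFC 4226 (HOTP) and RFC 6238 (TOTP) with Python's standard library, plus a small hypothetical TokenServer that checks the PIN, re-synchronises a counter-based token within a look-ahead window, tolerates clock drift for a time-based token, and refuses a code that has already been accepted. The 20-byte key is the RFC test-vector key; the PIN, look-ahead and time values are constructed for the demonstration.

```python
"""OATH one-time passwords: HOTP (RFC 4226) and TOTP (RFC 6238), plus the
server-side checks that make PIN + six-digit code a usable second factor.
Added example, standard library only; TokenServer is a hypothetical back end."""
import hashlib
import hmac
import os
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # low nibble of last byte selects a 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    t = int(time.time()) if for_time is None else int(for_time)
    return hotp(secret, t // step, digits)


class TokenServer:
    """Hypothetical back-end record for one enrolled token (constructed for this example)."""

    def __init__(self, secret: bytes, pin: str, look_ahead: int = 5, step: int = 30):
        self.secret = secret                       # shared with the token at enrolment
        self.salt = os.urandom(16)
        self.pin_hash = self._hash_pin(pin)        # never store the PIN itself
        self.counter = 0                           # next HOTP counter value we expect
        self.look_ahead = look_ahead               # unused button presses we will tolerate
        self.step = step
        self.last_step = -1                        # last TOTP step accepted (replay guard)

    def _hash_pin(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def _pin_ok(self, pin: str) -> bool:
        return hmac.compare_digest(self._hash_pin(pin), self.pin_hash)

    def verify_hotp(self, pin: str, code: str) -> bool:
        """Accept the first match in [counter, counter + look_ahead), then move past it:
        a code that has been used (or skipped) can never be presented again."""
        if not self._pin_ok(pin):
            return False
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c).encode(), code.encode()):
                self.counter = c + 1
                return True
        return False

    def verify_totp(self, pin: str, code: str, now=None, window: int = 1) -> bool:
        """Accept the current step or +/- `window` steps for clock drift, each step only once."""
        if not self._pin_ok(pin):
            return False
        t = int(time.time()) if now is None else int(now)
        current = t // self.step
        for s in range(current - window, current + window + 1):
            if s <= self.last_step:                # already consumed: reject replays
                continue
            if hmac.compare_digest(hotp(self.secret, s).encode(), code.encode()):
                self.last_step = s
                return True
        return False


if __name__ == "__main__":
    key = b"12345678901234567890"                 # RFC 4226 / RFC 6238 test-vector key
    print(hotp(key, 0), totp(key, for_time=59))   # 755224 287082
```

The look-ahead window is what lets a user who pressed the fob a few times without logging in still authenticate; setting it large makes brute-forcing a six-digit code proportionally easier, so real back ends also rate-limit failed attempts per token.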

For enterprises leveraging cloud technology, securing access to SaaS (Software-as-a-Service) applications is a fundamental objective, and two quite different mechanisms are sold under the name Single Sign-On (SSO). The first is credential vaulting: the SSO agent securely stores the user's password for each application and replays it into the login form when the prompt appears, so the user logs in once with a single ID and password and gains seamless access to each system without remembering the others. If a stored credential is not recognized, the user is asked to log in to that account manually. This reduces the time spent re-entering passwords and discourages reuse of the corporate password at third-party sites, but it does not eliminate the per-application password; it hides it, and that password can still be phished, reset or leaked by the third party. The second mechanism is federated SSO, in which the SaaS application accepts a signed SAML assertion from the enterprise identity provider and never holds a password for the user at all. Only this form actually removes the password from the SaaS application, and it is the one Google Apps and Office 365 support.
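The checks a SaaS application (the SAML service provider, SP) has to make on the assertion it receives before it trusts the identity inside it, covering the federation mechanism mentioned under IAM above as well as federated SSO here. This is an added example, not code from the article or from any IAM vendor. It assumes the XML-DSig signature over the Assertion has already been verified and shows the semantic checks that must still follow: success status, InResponseTo matching a request this SP sent, Destination and Recipient equal to this SP's assertion consumer service (ACS) URL, a trusted Issuer, the validity window, and an Audience naming this SP. The sample Response, the idp.example.com and sp.example.com URLs, the request ID and the user alice@example.com are all constructed; the `now` parameter is injected so the example runs offline.

```python
"""Service-provider checks on a SAML 2.0 Response.  Added example, standard library only.
The XML-DSig signature over the Assertion is assumed to have been verified already."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample of what an IdP posts to the SP's ACS URL (Signature element omitted).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2016-08-08T12:00:00Z" InResponseTo="_req42"
    Destination="https://sp.example.com/saml/acs">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-08-08T12:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req42" Recipient="https://sp.example.com/saml/acs"
            NotOnOrAfter="2016-08-08T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2016-08-08T11:59:00Z" NotOnOrAfter="2016-08-08T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Hypothetical configuration of this SP and the moment at which it receives the sample.
SP = dict(expected_issuer="https://idp.example.com/metadata",
          expected_audience="https://sp.example.com/metadata",
          acs_url="https://sp.example.com/saml/acs", request_id="_req42")
DEMO_NOW = datetime(2016, 8, 8, 12, 1, 0, tzinfo=timezone.utc)


class SamlError(Exception):
    """The response must not be accepted; the message is safe to log."""


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text: str, *, expected_issuer: str, expected_audience: str,
                      acs_url: str, request_id: str, now: datetime,
                      skew: timedelta = timedelta(minutes=3)) -> str:
    """Return the asserted NameID or raise SamlError. `request_id` is the ID of the
    AuthnRequest this SP sent and still has outstanding (reject unsolicited/replayed responses)."""
    # xml.etree has no entity-expansion defences; a production SP should parse with defusedxml
    # and verify the XML-DSig signature (e.g. python3-saml / xmlsec) before reaching this point.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlError("not a samlp:Response")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise SamlError("IdP did not report Success")
    if root.get("InResponseTo") != request_id:
        raise SamlError("InResponseTo does not match an outstanding AuthnRequest")
    if root.get("Destination") not in (None, acs_url):
        raise SamlError("Destination is not this SP's ACS URL")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlError("expected exactly one Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", default="", namespaces=NS).strip() != expected_issuer:
        raise SamlError("Assertion Issuer is not the trusted IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        raise SamlError("Assertion has no bounded Conditions")
    if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")) - skew:
        raise SamlError("Assertion not yet valid")
    if now >= _ts(cond.get("NotOnOrAfter")) + skew:
        raise SamlError("Assertion has expired")
    audiences = [x.text.strip() for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if x.text]
    if expected_audience not in audiences:   # an assertion minted for another SP must not log in here
        raise SamlError("audience mismatch")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("NotOnOrAfter") is None:
        raise SamlError("missing or unbounded SubjectConfirmationData")
    if scd.get("Recipient") != acs_url or scd.get("InResponseTo") != request_id:
        raise SamlError("bearer confirmation was issued for another recipient or request")
    if now >= _ts(scd.get("NotOnOrAfter")) + skew:
        raise SamlError("bearer confirmation has expired")
    name_id = a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        raise SamlError("no NameID in Subject")
    return name_id


def outcome(xml_text: str, **kw):
    """('ok', name_id) or ('rejected', reason); handy for logging and tests."""
    try:
        return ("ok", validate_response(xml_text, **kw))
    except SamlError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    print(outcome(SAMPLE_RESPONSE, now=DEMO_NOW, **SP))   # ('ok', 'alice@example.com')
```

The audience and InResponseTo checks are the ones most often skipped in hand-rolled SP code; without them a valid assertion issued for a different application, or one captured earlier, would be accepted.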

These developments in securing users' identities promise a future that is password free, in which the 'Forgot Password?' link disappears, or at the very least password-related calls to the help desk become rare. What the enterprise needs is to make access control as frictionless as possible, so that authorized people can reach corporate resources and data and get the most utility out of them without resorting to passwords. That contributes to the individual's success as well as to that of the enterprise.