Passwordless authentication that seamlessly combines security and user experience is crucial for better user protection in an enterprise. Still, most enterprises stick to password-based authentication, which is not only weak but outright risky. Only some organizations move on to more secure systems.
There are various sufficiently reliable authentication methods, for example password managers, single sign-on technology, and multi-factor authentication. Each of them has its own methodology and a unique set of advantages. However, they also have their drawbacks.
Although passwords are the most common authentication method, they are considered the least reliable. The risks of this method are huge and outweigh its supposed convenience. According to Verizon's 2021 Data Breach Investigations Report, 61% of breaches involve credentials. Despite this, passwords remain our default authentication method and often the only authentication method for enterprise systems and applications. The question is, why do we stick to an outdated authentication method that has long disappointed users while benefiting attackers?
Three main authentication categories make up for the shortcomings of password authentication: password managers, single sign-on (SSO), and multi-factor authentication (MFA).
Password managers generate, store, and automatically fill in passwords, so users need to remember only one master password. This method addresses the primary causes of human error in authentication, including our tendency toward short, weak, templated, or recycled passwords. As a result, password managers can significantly improve password hygiene and simplify the login process.
Unfortunately, password managers are not effective authentication tools for large user bases such as enterprises. They assist with the generation and use of employee passwords, but they lack enforcement. Password managers cannot control how employees create and interact with each password; they only nudge employees in the right direction if and when an employee chooses to use one.
Inconsistent use and weak enforcement of password managers also make real visibility into the environment's application inventory difficult; as a result, accounts not protected by a password manager form an unknown number of gaps and missed detections. Conversely, the use of corporate password managers for personal accounts generates false alarms that security analysts must triage.
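The hygiene problems listed above (short, weak, templated, and recycled passwords) are exactly what a password manager's generator avoids and what an audit can detect. The following added example is not from the original article or from any password manager product; it generates a password from a cryptographically secure random source and audits a constructed, illustrative set of accounts against those four failure modes. The 14-character minimum, the template pattern, and the account names are assumptions chosen for the demonstration.

```python
import re
import secrets
import string
from collections import defaultdict
from typing import Dict, List

# Character set a manager draws from; secrets.choice uses the OS CSPRNG.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 14  # assumed policy threshold for this example, not from the article

# Assumed "template" shape: Capitalised word + 2-4 digits + optional symbol,
# e.g. a season or month followed by a year, rotated on every password change.
TEMPLATE_RE = re.compile(r"^[A-Z][a-z]+\d{2,4}[!@#$%^&*]?$")


def generate_password(length: int = 20) -> str:
    """Generate a random password the way a password manager would."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def charset_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(any(ch in cls for ch in password) for cls in classes)


def audit(accounts: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each finding ('short', 'weak', 'templated', 'recycled') to the
    accounts affected. accounts is {account_name: password}; a real audit
    would compare salted hashes rather than plaintext, but the logic is the same."""
    findings: Dict[str, List[str]] = {
        "short": [], "weak": [], "templated": [], "recycled": []}
    by_password = defaultdict(list)
    for name, pw in accounts.items():
        by_password[pw].append(name)
        if len(pw) < MIN_LENGTH:
            findings["short"].append(name)
        if charset_classes(pw) < 3:
            findings["weak"].append(name)
        if TEMPLATE_RE.match(pw):
            findings["templated"].append(name)
    # Recycled: the same password protects more than one account.
    for names in by_password.values():
        if len(names) > 1:
            findings["recycled"].extend(names)
    return findings


# Constructed sample inventory for the demonstration (not real credentials).
SAMPLE_ACCOUNTS = {
    "crm": "Summer2021!",            # templated and recycled
    "hr-portal": "Summer2021!",      # templated and recycled
    "vpn": "hunter2",                # short and weak
    "wiki": "q7!Lp2#zR9@vX4&mK1",    # manager-style random password, passes
}

if __name__ == "__main__":
    for finding, names in audit(SAMPLE_ACCOUNTS).items():
        print(f"{finding:10s} {names}")
    print("fresh password:", generate_password())
```

The audit reports `crm` and `hr-portal` as both templated and recycled, `vpn` as short and weak, and nothing for `wiki`; only the generated password is free of all four findings, which is the property the article attributes to password managers.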
MFA and Single Sign-On
Security Assertion Markup Language (SAML) is a modern single sign-on standard for access control. It is particularly beneficial for securing the growing use of enterprise applications.
The solution allows users to log in to multiple accounts with a single set of credentials. Unfortunately, many enterprises find it difficult to realize the full potential of SSO.
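In a SAML login the identity provider issues an assertion about the user and the application (the service provider) must validate it before granting access. The following added example is not from the original article or from any SAML library; it parses a constructed assertion and checks the conditions a service provider enforces, namely the NotBefore/NotOnOrAfter validity window, the audience restriction, and the presence of a subject. Signature verification, which requires an XML-DSig implementation and must succeed before any of these checks mean anything, is deliberately outside this example. The issuer, audience, subject, timestamps, and the 60-second clock-skew allowance are assumptions for the demonstration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import List

# SAML 2.0 assertion namespace (from the OASIS standard).
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample assertion for the demonstration.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-id" Version="2.0" IssueInstant="2021-06-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2021-06-01T12:00:00Z" NotOnOrAfter="2021-06-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://crm.example.com/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are ISO 8601 in UTC with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_conditions(xml_text: str, expected_audience: str,
                     now: datetime, skew_seconds: int = 60) -> List[str]:
    """Return the list of reasons to reject the assertion; empty means the
    conditions hold. Run only after the XML signature has been verified.
    For untrusted input prefer a hardened parser such as defusedxml."""
    root = ET.fromstring(xml_text)
    problems: List[str] = []
    skew = timedelta(seconds=skew_seconds)

    if root.find("saml:Subject/saml:NameID", NS) is None:
        problems.append("missing Subject NameID")

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions element")
        return problems

    # Validity window, with a small allowance for clock drift between IdP and SP.
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now + skew < parse_saml_time(not_before):
        problems.append("assertion not yet valid")
    if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
        problems.append("assertion expired")

    # The assertion must name this service provider, otherwise an assertion
    # issued for one application could be replayed against another.
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS)
                 if a.text]
    if not audiences:
        problems.append("missing AudienceRestriction")
    elif expected_audience not in audiences:
        problems.append("audience mismatch")
    return problems


if __name__ == "__main__":
    at = datetime(2021, 6, 1, 12, 2, tzinfo=timezone.utc)
    print("accepted" if not check_conditions(
        SAMPLE_ASSERTION, "https://crm.example.com/", at) else "rejected")
```

Evaluated two minutes into the window for the CRM audience the sample is accepted; the same assertion presented ten minutes later, or to a different service provider, is rejected with a specific reason, which is the information a service provider should log rather than silently granting or denying access.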
Identity providers often offer several IAM solutions to address the prevalence of shadow accounts. These turn out to be significantly more expensive once the operational overhead of implementing single sign-on and the licensing costs are taken into account.
Like single sign-on, MFA solutions cannot provide full enterprise coverage in practice. Even if staff spend less time on security issues after MFA is implemented, they will spend roughly the same amount of time keeping the MFA deployment current.
To emphasize the importance of that time, consider businesses that adopt an average of more than ten applications per month while onboarding only four of them to single sign-on providers. This means that a significant backlog of almost ten unprotected applications accumulates each month.
How to Reduce Risks
Nowadays it is difficult to avoid using passwords, and it is risky to assume that any password protection tool is better than nothing. In addition to the risk they create, they often annoy users. The authentication space is still waiting for alternative methods that can replace the existing ones. Such methods should be effective and safe, and preferably deployable with minimal manual effort.
An inventory of applications is the first important step towards more advanced IAM solutions and towards regaining control over the security of enterprise passwords. Each account connected to a corporate environment poses a significant risk and should be treated as such; an application with a single user login can be just as risky as one with hundreds.
Risk classification in such circumstances helps determine how best to allocate time and resources for password protection. Data-driven analysis can and should help predict the impact or likelihood of a breach for each risk category, so that decisions are informed.
Finally, the cybersecurity industry must collectively find new and better ways to hold the line until we reach a better, password-free place. We are in an era when business applications are increasingly self-service in order to maximize agile adoption. If it is impossible to eliminate all password vulnerabilities in user accounts, organizations should instead learn to shift the paradigm of access to business applications towards self-management.
The article was originally written by Idan Fast and can be found here. This article was rewritten and abridged to be published here.