Ten CISOs from across industries have predicted that the days are numbered for the password as the sole authentication method. They see enterprises moving to augment or supplant the traditional password with advanced technologies, such as biometrics.
Security Current, an information and collaboration company, talked with various CISOs and found that they agree passwords are inherently flawed because they depend on users to create and remember complex sequences of letters, numbers and characters. However, they found that users tend to take the path of least resistance, selecting sequences that are easy to remember – and often easy to crack.
"Despite industry-wide efforts to reinforce this method of authentication and the number of methods available to encrypt and store passwords, the fact that remains is that creating good passwords – and safeguarding them – is as difficult as rocket science," said Nikk Gilbert, ConocoPhillips director of global information protection and assurance.
Aaron's, Inc. CISO Chris Bullock isn't as quick to dismiss the password, and suggests it is a necessary layer in a multi-faceted authentication schema.
"Just like the locks on our front doors can't stop a determined burglar or home invader 100% of the time, we continue to invest in door locks and alarms to protect our property," said Bullock. "When used correctly, passwords can still be an effective layer of defense, yet we should continue to innovate in the area of authentication."
Aetna CISO Jim Routh agrees that no single method of authentication by itself is sufficient, and although technologies like multi-factor authentication and smart cards have been available for years, they do not have the frictionless ease of use that is required for large-scale consumer adoption. And according to Valley Health CISO Frank Bradshaw, this is why the industry is moving towards a "who you are" not "what you have" approach.
They noted that next-generation technology, such as biometrics, and adaptive cognitive and behavioral techniques, can reduce risk and provide a relatively seamless user experience. But there is general consensus that, although the industry will continue to innovate and evolve, no method will work 100% of the time.
"Biometrics or multi-leveled, behavioral-based techniques will improve the future of authentication," said Molson Coors CISO Christine Vanderpool. "But managing appropriate levels of access is also critical to data protection because at the end of the day, the bad actors will continue to find ways to steal the information you are protecting if they want it badly enough."