Every year, organizations work harder to strengthen password protections, yet passwords remain an increasingly attractive attack vector. Weak or stolen credentials were involved in 81% of hacking-related breaches last year, up from 63% the year before, according to the latest Verizon Data Breach Investigations Report.
Part of the problem is that password policies have traditionally pursued security at the expense of the user experience. Imposing stringent complexity requirements, enforcing strict password aging, forbidding reuse, or all of the above tends to create an environment that is less secure, not more. When users are given passwords that are hard to remember, or that they have to change often, who can blame them for using the same password everywhere? That puts organizations at greater risk, because a single stolen password then opens every account it was reused on.
A recent Gartner report suggests the answer isn’t to stop using passwords; it’s to go beyond them, focusing less on crafting the perfect password policy and more on adopting robust authentication and other controls. In Don’t Waste Time and Energy Tinkering with Password Policies, Gartner analyst Ant Allan suggests an approach that includes risk-based authentication to balance security concerns against the user experience.
What Matters More, Security or Convenience?
Secure access today has to strike a balance between the security that IT teams value and the convenience that business users prize.
Err on the side of security by demanding long, complex passwords, and users will end up writing them down, or using the same one across every application. Err on the side of convenience, with too-lax password policies, and you make credentials-based attacks too easy. Either way, it's like deadbolting the front door and then leaving the key under the mat.
Risk-Based Authentication: Increase Security and Reduce User Burden
Multi-factor authentication adds another dimension of security beyond passwords, but the last thing organizations need is to make users reauthenticate constantly just to prove they are who they say they are.
Risk-based authentication is a better alternative. It applies analytics to the context of each login attempt (for example the device, location and network it comes from, and how that compares with the user's normal pattern) and requires additional authentication only when unusual login behavior or other suspicious circumstances warrant it.
But Wait, There’s More: Threat Detection and Other Controls
Technical controls have an important role to play in reducing risks that passwords alone can't address. Endpoint protection, for example, can detect malware on the device a user is logging in from, and a modern SIEM can surface suspicious activity around an account before or during login.
If such controls are integrated with the authentication layer, their signals can automatically step up authentication or block access when necessary. A login from a device with a known active threat, for example, should not be let through on a password alone, however good that password is.
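To make the two preceding ideas concrete, here is an added example of a small risk-based authentication decision engine. It is illustration written for this page, not code from the original post, from Gartner or from any vendor product. It scores each login from context signals (unknown device, impossible travel, recent failed attempts, IP reputation) and from an integrated endpoint-threat signal, then returns allow, step-up MFA, or block. Every signal name, weight, threshold and sample login below is an assumption chosen for the example; a real deployment would tune them from its own login telemetry and threat feeds.

```python
"""Risk-based (adaptive) authentication decision engine.

Added illustration, not code from the original page, Gartner or any vendor.
Signal names, weights, thresholds and the sample logins are assumptions made
for this example; a real deployment would tune them from its own telemetry.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Assumed policy thresholds: below STEP_UP allow, STEP_UP..BLOCK-1 challenge
# with a second factor, BLOCK and above refuse the login outright.
STEP_UP_THRESHOLD = 30
BLOCK_THRESHOLD = 70
MAX_PLAUSIBLE_SPEED_KMH = 1000  # faster than this between logins = "impossible travel"


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    lat: float
    lon: float
    time: datetime


@dataclass
class UserHistory:
    known_devices: set = field(default_factory=set)
    last_login: Optional[LoginAttempt] = None
    failed_attempts_last_hour: int = 0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = (sin(radians(lat2 - lat1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(a))


def score_attempt(attempt, history, device_threat=False, bad_ip_reputation=False):
    """Combine login-context signals and integrated threat signals (endpoint
    protection, SIEM, IP reputation) into one risk score. Weights are assumed."""
    score, reasons = 0, []
    if attempt.device_id not in history.known_devices:
        score += 30
        reasons.append("unknown device")
    prev = history.last_login
    if prev is not None:
        dist = haversine_km(prev.lat, prev.lon, attempt.lat, attempt.lon)
        hours = (attempt.time - prev.time).total_seconds() / 3600
        if dist > 0 and (hours <= 0 or dist / hours > MAX_PLAUSIBLE_SPEED_KMH):
            score += 40
            reasons.append("impossible travel")
    if history.failed_attempts_last_hour >= 5:
        score += 20
        reasons.append("recent failed attempts")
    if bad_ip_reputation:
        score += 30
        reasons.append("bad IP reputation")
    if device_threat:  # endpoint tool reports active malware: enough on its own to block
        score += 70
        reasons.append("active threat on device")
    return score, reasons


def decide(score):
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= STEP_UP_THRESHOLD:
        return "step_up_mfa"
    return "allow"


def evaluate(attempt, history, **signals):
    score, reasons = score_attempt(attempt, history, **signals)
    return {"decision": decide(score), "score": score, "reasons": reasons}


def run_demo():
    """Constructed sample logins (not real data) exercising each outcome."""
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    nyc, london = (40.7128, -74.0060), (51.5074, -0.1278)
    baseline = LoginAttempt("alice", "laptop-1", *nyc, t0)
    hist = UserHistory(known_devices={"laptop-1"}, last_login=baseline)
    later, soon = t0.replace(hour=17), t0.replace(hour=10)  # +8h and +1h
    brute = UserHistory({"laptop-1"}, baseline, failed_attempts_last_hour=6)
    scenarios = [
        ("known device, same city", LoginAttempt("alice", "laptop-1", *nyc, later), hist, {}),
        ("new device, same city", LoginAttempt("alice", "phone-9", *nyc, later), hist, {}),
        ("known device, NYC to London in 1h", LoginAttempt("alice", "laptop-1", *london, soon), hist, {}),
        ("new device and impossible travel", LoginAttempt("alice", "phone-9", *london, soon), hist, {}),
        ("known device, endpoint reports malware", LoginAttempt("alice", "laptop-1", *nyc, later), hist,
         {"device_threat": True}),
        ("known device, failed attempts + bad IP", LoginAttempt("alice", "laptop-1", *nyc, later), brute,
         {"bad_ip_reputation": True}),
    ]
    return {name: evaluate(a, h, **s)["decision"] for name, a, h, s in scenarios}


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{decision:12} {name}")
```

The point of the design is that the user only sees a second-factor prompt when the score crosses the step-up line, so the everyday case (known device, usual location, no threat signals) costs them nothing, while the endpoint-threat signal from the paragraph above carries enough weight to block by itself regardless of how the password check went.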
Get practical advice about moving beyond passwords from Gartner in the report, Don’t Waste Time and Energy Tinkering with Password Policies, featuring detailed recommendations and information about new authentication methods and other compensating controls.