Often overlooked in the popular rage against passwords are the three critical components of authentication. People make up only one of them. With or without passwords, all three need to be addressed.

The rising tide of breaches — including those focused on stealing credentials — is used as anecdotal evidence that the time for the password is over. Somehow, it always boils down to the tripe that people are the problem. But blaming people conveniently overlooks the reality that an attacker capturing an entire password database is a problem with the organization.

What’s the problem we’re trying to solve? Better, what’s the problem we need to solve?

Passwords are a factor of authentication. The problem is less with the factor than with the overall system of authentication. While people are part of the process, two additional elements are routinely overlooked. Focusing attention on improving all three elements yields better and more secure authentication – password or otherwise.

The 3 elements of a successful authentication system

Recent password breaches showcase a stunning failure of organizations to properly implement and operate authentication systems. Attackers seeking access to systems and information focus on gaining credentials – regardless of the factors used (passwords, biometrics, etc.). They exploit any opportunity in the chain to get what they want. Improve the entire system to reduce their chances, including the three critical elements of:

- implementation
- operation and maintenance
- individual usage

All three of these represent needed areas for discussion in the industry and improvement in the organization.

1. Is the implementation secure?

Authentication systems must be implemented to withstand improvements in attacks. Oftentimes, the path of least resistance — and the largest gain — comes from stealing the _entire_ database of credentials. This requires thinking through the role and process of authentication.
Bring the right team together, including external expertise, to consider and make documented choices about algorithms, methods, and configurations matched to the specific factor(s) and the importance of the systems and information they protect. How does the authentication system withstand attacks on individuals as well as on the implementation? The answer needs to explain how to reduce friction for intended users while increasing effort for attackers.

2. Are credentials properly protected during operation?

Once implemented, how is the authentication system used and protected? In operation, how are individuals enrolled, credentials verified, and authentication factors protected? How are resets and challenges handled? Does the current method of operation make it easier or harder for an attacker to gain access?

3. How are people using the system?

Authentication is important because it is at the intersection of people, systems, and information. People need to be able to successfully use the authentication method in order to gain access. Ideally, attackers face a harder challenge.

When it comes to passwords, we need to do a better job. I wrote about the real failure of passwords here. Even with passwords, it’s possible to explain the fundamentals in a functional way to any audience. This allows people, often for the first time, to actually understand how a password works. From that foundation, individuals learn and develop the capability to build, manage, and use better passwords.

The key to making it easier for people starts with designing and implementing a system matched to _their_ needs. Translate complexity into understanding to make necessary information accessible. The process takes time and often requires a skill set not generally found in security. People need to learn how to use the system properly. Ending password reuse and improving overall password strength goes a long way toward making the job of an attacker harder.
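The first two elements above, a secure implementation and protected operation, are concrete enough to show in code. The following is an added example written for this page, not code from the article or its author. It models a password verifier whose stored table is worth far less to a thief: per-user salts and a deliberately slow key derivation (scrypt from Python's standard library, with parameters that are an assumption here and must be tuned to the verifying hardware), a lookup that costs the same for unknown and known users, constant-time comparison, and a maintenance path that raises the stored cost at the next successful login. The weak scheme (a fast, unsalted hash) sits beside it so the difference in what a stolen table reveals is visible. The credential store, usernames, and passwords are all constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed in-memory credential store (assumption: a real system persists
# this in a database; only the record layout matters for the example).
CREDENTIAL_DB = {}

# Assumed scrypt cost parameters. Tune to the verifying server's budget so a
# legitimate login stays fast while bulk guessing against a stolen table
# stays expensive. Memory use is roughly 128 * n * r bytes per derivation.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}
SALT_LEN = 16
DKLEN = 32


def derive(password: str, salt: bytes, params: dict = SCRYPT_PARAMS) -> bytes:
    """Slow, salted key derivation. The per-user salt defeats precomputed
    tables and keeps identical passwords from producing identical records."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=DKLEN, **params)


def enroll(username: str, password: str) -> None:
    """Store salt, cost parameters and derived key; never the password itself."""
    salt = os.urandom(SALT_LEN)
    CREDENTIAL_DB[username] = {
        "salt": salt,
        "params": dict(SCRYPT_PARAMS),  # recorded so the cost can be raised later
        "key": derive(password, salt),
    }


# Dummy salt used when the username is unknown, so a failed lookup costs the
# same as a failed password and timing does not reveal which accounts exist.
_DUMMY_SALT = os.urandom(SALT_LEN)


def verify(username: str, password: str) -> bool:
    record = CREDENTIAL_DB.get(username)
    if record is None:
        derive(password, _DUMMY_SALT)  # burn the same time as a real check
        return False
    candidate = derive(password, record["salt"], record["params"])
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, record["key"])


def needs_rehash(username: str) -> bool:
    """Operation and maintenance: flag records whose stored cost has fallen
    behind current policy so they can be upgraded at the next good login."""
    return CREDENTIAL_DB[username]["params"] != SCRYPT_PARAMS


def rehash_on_login(username: str, password: str) -> bool:
    """Verify, then transparently re-derive the record with current parameters.
    This is the only moment the plaintext is available to do so."""
    if not verify(username, password):
        return False
    if needs_rehash(username):
        enroll(username, password)
    return True


def unsalted_sha256(password: str) -> str:
    """The weak scheme beside the strong one: a fast hash with no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def compare_schemes(password: str) -> dict:
    """What a thief of the table sees when two users share a password."""
    weak_a, weak_b = unsalted_sha256(password), unsalted_sha256(password)
    enroll("user_a", password)
    enroll("user_b", password)
    return {
        # Identical rows: crack one, and every user with that password falls.
        "unsalted_records_identical": weak_a == weak_b,
        # Distinct rows: each record must be attacked separately and slowly.
        "salted_records_identical": CREDENTIAL_DB["user_a"]["key"] == CREDENTIAL_DB["user_b"]["key"],
    }


if __name__ == "__main__":
    enroll("alice", "correct horse battery staple")  # constructed sample user
    print("alice login ok:", verify("alice", "correct horse battery staple"))
    print("unknown user ok:", verify("mallory", "anything"))
    print(compare_schemes("Winter2017!"))  # constructed shared password
```

The design choice worth noting is that the cost parameters are stored with each record: that is what lets the operation-and-maintenance element evolve without a forced reset of every account, because each user's record is upgraded silently the next time they authenticate successfully.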
Whether passwords stay or go, improve the 3 elements now

Any authentication system — regardless of how many and which factors are used — needs to be implemented properly, protected accordingly, and used successfully by people. Neglect any of those three and the system won’t work. Blaming people doesn’t fix it.

When the next breach happens, consider the role the company had in implementing and protecting the credentials and authentication before suggesting the problem is people. While these three elements are independent of the factors selected, getting them right improves password authentication, too. Which raises a simple question: if password authentication were implemented and maintained better, how big a problem is it really?