Before we abandon passwords, these 3 critical elements of authentication need to be fixed

Feb 27, 2014 · 4 mins
IT Leadership

Often overlooked in the popular rage against passwords are the three critical components of authentication. People only make up one. With or without passwords, all three need to be addressed.

The rising tide of breaches — including those focused on stealing credentials — is used as anecdotal evidence that the time for the password is over.

Somehow, it always boils down to the tripe that people are the problem. But blaming people conveniently overlooks the reality that an attacker capturing an entire password database is a problem with the organization.

What’s the problem we’re trying to solve? Better, what’s the problem we need to solve?

Passwords are a factor of authentication. The problem is less with the factor than the overall system of authentication. 

While people are part of the process, two additional elements are routinely overlooked. Focusing attention on improving all three elements yields better and more secure authentication – password or otherwise.

The 3 elements of a successful authentication system

Recent password breaches showcase a stunning failure of organizations to properly implement and operate authentication systems.  

Attackers seeking access to systems and information focus on gaining credentials – regardless of the factors used (passwords, biometrics, etc.). They exploit any opportunity in the chain to get what they want.

Improve the entire system to reduce their chances, including the three critical elements of: 

  • implementation
  • operation and maintenance
  • individual usage

All three of these represent needed areas for discussion in the industry and improvement in the organization.

1. Is the implementation secure?

Authentication systems must be implemented to withstand improvements in attacks. Oftentimes, the path of least resistance — and the largest gain — comes from stealing the _entire_ database of credentials.

This requires thinking through the role and process of authentication. Bring the right team together, including external expertise, to consider and make documented choices about algorithms, methods, and configurations matched to the specific factor(s) and the importance of the systems and information they protect.

How does the authentication system withstand attacks on individuals as well as the implementation? The answer needs to explain how to reduce friction for intended users while increasing effort for attackers.

2. Are credentials properly protected during operation?

Once implemented, how is the authentication system used and protected? In operation, how are individuals enrolled, credentials verified, and authentication factors protected?

How are resets and challenges handled? Does the current method of operation make it easier or harder for an attacker to gain access?
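The two elements above, implementation (choices of algorithm and configuration that hold up when the whole credential database is stolen) and operation (enrollment, verification, resets), can be made concrete in a few dozen lines. The following is an added example written for this page, not code from the article or its author. It assumes scrypt as the key-derivation function, the cost parameters shown, a random per-user salt, a minimum length policy of 12 characters, and an in-memory dictionary standing in for the credential database; all of these are illustrative choices, not recommendations taken from the text.

```python
import hashlib
import hmac
import os

# Added example (not from the article). Assumed implementation choices:
# scrypt as the KDF, these work-factor parameters, 16-byte per-user salts,
# a 12-character minimum, and a dict in place of a real database.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # cost an attacker pays per guess
SALT_BYTES = 16
KEY_BYTES = 32
MIN_PASSWORD_LENGTH = 12                       # assumed policy value


def derive_key(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    """Slow, salted, memory-hard derivation. A stolen record costs one scrypt
    evaluation per guess, and two users with the same password get different
    stored values because their salts differ."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=n, r=r, p=p, dklen=KEY_BYTES)


class CredentialStore:
    """Enrollment, verification and reset: the 'operation' element."""

    def __init__(self) -> None:
        # username -> {"salt": bytes, "key": bytes, "params": (n, r, p)}
        self._records: dict[str, dict] = {}

    def enroll(self, username: str, password: str) -> None:
        if len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError("password too short")
        salt = os.urandom(SALT_BYTES)
        params = (SCRYPT_N, SCRYPT_R, SCRYPT_P)
        self._records[username] = {
            "salt": salt,
            "key": derive_key(password, salt, *params),
            # Store the parameters so the work factor can be raised later
            # for new enrollments while old records still verify.
            "params": params,
        }

    def verify(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            # Do the same work for unknown names so response time does not
            # reveal which usernames exist.
            derive_key(password, b"\x00" * SALT_BYTES,
                       SCRYPT_N, SCRYPT_R, SCRYPT_P)
            return False
        candidate = derive_key(password, record["salt"], *record["params"])
        # Constant-time comparison: no early exit on the first differing byte.
        return hmac.compare_digest(candidate, record["key"])

    def reset(self, username: str, new_password: str) -> None:
        """A reset re-enrolls with a fresh salt, so a previously captured
        record for this user no longer matches anything."""
        if username not in self._records:
            raise KeyError(username)
        if self.verify(username, new_password):
            raise ValueError("new password must differ from the current one")
        self.enroll(username, new_password)


if __name__ == "__main__":
    store = CredentialStore()
    store.enroll("alice", "correct horse battery staple")   # constructed sample
    print("login ok:", store.verify("alice", "correct horse battery staple"))
    print("wrong pw:", store.verify("alice", "not the password"))
    store.reset("alice", "another long passphrase 42")
    print("old pw after reset:", store.verify("alice", "correct horse battery staple"))
```

The design point is that each of the article's operational questions maps to a visible decision: enrollment fixes the algorithm and cost, verification refuses to leak which names exist or to short-circuit on a byte mismatch, and a reset invalidates whatever an attacker may already have captured rather than reusing the old salt.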

3. How are people using the system?

Authentication is important because it is at the intersection of people, systems, and information. People need to be able to successfully use the authentication method in order to gain access. Ideally, attackers face a harder challenge.

When it comes to passwords, we need to do a better job. I wrote about the real failure of passwords here.

Even with passwords, it’s possible to explain the fundamentals in a functional way to any audience. This allows people, often for the first time, to actually understand how a password works. From that foundation, individuals learn and develop the capability to build, manage, and use better passwords.

The key to making it easier for people starts with designing and implementing a system matched to _their_ needs. Translate complexity into understanding to make necessary information accessible. The process takes time and often requires a skill set not generally found in security. 

People need to learn how to use the system properly. Ending password reuse and improving overall password strength goes a long way toward making the job of an attacker harder.

Whether passwords stay or go, improve the 3 elements now

Any authentication system — regardless of how many and which factors are used — needs to be implemented properly, protected accordingly, and used successfully by people.

Neglect any of those three and the system won’t work. Blaming people doesn’t fix it. When the next breach happens, consider the role the company had in implementing and protecting the credentials and authentication before suggesting the problem is people.

While these three elements are independent of the factors selected, getting them right improves password authentication, too. 

That raises a simple question: if password authentication were implemented and maintained better, how big a problem is it really?


Michael Santarcangelo develops exceptional leaders and powerful communicators with the security mindset for success. The founder of Security Catalyst, he draws on nearly two decades of experience of success advancing security in a variety of operational roles. He guides leaders and teams on the best next step of their journey.