The rising tide of breaches -- including those focused on stealing credentials -- is used as anecdotal evidence that the time for the password is over.

Somehow, it always boils down to the tripe that people are the problem. But blaming people conveniently overlooks the reality that an attacker capturing an entire password database is a problem with the organization.

What's the problem we're trying to solve? Better, what's the problem we need to solve?

Passwords are a factor of authentication. The problem is less with the factor than the overall system of authentication.

While people are part of the process, two additional elements are routinely overlooked. Focusing attention on improving all three elements yields better and more secure authentication - password or otherwise.

The 3 elements of a successful authentication system

Recent password breaches showcase a stunning failure of organizations to properly implement and operate authentication systems.

Attackers seeking access to systems and information focus on gaining credentials - regardless of the factors used (passwords, biometrics, etc). They exploit any opportunity in the chain to get what they want.

Improve the entire system to reduce their chances, including the three critical elements of:

- implementation
- operation and maintenance
- individual usage

All three of these represent needed areas for discussion in the industry and improvement in the organization.

1. Is the implementation secure?

Authentication systems must be implemented to withstand improvements in attacks. Often times, the path of least resistance -- and the largest gain -- comes from stealing the _entire_ database of credentials.

This requires thinking through the role and process of authentication.
Bring the right team together, including external expertise, to consider and make documented choices about algorithms, methods, and configurations matched to the specific factor(s) and the importance of the systems and information they protect.

How does the authentication system withstand attacks on individuals as well as the implementation? The answer needs to explain how to reduce friction for intended users while increasing effort for attackers.

2. Are credentials properly protected during operation?

Once implemented, how is the authentication system used and protected? In operation, how are individuals enrolled, credentials verified, and authentication factors protected?

How are resets and challenges handled? Does the current method of operation make it easier or harder for an attacker to gain access?

3. How are people using the system?

Authentication is important because it is at the intersection of people, systems, and information. People need to be able to successfully use the authentication method in order to gain access. Ideally, attackers face a harder challenge.

When it comes to passwords, we need to do a better job. I wrote about the real failure of passwords here.

Even with passwords, it's possible to explain the fundamentals in a functional way to any audience. This allows people, often for the first time, to actually understand how a password works. From that foundation, individuals learn and develop the capability to build, manage, and use better passwords.

The key to making it easier for people starts with designing and implementing a system matched to _their_ needs. Translate complexity into understanding to make necessary information accessible. The process takes time and often requires a skill set not generally found in security.

People need to learn how to use the system properly.
Ending password reuse and improving overall password strength goes a long way toward making the job of an attacker harder.

Whether passwords stay or go, improve the 3 elements now

Any authentication system -- regardless of how many and which factors are used -- needs to be implemented properly, protected accordingly, and used successfully by people.

Neglect any of those three and the system won't work. Blaming people doesn't fix it. When the next breach happens, consider the role the company had in implementing and protecting the credentials and authentication before suggesting the problem is people.

While these three elements are independent of the factors selected, getting them right improves password authentication, too.

Which begs a simple question: if password authentication were implemented and maintained better, how big a problem is it really?
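
For the implementation question in element 1 (a stolen credential database, and documented choices of algorithm and configuration), here is an added example that is not part of the original article: passwords stored as salted scrypt records that carry their own parameters, re-hashed at login when the policy has been raised. The choice of scrypt, the parameter values, the record layout and the function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os

# Assumed policy for this example; the real values are the documented team decision.
CURRENT = {"n": 2**14, "r": 8, "p": 1}
MAXMEM = 64 * 1024 * 1024  # memory ceiling handed to scrypt


def _derive(password, salt, n, r, p):
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          maxmem=MAXMEM, dklen=32)


def hash_password(password, params=None):
    """Return a self-describing record: scrypt$n$r$p$salt$key."""
    params = params or CURRENT
    salt = os.urandom(16)  # unique per credential, so equal passwords differ
    key = _derive(password, salt, **params)
    b64 = lambda raw: base64.b64encode(raw).decode("ascii")
    return "scrypt${n}${r}${p}$".format(**params) + b64(salt) + "$" + b64(key)


def verify_and_upgrade(password, record):
    """Return (ok, new_record); new_record is set when stored cost is below policy."""
    try:
        scheme, n, r, p, salt, key = record.split("$")
        stored = {"n": int(n), "r": int(r), "p": int(p)}
        if scheme != "scrypt" or any(stored[k] > CURRENT[k] for k in stored):
            return False, None  # unknown scheme, or cost above the policy ceiling
        salt, key = base64.b64decode(salt), base64.b64decode(key)
        candidate = _derive(password, salt, **stored)
    except ValueError:
        return False, None  # malformed or tampered record
    if not hmac.compare_digest(candidate, key):  # constant-time comparison
        return False, None
    if stored != CURRENT:
        return True, hash_password(password)  # re-hash while the plaintext is in hand
    return True, None
```

Because each record names its own parameters, raising `CURRENT` strengthens stored credentials gradually as people log in, without a forced reset.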