Passwords are the worst. Infamous, ubiquitous, we just can't seem to get them right. Meanwhile, the risks and repercussions for getting them wrong are getting out of hand. According to the Verizon "2021 Data Breach Investigations Report," 61% of breaches involve credentials. Despite guaranteed user frustration and the security risks involved, passwords remain our default method for authentication and often the sole authentication method for enterprise systems and applications. This raises the question — why are we stuck securing access with methods users hate and hackers love?
Three major authentication categories are trying to pick up the slack: Password managers, single sign-on (SSO), and multifactor authentication (MFA). Each category offers its own methodology and unique set of benefits — and drawbacks — to users.
One Password to Rule Them All
Password managers claim to do it all; they generate, store, and autofill passwords for users who need only remember one master password. This methodology tackles the main drivers of human error in authentication, including our inclination for short, weak, or patternized passwords and our tendency to reuse them. To these ends, password managers can dramatically improve password hygiene and streamline login experiences.
Unfortunately, password managers are not effective authentication tools for larger user bases, like enterprises. Though they market themselves as a means of controlling employee password generation and use, they lack enforcement. Password managers cannot control how employees create and interact with each password — only nudge them in the right direction if and when they choose.
Improper use and enforcement of password managers also muddles true visibility into an environment's application inventory: accounts not secured by the password manager fall into gaps that lead to an unknown number of missed detections. Conversely, use of the enterprise password manager for personal accounts forces security analysts to waste valuable time sifting through false alarms.
MFA and SSO Integration
Security Assertion Markup Language (SAML) is the current gold standard SSO solution for access governance, especially for securing the growing use of enterprise applications. This type of service allows users to log in to multiple accounts with a single set of credentials. Unfortunately, many enterprises have difficulty enjoying SSO’s full potential, as most have only integrated a fraction of their application portfolio into their identity provider. SSO providers offer few IAM answers to the prevalence of shadow accounts, and they are considerably pricier once the operational overhead of SSO onboarding and the licensing costs are accounted for.
Like SSO, MFA solutions cannot offer full coverage to enterprises in practice. The critical time understaffed security teams might gain from employing these solutions can quickly feed into the manual tasks required to keep them relevant. To underscore the importance of time, consider how enterprises adopt an average of 15 applications per month while only onboarding four to their SSO providers, leaving a considerable backlog of almost 10 applications without protection every month.
Lesser-Evil Strategy Is Risky
Passwords are unavoidable for now, and there is too much at risk to rely on the false dichotomy that any password security tool is better than nothing. This cannot be sustained if password solutions fail to offset the risk they introduce or annoy users into breaking policy to remain productive. Unfortunately, the authentication space is still waiting for better alternatives to displace current methods. Until then, security professionals must find a way to glean as much value and security from these methods with as little manual effort as possible.
Gaining visibility into application inventories is the first critical step toward holding out for better IAM solutions and taking back control of an enterprise’s password security. Every single account connected to an enterprise environment represents significant risk and should be treated as such; an application with one user login can be just as risky as another with hundreds.
However, security professionals will be overwhelmed by what they see. True account visibility will yield hundreds, if not thousands, of results — a scope well beyond even the best-equipped security teams. This means that prioritization is the second most critical step to approaching the Sisyphean task of comprehensive security. Categorizing risk in such circumstances can help make sense of how to best allocate time and resources for password security. Data-driven analysis can and should help predict the impact or likelihood of breach across these risk categories to inform decision-making.
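To make the visibility-then-prioritization idea concrete, here is an added example (not part of the original article) that inventories which accounts sit outside every control discussed above (SSO, MFA, password manager) and ranks them; the inventory is constructed sample data and the scoring weights are illustrative assumptions, not a published formula.

```python
from dataclasses import dataclass

# Constructed sample inventory: every value below is illustrative, not real data.
@dataclass
class AppAccount:
    name: str
    users: int
    sso: bool          # integrated with the identity provider (e.g. SAML SSO)
    mfa: bool          # MFA enforced on this login
    pw_manager: bool   # credentials generated/stored by the enterprise password manager
    sensitivity: int   # 1 (low) .. 5 (critical); assumed data classification

INVENTORY = [
    AppAccount("crm", 400, True, True, True, 4),
    AppAccount("wiki", 250, True, False, True, 2),
    AppAccount("payroll-export", 1, False, False, False, 5),
    AppAccount("marketing-saas", 30, False, False, True, 2),
    AppAccount("legacy-ftp", 3, False, False, False, 4),
]

def coverage_gaps(inventory):
    """Accounts that bypass every control: not behind SSO, no MFA, and
    credentials not managed. These are the shadow logins to find first."""
    return [a.name for a in inventory if not (a.sso or a.mfa or a.pw_manager)]

def risk_score(a):
    """Assumed scoring (hypothetical weights): data sensitivity dominates,
    exposure grows only logarithmically with user count (via bit_length),
    and each missing control multiplies the score. Not a published formula."""
    exposure = 1 + a.users.bit_length()          # 1 user -> 2, 400 users -> 10
    missing = (not a.sso) + (not a.mfa) + (not a.pw_manager)
    return a.sensitivity * exposure * (1 + missing)

def prioritize(inventory):
    """Return (name, score) pairs, highest risk first (stable for ties)."""
    return sorted(((a.name, risk_score(a)) for a in inventory),
                  key=lambda t: -t[1])

if __name__ == "__main__":
    print("uncovered:", coverage_gaps(INVENTORY))
    for name, score in prioritize(INVENTORY):
        print(f"{score:3d}  {name}")
```

With these assumed weights the single-user, unmanaged payroll export scores the same as the 400-user CRM behind SSO and MFA, which is the article's point about one login being as risky as hundreds.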
Finally, the cybersecurity industry must collectively find new and better ways to hold the fort until we make it to passwordless paradise. We find ourselves in an era where business applications are increasingly self-service to maximize agile adoption. If it is infeasible to act on every password vulnerability across user accounts, organizations must instead learn to shift the paradigm of access to business applications toward self-governance.