I can still clearly remember being a child and playing cops and robbers with the other neighborhood kids. There was an interesting aspect of this game that, surprisingly, continues to be a relevant topic for security professionals in 2020, and that aspect is that even children understand basic identity and access management. For instance, when the kids playing cops would try to sneak into the robbers’ hideout, which was usually one of the neighborhood parents’ garages, we would knock on a door and someone would ask “What’s the password?”
This is interesting to me because even as children we understood that it is important to establish identity first before trusting someone with access to our hideout. I can remember playing on the robbers’ team in our cops and robbers game and making sure my fellow bandits also knew to first ask who was at the door and then ask for the password. Considering that I am discussing a child’s game, I can assert that identity authentication is instinctive for all humans. So why is it that users of our networks struggle so much with maintaining and safeguarding the passwords for their credentials?
Please allow me to give you some food for thought on the subject. First, we can always come back to the threat. As the ability to break passwords has improved, we have required our users to come up with increasingly complex passwords. I can remember at one point in my career having to enforce minimum 15-character passwords that required two upper-case letters, two symbols, and two numbers, and the password could not be a dictionary word – maintaining these complex passwords proved too difficult for most users.
A second factor users struggle with is the password lifecycle. I have seen password cycles that require the users to change their passwords every 60 days or 90 days coupled with the restriction that the user cannot use any of their previous twelve passwords. This is also cumbersome for people to maintain. To cope with these difficult requirements, most users either write down their passwords and keep them someplace close to their computers or they simply change the password they use by only one or two characters each time they reset their password. Both of these practices are obviously very bad and make the password essentially useless as a security mechanism for validating identity.
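The two burdens described above (the complexity rules and the history-limited rotation) can be made concrete with a small policy checker. This is an added example, not code from the original post: it implements the 15-character, two-upper, two-digit, two-symbol, no-dictionary-word rule exactly as recalled above, and then contrasts the exact-match history check that most directory services perform with a similarity check. The point it shows is that a user who bumps "2019" to "2020" sails through a twelve-password exact-match history, which is why the author calls the resulting password essentially useless. The word list is a constructed stand-in for a real dictionary file.

```python
"""Password policy checks: complexity rules and password-history rotation."""
import string

# Constructed mini word list. Assumption: a real deployment would load a full
# dictionary file here instead of this handful of words.
DICTIONARY = {"password", "welcome", "summer", "winter", "company", "dragon"}


def meets_complexity(pw: str) -> list:
    """Return the complexity rules the password violates (empty list == compliant).

    The rules mirror the policy recalled in the post: at least 15 characters,
    two upper-case letters, two digits, two symbols, and not a dictionary word.
    """
    failures = []
    if len(pw) < 15:
        failures.append("length<15")
    if sum(c.isupper() for c in pw) < 2:
        failures.append("upper<2")
    if sum(c.isdigit() for c in pw) < 2:
        failures.append("digit<2")
    if sum(c in string.punctuation for c in pw) < 2:
        failures.append("symbol<2")
    if pw.lower() in DICTIONARY:
        failures.append("dictionary-word")
    return failures


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; a small value means near-identical."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def exact_history_check(new_pw: str, history: list) -> bool:
    """The common 'not one of your last N passwords' rule: exact matches only."""
    return new_pw not in history


def similarity_history_check(new_pw: str, history: list, min_distance: int = 4) -> bool:
    """Reject a candidate within min_distance edits of any previous password.

    Case is folded so that Winter2019!!Ab and winter2019!!ab count as the same.
    This catches the 'change one or two characters' coping pattern the post
    describes, which the exact-match rule cannot see.
    """
    return all(levenshtein(new_pw.lower(), old.lower()) >= min_distance
               for old in history)


if __name__ == "__main__":
    # Constructed sample: a user rotating the year every 90 days.
    history = ["Winter2018!!Ab", "Winter2019!!Ab"]
    candidate = "Winter2020!!Ab"
    print("complexity failures:", meets_complexity(candidate))
    print("exact history check passes:", exact_history_check(candidate, history))
    print("similarity history check passes:", similarity_history_check(candidate, history))
```

Running the demo shows the candidate passes every complexity rule and the exact-match history rule while failing the similarity rule with an edit distance of 2; a stolen or shoulder-surfed "Winter2019!!Ab" predicts the next three rotations. The same checker reports a genuinely new passphrase such as "Correct-Horse-Battery-42!" as compliant under both history rules.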
Getting back to our childhood game of cops and robbers, often the kids playing on the cops’ team would set up a fake hideout that looked very close to the real one, or they would sneak into the robbers’ hideout when the robbers were not in it. This was not to catch one or two robbers. When we played the cops, we did this so we could wait for a robber to come to the door; when the robber knocked, we would ask who they were and what the password was, and we would then have the keys to get into the actual robbers’ hideout and catch all of the robbers. Password users are often tricked into giving out their credentials in the same manner through fake websites that mimic legitimate business sites they use every day. Clearly, IT people are aware of the struggles users face and of the problems with safeguarding passwords for authentication, which leads to the obvious question.
Why, then, do we still rely on such an unreliable mechanism for validating something so important? The answer to this question is pretty simple. Moving beyond the password can often be a Herculean effort. It can be costly, difficult to implement, and a massive culture change for organizations. I argue, however, that much of the difficulty in moving away from passwords is perception and not reality. I am not stating that managing identity as an architecture is easy, but it is manageable and not as expensive as one would think.
I have found that many IT organizations, if they do any identity management at all, will implement two-factor authentication/multi-factor authentication (2FA/MFA) only on the remote access points or cloud services, but not on the organizations’ computers. I have also seen IT staff limited to working with legacy systems that are vital to the business and that will not support 2FA/MFA. Such legacy systems can be a limiting factor when trying to get the right combination of identity validation technologies, but it is possible.
Therefore, let’s demystify identity architecture a bit. In order to properly identify users, we need to have:
- an authoritative source of identity,
- an authentication mechanism, and
- a way to validate that the authentication mechanism is in fact legitimate.
I will admit this oversimplifies identity management a bit, but I would stand behind this statement as the essential nuts and bolts of managing identity. To address these basic ideas, consider the following possible ways to improve identity verification:
Use native capabilities built into the Windows environment
This only applies to Windows computers and Windows networks. IT can cost-effectively use tokens that emulate smart cards and use either smart card authentication or leverage the built-in Microsoft “Hello” for access to the computers themselves. While passwords may be needed to access certain systems, using 2FA to secure the computer is about the same as locking the front door. For most users, the computer is the first point of access.
Use a combination of 2FA to the computer and leveraging native MFA on the cloud platforms
In 2020 most organizations probably use Microsoft 365 or Google Cloud services. If so, consider using the aforementioned method to access the desktop environment and enabling an MFA policy for connection to the cloud.
Use an enterprise password vault
These solutions allow users to authenticate to a vault and simply check out the passwords they need for access to applications, which could include legacy systems. When considering a password vault, make sure the chosen solution supports either domain or SAML authentication and that it provides secure, 2FA/MFA-enforced access to the vaults that store passwords for the users.
Use an Identity as a Service (IDaaS) solution
IDaaS is definitely the easy button. If the organization has the funding, using this type of solution may be preferred for improving authentication security. When selecting the solution, take care to consider how you see users gaining access to their computers, cloud services, webmail, and legacy applications.
I may be oversimplifying user identity management. Therefore, I will acknowledge there is quite a bit of complexity under the hood for these architectures. This being stated, I will close with how you might communicate the benefits of implementing these changes in simple terms to obtain the greatest level of buy-in from the organization. First, if you choose the right 2FA/MFA solution, users may not have passwords at all or may never have to change the passwords they have. Second, you have the opportunity to make life harder for bad actors by making stolen passwords effectively useless. Finally, if you implement the right approach, the login options for your users will look so different from the fake sites attackers use to steal credentials that you will greatly reduce the risk of users falling for fake credential-harvesting sites.