Compromised Credentials: Continued relevance for the next half century?
- 08 June, 2016 16:42
Compromised credentials are the bane of IT leader’s existence. They continue to cause havoc, as headlines and leaders clearly expect. In short, compromised credentials create a number of problems for almost every organization in existence, no matter where they are in the world. According to a recent survey, 65 percent of respondents said they believed their organization would experience a security breach at some point. The culprit appears to be one of the oldest issues out there – compromised credentials.
Passwords date back to MIT in the 1960s. They were designed to control timesharing in its computer lab. Students there quickly realized that they could find ways around them, to gain more time to access the system so they could use it for research in an unlimited fashion. Their use has evolved, of course. They’ve become more complex, their responsibilities have grown and they are relied upon for much more. They are much more than a time tracker tool. Now going around passwords is for nefarious purposes.
Finally, though, it seems that now, more than 50 years later, were beginning to figure out some methods to resolve this issue once and for all. There are many security projects going on today that are the latest iteration, with biometrics seemingly leading the way. One of these methods is the adoption of fingerprint scanners on smartphones. This technology is becoming ubiquitous and can be done on mobile devices, with a PIN code failover. It stands to reason that this technology will be more readily adopted via fingerprint scanners embedded in keyboards and laptops, if the cost and availability were more reasonable.
Other technologies include facial recognition with Windows 10, and additional technology in development by Amazon. While Windows “Hello” requires a special camera that is just now starting to become prevalent in the marketplace, Amazon’s technology will utilize a standard webcam will likely require an iteration of photos where the user changes facial expressions (smile, blink, etc.) to verify them more securely.
Another technology that holds tremendous premise is biometric technology that evaluates the way a user interacts with their keyboard, mouse and smartphone. This method is called keystroke dynamics, and is part of behavioral biometrics. The technology can be utilized not only as a pass/fail threshold test when a user logs in, but can also constantly assess the user’s pattern while utilizing the computer or smartphone.
Behavioral biometrics can potentially alleviate two concerns. This method becomes a second factor of authentication upon login, but can also force a re-validation should something change during the work day. Let’s say a user gets up from their desk for a quick break but fails to lock the screen, another individual can easily walk up to the machine and access their sensitive data. The keystroke biometrics application detects the change in user based on how they are interacting with the computer and immediately ask the person to re-enter their credentials. Another, a third, factor can also be added as part of this revalidation process and require the entry of a PIN that has been delivered via SMS or a smartphone application.
Other options for securing the network from compromised credentials also are available and are even less intrusive to end users. These methods, though, are best utilized in combination with another technology other than passwords. These technologies involve restrictions on who can access the network and from where, and can be useful in mitigating risk from the outside hacker, but do little to prevent an insider from wreaking havoc. Time of day restrictions are one step – limiting when someone can access their machine based on their normal usage patterns. Another step is IP limiting – only allowing usage to sensitive applications and data if the IP origin is within a specific range. Geo-fencing is another option and restricts users based on location range of either the main office or their home for example.
Regardless if one or many of the technologies are ultimately adopted, organizations must move in the direction of securing user credentials beyond the simple user name and password. If not, security breaches because of compromised credentials will continue to occur and this topic will remain very relevant for another 50 years.
Dean Wiech is managing director of Tools4ever, a provider of access and identity governance solutions.