In-Depth

Q&A: Why Strong User IDs and Passwords are Weak Security Measures

Why a username and password are no longer adequate to protect your enterprise's assets.

• By James E. Powell
• 10/27/2009

If you're using only a user identifier and password to allow access to your protected data, your enterprise is at risk. To learn why current standard practices are no longer sufficient and understand what vendors and IT departments need to do to keep data safe, we spoke with Bharat Nair, vice president of business development and marketing at Delfigo Security. Nair has over 19 years of experience in enterprise software management and operations; his career has included leadership and entrepreneurship spanning IT and operations in a variety of roles.

Enterprise Systems: What current standard authentication solutions is IT using today?

Bharat Nair: The majority of enterprises still use user ID and password as their only standard authentication criteria. Unfortunately, as we all know, this has brought along challenges with unauthorized and fraudulent access to applications with both employee and customer information getting into the wrong hands. With fraud on the increase, enterprises are finding themselves at risk of non-compliance to regulatory mandates that are applicable to their specific industry.

Recognizing the limitations of this standard approach to authentication, enterprises have implemented stronger authentication in the form of tokens, one-time passwords (OTP), and/or digital certificates. The challenge enterprise users’ face with these second-factor solutions is the need to carry external devices. Managing these devices gets very complex. For example, most large enterprises have a global presence. Ensuring tokens are distributed and managed through their lifecycle across the global workforce is no small task; users might forget or lose tokens while on the road. Without access to tokens, these employees are often unable to get system access, leading to increased IT help desk calls for bypass access.

The cost of ownership and the overall hassle in managing a token-based second-factor authentication are what make companies reluctant to adopt it.

Entering a username and a password has long been an accepted security technique. Why is it no longer sufficient to protect IT assets?

There are numerous reasons why this is no longer adequate in an enterprise environment. First, consider that most applications have “strong password” rules that are not a true measure of strengthened authentication. Instead, users have to remember complex passwords, so they write down or save their passwords on soft media. Ultimately, this scenario leads to fraudsters gaining access to user ID and passwords through stolen devices and other means.

The main challenge with this is that user IDs and passwords take a single factor into consideration when granting access to an individual. This is no longer adequate or sufficient in today’s networked environment. Authentication solutions must look beyond “what you know” and take into consideration “what you have” and “who you are” when authenticating and authorizing access.

For example, let’s say I successfully logged into my enterprise application using my user ID and password from my home office location in Boston around 5:00 pm. However, somehow my password was compromised and someone using my user ID and password attempts to access the system at 8:00 pm, but this time from a location in Asia. It is not humanly possible for me to have hopped on a plane and reached Asia in less than three hours to log in from a foreign IP location, yet the systems that rely only on a user ID and password are vulnerable because they have no intelligence and grant access anyway.

Given that example, what must security solutions incorporate to avoid this kind of scenario?

Authentication solutions need to become intelligent. Authentication platforms must assess multiple identity factors and be able to better understand the profile of users requesting access to a network or application. Enterprises must be able to protect their employees, digital assets, and intellectual property by enabling a role-based, layered approach to authentication and authorization -- no more all-in/all-out paradigm, no more risking the business with the “keys-to-the-kingdom” problem.

At the end of the day, the authentication platform must quickly and easily validate the user, not just the machine. An ideal approach would be looking at multiple factors to assess and authenticate a user, such as keystroke dynamics, cognitive science, system, and geospatial parameters, among others. Rather than individual factors, the authentication platform must be able to assess relationships between data elements. Using the Asia example again, if the authentication solution only looked at the user ID and password it could potentially result in fraud; however, an intelligent authentication platform would inherently associate the IP (geographic location) information with the date/time stamp and given prior access information, deny access. With the ever-increasing complexity and frequency of threats against corporate networks, enterprises must look beyond a simple user ID and password and incorporate intelligent authentication that can answer the three very simple -- but equally important -- questions: Are you who you say you are? If so, what will I allow you to do and where will I allow you to go?

Besides intelligence, what other key characteristics must these solutions have to be truly useful to an already overworked IT department?

The biggest challenge IT departments face with implementing strong authentication solutions is the increased requests to help desks. These range from simple password request changes, to user training, to addressing lost or stolen tokens. An intelligent authentication platform must be easy to use and should require no end-user training. That is paramount.

The authentication solution must also integrate with an existing IT infrastructure. Having been around large global enterprises for over two decades, I know these environments are heterogeneous no matter how much standardization has been implemented. An intelligent authentication solution must be able to work in such a setting without requiring point integrations and excessive customizations.

Until security solutions are updated with such intelligence, what can IT do to better protect its data?

There’s a lot IT can do in the interim. For starters, they can install and maintain a firewall configuration that protects their data. Second, it may seem obvious, but you should never use a vendor-supplied default password or a password that would be obvious to others who know you.

Anti-virus software should be updated regularly, and security systems and processes should be tested frequently. Even simple things such as having a security policy for your company, training employees on best security practices, and enforcing the practices will go a long way to protect your company from external and internal threats.

Are there industries that are particularly vulnerable or that need better authentication solutions?

Not really. Internet fraud, identity theft, and fraudulent access to online data do not spare any company or individual. Because these attacks are often automated and perpetrated without care or consideration of geographic boundaries, these attacks are constantly looking for and exploiting vulnerabilities across the internet. Considering the global nature of practically all businesses today, the vulnerabilities could exist in any location and can be introduced at any point by any number of individual situations.

Having said that, there are clearly highly regulated industries that are now mandated to provide for and enforce strong authentication solutions to better secure customer and employee information. These include health care, banking, insurance, e-commerce, manufacturing, utilities, and the public sector.

What products or services does Delfigo Security offer to secure data?

Delfigo’s intelligent authentication solution DSGateway is a zero-footprint authentication platform that helps enterprises achieve a higher level of secure authentication and authorization than previously available in the industry. DSGateway combines strong authentication with advanced cognitive capabilities to ensure that users are who they say they are and that they’re only granted access where allowed.