The computer account password as an identity management (IDM) tool has been around since the mainframe era, and for many years, passwords offered sufficient security and were a decent identity management technique for the time.
The password may be everywhere, but that doesn't mean it's the best security solution.
Passwords are less secure than they used to be because of credential-theft techniques and the sheer brute-force speed of password-cracking tools. So now we have to have strong passwords, a unique one for every platform, and we're expected to keep them all in our heads, even though they shouldn't be easy to guess. When we're also required to change passwords regularly and aren't allowed to reuse old ones, it's no mystery why people resort to writing them down.
More than two-thirds of security professionals think usernames and passwords are insufficient for secure identity management, and nearly three-quarters envision passwords being phased out within a decade. Fraud and account takeovers are major concerns of companies of all types and sizes, yet many people still use passwords that can often be cracked in seconds. A dictionary word with a number appended might take an hour for a hacker to crack. Fortunately, stronger identity management solutions exist.
Single Sign-On Identity Management
Single sign-on IDM is paradoxical because it can provide both enhanced security and easier access for authorized individuals. Users do not have to remember and type in multiple user IDs and passwords. With user identity data stored in one place, the single sign-on technique allows users to have strong passwords without having to record them anywhere, because they can access all applications for which they are authorized with a single, master password. Single sign-on can reduce IT maintenance costs and increase productivity while making the end-user experience better.
Multifactor Authentication for Added Security
Biometric attributes can be part of a multifactor authentication strategy.
But single sign-on isn't perfect. If there is a "master" login for each authorized user, and that master login is compromised, a rogue actor gains access to every application and database behind it. Combining multifactor authentication with single sign-on closes that gap. Multifactor authentication simply means that more than one criterion must be fulfilled to gain access to an app or system. The combination of credentials could be a password plus a card with a magnetic stripe, a PIN plus a code sent to a phone, or any number of other combinations.
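As an added illustration of the "more than one criterion" idea (example code written for this article, not a product's own implementation), the following Python sketch requires a password and then a short-lived one-time code of the kind delivered to a phone. `MfaLogin`, `make_user` and the user-record layout are assumed designs; the point is that the second factor is only offered after the first succeeds, is stored only as a hash, is valid for a few minutes, and gets exactly one attempt.

```python
import hashlib
import hmac
import secrets
import time

# Added example (not from the original article): a login that requires two
# factors, a password and a short-lived one-time code delivered out of band,
# e.g. by text message. MfaLogin, make_user and the user-record layout are an
# assumed design, not a specific product's API.

PBKDF2_ROUNDS = 100_000      # slow hash for the password factor
CODE_TTL_SECONDS = 300       # a delivered code is valid for five minutes


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user(password: str) -> dict:
    """Constructed user record: random salt plus the password hash."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt)}


class MfaLogin:
    """Two-step login: factor one is the password, factor two is a one-time code.

    `now` is injectable so the expiry logic can be tested without sleeping.
    """

    def __init__(self, users: dict, now=time.time):
        self.users = users        # username -> record from make_user()
        self.now = now
        self.pending = {}         # username -> (sha256(code), expiry timestamp)

    def start_login(self, username: str, password: str):
        """Check the password. On success, return the one-time code that the
        caller must deliver to the user's phone; on failure return None."""
        record = self.users.get(username)
        if record is None:
            # Hash anyway so unknown and known usernames take similar time.
            hash_password(password, b"\x00" * 16)
            return None
        candidate = hash_password(password, record["salt"])
        if not hmac.compare_digest(candidate, record["pw_hash"]):
            return None
        code = f"{secrets.randbelow(10 ** 6):06d}"
        # Store only a hash of the code; a leaked pending table is then useless.
        self.pending[username] = (
            hashlib.sha256(code.encode("ascii")).digest(),
            self.now() + CODE_TTL_SECONDS,
        )
        return code

    def finish_login(self, username: str, code: str) -> bool:
        """Check the delivered code. Each code gets exactly one attempt and
        expires after CODE_TTL_SECONDS, so it cannot be guessed or replayed."""
        entry = self.pending.pop(username, None)   # pop: one attempt, then gone
        if entry is None:
            return False
        code_hash, expires_at = entry
        if self.now() > expires_at:
            return False
        return hmac.compare_digest(
            hashlib.sha256(code.encode("ascii")).digest(), code_hash
        )


if __name__ == "__main__":
    users = {"alice": make_user("correct horse battery staple")}
    login = MfaLogin(users)
    code = login.start_login("alice", "correct horse battery staple")
    print("code to send to phone:", code)
    print("second factor accepted:", login.finish_login("alice", code))
```

Discarding the pending code after a single wrong attempt is deliberate: a six-digit code only resists guessing if the attacker cannot keep trying, so a typo sends the user back to factor one rather than opening a brute-force window.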
Account reconciliation is more of a behind-the-scenes activity, but it's still important to identity management, particularly where passwords are still relied upon. Account reconciliation is the process of matching each existing account to the specific user who owns it. This surfaces "orphan" accounts that belong to no current user, and it creates a good starting point for determining who should have access to which resources. Account reconciliation may correlate accounts with users based on attributes like username, email address, or phone number, and it is an essential component of good identity management "hygiene."
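The correlation step described above, as an added example (written for this article, not a product's own code): a small Python reconciler matches application accounts against a people directory on e-mail, username and phone number, and separates clean matches from accounts whose owner has left, accounts that match more than one person, and true orphans. `Person`, `Account`, `reconcile()` and the sample directory and account lists are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Added example (not from the original article): reconcile a list of
# application accounts against the authoritative people directory by
# correlating on username, e-mail address and phone number, and flag the
# "orphan" accounts that map to nobody. Person, Account, reconcile() and the
# sample data are all constructed for this example.


@dataclass(frozen=True)
class Person:
    employee_id: str
    username: str
    email: str
    phone: str
    active: bool          # False once HR has off-boarded the person


@dataclass(frozen=True)
class Account:
    system: str
    account_id: str
    username: str = ""
    email: str = ""
    phone: str = ""


# Attributes are tried in order of reliability: e-mail first, then username,
# then phone (phones are often shared, so they are the weakest correlator).
MATCH_ORDER = ("email", "username", "phone")


def normalize(attr: str, value: str) -> str:
    """Canonical form so 'Alice' == 'alice' and '(555) 010-0003' == '555-010-0003'."""
    if attr == "phone":
        return re.sub(r"\D", "", value)        # digits only (assumes one country)
    return value.strip().lower()


def build_index(people):
    """(attribute, normalized value) -> set of employee_ids. Sets, not single
    ids, because shared values (a desk phone, a role mailbox) do occur."""
    index = {}
    for p in people:
        for attr in MATCH_ORDER:
            key = normalize(attr, getattr(p, attr))
            if key:
                index.setdefault((attr, key), set()).add(p.employee_id)
    return index


def reconcile(people, accounts):
    """Sort every account into matched / inactive_owner / ambiguous / orphans."""
    index = build_index(people)
    by_id = {p.employee_id: p for p in people}
    result = {"matched": [], "inactive_owner": [], "ambiguous": [], "orphans": []}
    for acct in accounts:
        owners, matched_on = set(), None
        for attr in MATCH_ORDER:
            key = normalize(attr, getattr(acct, attr))
            if key and (attr, key) in index:
                owners, matched_on = index[(attr, key)], attr
                break                            # first reliable hit wins
        if not owners:
            result["orphans"].append(acct)
        elif len(owners) > 1:
            result["ambiguous"].append((acct, matched_on, sorted(owners)))
        else:
            owner = by_id[next(iter(owners))]
            bucket = "matched" if owner.active else "inactive_owner"
            result[bucket].append((acct, owner.employee_id, matched_on))
    return result


# Constructed sample data.
PEOPLE = [
    Person("E1", "alice", "alice@example.com", "555-010-0001", True),
    Person("E2", "bob", "bob@example.com", "555-010-0002", False),   # left the company
    Person("E3", "carol", "carol@example.com", "555-010-0003", True),
    Person("E4", "dave", "dave@example.com", "555-010-0003", True),  # shares Carol's desk phone
]

ACCOUNTS = [
    Account("crm", "1001", username="Alice"),
    Account("crm", "1002", email="BOB@Example.com"),
    Account("vpn", "svc-backup"),                         # no owner attributes at all
    Account("hr-portal", "1004", phone="(555) 010-0003"),
    Account("git", "carolk", username="carolk", email="carol@example.com"),
    Account("git", "legacy-admin", username="jsmith"),
]


if __name__ == "__main__":
    report = reconcile(PEOPLE, ACCOUNTS)
    for bucket, entries in report.items():
        print(f"{bucket}:")
        for entry in entries:
            print("  ", entry)
```

The `inactive_owner` bucket is the one worth acting on first: an account that still resolves to someone HR has off-boarded is exactly the kind of access a reconciliation run exists to find, while the `ambiguous` bucket shows why phone number should be the last attribute tried rather than the first.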
In a decade, the concept of the password may seem quaint and outmoded. Indeed, many organizations are already going beyond the simple password to incorporate single sign-on, multifactor authentication, and other more secure methods of granting access to resources. Organizations that make the effort to strengthen security can expect to reduce costs, experience fewer security breaches, achieve better compliance with industry or government security regulations, and make the end-user experience better for employees. The time to implement robust identity management is before a security breach occurs, and it's important not to have a false sense of security just because passwords have never been compromised before.
What are some identity management problems or issues your organization faces? Let us know your thoughts in the Comments box below.
And to follow through on the tips introduced in this short article, be sure to download your free Financial Services CIO Guide to IT Security and Identity Management.