EDITOR’S QUESTION
RICHARD MEEUS, SECURITY TECHNOLOGY AND STRATEGY DIRECTOR, EMEA AT AKAMAI
Fundamentally, passwords suck. They have been a thorn in the side of IT professionals for decades, from the days when 40% of a helpdesk’s time was spent helping users change their passwords, to the poor advice that users should update their password every 90 days and make it really complex, every single time.
The fact that passwords are so ubiquitous and seen as the default mechanism for user authentication means they are often used without considering the wider picture. This is evident in our public health service, where a myriad of systems with different accounts creates significant delays when staff need to log in. Single Sign On (SSO), a technology that has been around for many years, is being used to try to address this delay. But if it still revolves around a username and password, then staff are still tasked with remembering a complex password.
The NHS (in the UK) is looking to adopt Multi-Factor Authentication (MFA) – a process that is more secure because it only grants a user access once they present two or more pieces of evidence. Users prove their identity by passing a combination of verification stages, providing something they know, something they have, or something they are. As a result, we are now able to take this to the stage where a password is no longer necessary: users could sign on with something they ‘have’, such as a hardware token, and something they ‘are’, using their fingerprint.
We have adopted this internally here at Akamai and we use a combination of push authentication to mobile devices, along with certificates on company laptops, to provide a password-less experience.
Moving away from passwords, or at least complementing them with another factor of authentication, is important considering the volume of data breaches we witness on a daily basis.
As users, we are fundamentally lazy and will often reuse passwords across many sites. Witness the recent ‘attacks’ on two high street retailers, where usernames and passwords stolen in previous breaches were used to perform an Account Takeover (ATO), in which the criminals seek to monetise whatever is within the account – normally by cashing out on vouchers or gift cards.
The fact that they were both high street retailers with significant online business adds interest from an attacker’s perspective. Normally a ‘credential stuffer’, somebody who takes these breached usernames and passwords and tries to find ones that work on a new site, can expect a 1–2% hit rate.
If these cybercriminals target the same verticals, the hit rate can be significantly higher. If one were to draw a Venn diagram of the users at both stores, there would be a high probability of significant overlap – ensuring the attackers get more bang for their buck.
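Seen from the defender’s side, the credential stuffing described above has a distinctive shape in the login logs: one source tries many different usernames in a short burst and fails on nearly all of them, because the reused passwords only match for the small overlapping slice of users. The following Python detector is an added illustration, not code from the column or from Akamai; the log format, the sample lines and the thresholds are all constructed assumptions for this example.

```python
"""Flag credential-stuffing behaviour in web login logs (added example).

Assumed, constructed log format, one attempt per line:
    "<ISO timestamp> <source IP> <username> <SUCCESS|FAIL>"
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). 203.0.113.7 replays breached
# username/password pairs against many accounts and gets a single hit;
# 198.51.100.4 is one ordinary user mistyping their own password twice.
SAMPLE_LOG = """\
2024-01-10T09:00:01 203.0.113.7 alice FAIL
2024-01-10T09:00:03 203.0.113.7 bob SUCCESS
2024-01-10T09:00:05 203.0.113.7 carol FAIL
2024-01-10T09:00:07 203.0.113.7 dave FAIL
2024-01-10T09:00:09 203.0.113.7 erin FAIL
2024-01-10T09:00:11 203.0.113.7 frank FAIL
2024-01-10T09:00:13 203.0.113.7 grace FAIL
2024-01-10T09:00:15 203.0.113.7 heidi FAIL
2024-01-10T09:01:00 198.51.100.4 carol FAIL
2024-01-10T09:01:20 198.51.100.4 carol FAIL
2024-01-10T09:01:40 198.51.100.4 carol SUCCESS
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "SUCCESS"


def window_is_suspicious(window_events, min_users, max_success_rate):
    """A burst of attempts against many distinct accounts with a low success
    rate is the signature of replayed breached credentials: a real user hits
    one account, a stuffer hits many and expects most of them to fail."""
    users = {user for _, user, _ in window_events}
    successes = sum(1 for _, _, ok in window_events if ok)
    return (len(users) >= min_users
            and successes / len(window_events) <= max_success_rate)


def detect_stuffing(log_lines, window=timedelta(minutes=10),
                    min_users=5, max_success_rate=0.2):
    """Return {source_ip: summary} for every source that looks like a
    credential stuffer inside any sliding time window. The summary lists
    the accounts the source did get into: those are the ones to lock,
    force through a password reset and step up to MFA."""
    events = defaultdict(list)
    for line in log_lines:
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            events[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()  # chronological order per source
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward so it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if window_is_suspicious(evs[start:end + 1],
                                    min_users, max_success_rate):
                flagged[ip] = {
                    "attempts": len(evs),
                    "distinct_users": len({u for _, u, _ in evs}),
                    "successes": sum(1 for _, _, ok in evs if ok),
                    "compromised": sorted({u for _, u, ok in evs if ok}),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

On the constructed log the stuffing source is flagged with eight distinct usernames and one success (the ‘bob’ account), while the user retyping their own password is not, because a single username never reaches the distinct-user threshold. Thresholds need tuning per site: a shared corporate NAT or a mobile carrier gateway legitimately produces many usernames from one address, so in practice the user count is combined with signals such as failure rate, user-agent churn and request timing rather than used alone.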
For businesses, reducing reliance on passwords, implementing SSO and adding MFA is an important step. However, if that cannot be done, due to lower IT management budgets or the operational nature of the business, then password managers are essential to ensure good, random, unique passwords are used.
INTELLIGENTCIO 27