IDC Analyst Guest Blog : The Need for Modern Authentication

The use of the password as an instrument of authentication has outlived its usefulness. The era of the password has passed. How did IDC come to this conclusion? It is simple really.

IDC would point to common "best practice: password hygiene.” Common password hygiene generally entails the following:

1. Use a unique password for every account; reuse is not allowed. The compromise of one password will then not affect all accounts.
2. Don't share passwords with others. The only way to ensure security is to keep passwords private.
3. Use long passwords; longer is better. Eight characters are generally accepted as the minimum length, but many advocate passwords as long as 14 characters. Opting for a passphrase is a viable way to accomplish this.
4. Actively avoid common, known, or "dictionary" words. Choices such as 12345678, password, Password1, or qwerty are definite no-nos. Options that may be personally identifiable such as name, email address, birthday, or phone number should be avoided as well.
5. Include capital letters, numbers, and special characters (like $, @, or !) to dramatically increase the complexity and thus the strength of your password.
6. If you use the special character substitution approach, avoid the common approaches of replacing letters with standard character replacements such as p@ssword or pas$$word.
7. Change your passwords frequently. Most experts advocate quarterly or monthly replacement regimes. Again, avoid common patterns like passwords created in January ending in "1," passwords created in February ending in "2," and so forth.
8. Don't write passwords down; if they are written down, the documentation should not be somewhere expected like attached to your computer or wallet.

The issue continually being failed with common "best practices" for password hygiene is that the expectations are completely unrealistic. They are as mythical as unicorns and Bigfoot. For example, the expectation of practicing good password hygiene with over 100 individual accounts is absurd. Individuals may exist that have such capacity; it would be challenging to meet one that is both willing and able.

Technology has changed. Connectivity has been dramatically improved. Mobility and cloud have dramatically increased the number of use cases for authentication. So, our definition of, and expectations for, authentication also must change. Technology buyers are strongly encouraged to look beyond passwords and consider a modern approach.

Modern authentication has the following primary attributes:

• Modern User Experience—Today's users have a higher user experience expectation than in the past. User experience is about leveraging the spectrum of technology and context available to take the burden of authentication burden back from the end user. Thus, end users are empowered to participate. Choice of challenges must be a fundamental component.
• Authentication Appropriate to the Risk Mitigated—Authentication has far too long been thought of as a binary event (authenticated versus not authenticated). Modern authentication changes the view of authentication from a binary event (authenticated or not authenticated) to viewing authentication as a risk score. The activity that a user is performing has a measured level of risk. The key issue is to consider the risk to be mitigated and then apply authentication challenges in layers to appropriately mitigate that risk.
• Solution--First and foremost, modern authentication solutions need to be appropriately designed, installed, and configured to solve the use case that the solution is looking to address. Modern authentication, thus, must provide broad coverage and application diversity, which is where many organizations and solution providers stumble.
• Invisible Authentication Whenever Possible--The same technology that makes authentication use cases challenging also needs to be leveraged to make authentication stronger. Risk-based authentication needs to be a fundamental component of modern authentication. Attributes that can be measured include IP address (location and reputation), GPS location, device health, and known device attributes.

Let's face the fact. Passwords were invented over 50 years ago. It is no wonder that despite the sophisticated security measures enterprises are putting in place, something as fundamentally simple as a password is tripping us up. The time has come for a modern approach to authentication. The technology is already here and, in most cases, ready to deploy.