Billions and Billions Served used to be the number of burgers served up by McDonald’s, but in the last couple of years it has become a pretty accurate tag line for user credentials. The stats here are essentially irrefutable.
Two-thirds of account takeovers result from exploiting weak or stolen credentials.
Billions of credentials have been stolen from a multitude of online services.
61% of credentials are reused across multiple services.
Can we be honest here? IDs and passwords alone are not secure enough for your employees, your suppliers, your contractors, or your customers. The risk landscape for ID and password protection spans roughly 10 billion endpoints and every interconnected network on the planet.
If you hold any health information, personally identifiable information (PII), financial information, or anything else worth protecting, IDs and passwords won't cut it.
I have talked with dozens and dozens of IT Security professionals and not one has argued otherwise.
So why do we still deliver services protected by an ID and password alone? There are a couple of reasons:
First, as much as we would all love to get rid of them, IDs and passwords are here to stay, simply because there is no ubiquitous alternative. Even if there were one, no company in its right mind would tell its customers to switch to some new whiz-bang authentication method or take their business elsewhere.
Second, enhanced authentication is a touchy topic, especially when it comes to customer-facing services. Improving customer or even employee logins has been fraught with all kinds of issues: expensive key fobs, horrible user experiences, super complicated integration, extremely high cost of operations and management, brand image issues and, finally, support issues. One recent client I talked with said they were considering a two-factor solution for their customer-facing services, then realized there was no way to force their customers to use it, then realized that making the enhancement opt-in would essentially tell their customers that the service was NOT SECURE unless they opted in. Enhanced authentication is so often fraught with issues that the topic simply gets shelved.
But this is not a topic that should be shelved. You can have the best anti-phishing software and user education in the world, but if your users' credentials are already in an attacker's hands, none of it matters. It would be great if we could force all our users to change their passwords every few weeks, or to use long and complicated passwords, but that clearly doesn't fly, or everyone would already be doing it.
At the same time, if anyone in the world can get into our online accounts with a stolen or weak credential, we are increasingly likely to be found "willfully neglectful" if nothing is done.
So what is to be done?
Have a look at adaptive multi-factor authentication. Adaptive multi-factor is invisible to end users in the normal case, but it shrinks the attack surface from 10 billion devices on every network in the world to a couple of approved devices in a few locations, and it can restrict access further by time of day and by user-specific application behavior. The reason multi-factor works so well is that it takes away the two most important assets the attacker has on their side of the equation: unlimited time and a target that never changes. Think about it. One of the worst places you can be in security is a situation where the attacker faces an attack surface that never changes and has unlimited time to work on it. Adaptive multi-factor takes both off the table, and with them what we call the Data Breach Free-For-All. (The Data Breach Free-For-All says: if I have a stolen or weak credential, I can just log in.)
Adaptive multi-factor can be tailored and tuned for any transaction, at login and after login, and gives you a single place to manage any number of security policies for the organization.
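As an added illustration (not code from the original post or from any particular product), here is a small risk-scoring engine in Python that does what the two paragraphs above describe: for every transaction, at login or after it, it checks the device, the location, the time of day, the kind of transaction and the number of recent failures against a policy, and answers allow, step up to a second factor, or deny. The policy values, signal weights, thresholds, device and user names and the sample transactions are all hypothetical.

```python
# Added example (not from the original post): a minimal risk-scoring engine of the
# kind an adaptive multi-factor product runs for every transaction. All policy
# values, signal weights, thresholds and sample events below are hypothetical.
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical per-organization policy: the "couple of approved devices in a few
# locations" from the post, plus a time window and the post-login actions that
# always deserve a second factor.
POLICY = {
    "approved_devices": {"laptop-4f2a", "phone-9c01"},
    "approved_countries": {"US", "CA"},
    "allowed_hours_utc": range(12, 23),        # 12:00 to 22:59 UTC
    "sensitive_transactions": {"wire_transfer", "change_password", "add_payee"},
}

# Hypothetical weights. A score at or above STEP_UP asks for a second factor; at or
# above DENY the request is refused outright, so the attacker gets nothing to probe.
WEIGHTS = {
    "unknown_device": 3,
    "unapproved_location": 3,
    "outside_hours": 2,
    "sensitive_transaction": 2,
    "recent_failure": 1,    # counted once per failed attempt in the recent window
}
STEP_UP, DENY = 2, 7


@dataclass(frozen=True)
class Context:
    """What the policy engine knows about one transaction, beyond the password."""
    user: str
    device_id: str
    country: str
    when: datetime
    transaction: str = "login"      # "login" or a post-login action name
    recent_failures: int = 0


def risk_signals(ctx: Context, policy=POLICY) -> dict:
    """Return every risk signal that fired, mapped to how many times it fired."""
    signals = {}
    if ctx.device_id not in policy["approved_devices"]:
        signals["unknown_device"] = 1
    if ctx.country not in policy["approved_countries"]:
        signals["unapproved_location"] = 1
    if ctx.when.hour not in policy["allowed_hours_utc"]:
        signals["outside_hours"] = 1
    if ctx.transaction in policy["sensitive_transactions"]:
        signals["sensitive_transaction"] = 1
    if ctx.recent_failures:
        signals["recent_failure"] = ctx.recent_failures
    return signals


def risk_score(signals: dict, weights=WEIGHTS) -> int:
    """Weighted sum of the fired signals."""
    return sum(weights[name] * count for name, count in signals.items())


def decide(ctx: Context) -> tuple:
    """Map one transaction to (decision, score, signals)."""
    signals = risk_signals(ctx)
    score = risk_score(signals)
    if score >= DENY:
        return "deny", score, signals
    if score >= STEP_UP:
        return "step_up", score, signals
    return "allow", score, signals


# Constructed sample transactions. Every one of them presents a VALID password for
# "alice"; the password alone is what the attacker in the "Free-For-All" relies on.
AFTERNOON = datetime(2024, 3, 5, 15, 0, tzinfo=timezone.utc)
SMALL_HOURS = datetime(2024, 3, 6, 3, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = {
    "legit_login":         Context("alice", "laptop-4f2a", "US", AFTERNOON),
    "typo_then_ok":        Context("alice", "laptop-4f2a", "US", AFTERNOON, recent_failures=1),
    "legit_wire":          Context("alice", "laptop-4f2a", "US", AFTERNOON, "wire_transfer"),
    "stolen_cred":         Context("alice", "kiosk-0000", "RU", AFTERNOON),
    "stolen_at_3am":       Context("alice", "kiosk-0000", "RU", SMALL_HOURS),
    "stuffing_unknown_dev": Context("alice", "kiosk-0000", "US", AFTERNOON, recent_failures=5),
}


def decisions(events=SAMPLE_EVENTS) -> dict:
    """Evaluate every sample event; returns name -> decision."""
    return {name: decide(ctx)[0] for name, ctx in events.items()}


if __name__ == "__main__":
    for name, ctx in SAMPLE_EVENTS.items():
        outcome, score, signals = decide(ctx)
        print(f"{name:21} -> {outcome:8} score={score} signals={sorted(signals)}")
```

The legitimate user on a known device, in an approved country, during business hours, is allowed through on the password alone, even after one mistyped attempt, which is the "invisible" part. The same valid password presented from an unknown device in an unapproved country is stepped up, and with a third signal (off hours, or a run of failures) it is denied, so a leaked credential by itself never equals a login.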
Admittedly, adaptive multi-factor has carried a connotation of "expensive, bloated, complicated and inflexible". We hear these complaints all the time from companies that have tried to implement it with other solutions. But those connotations are no longer accurate. The adjectives that fit AMFA today are: "easy, cost effective, invisible, simple, straightforward, powerful and flexible".
Adaptive Multi-Factor is worth a look!