What NIST Missed: The value of password management + SSO + strong authentication
The National Institute of Standards and Technology (NIST) recently put out a draft “Guide to Enterprise Password Management” for public comment for feedback and improvement. While it gives a lesson in password management history, it doesn’t quite break new grounds on prescriptive opinion.
Dave Kearns provided useful analysis of the NIST paper in his recent Managing Passwords article on Network World, and a couple of nuggets of wisdom jumped out at me:
- To their credit, the authors immediately add “…organizations should make long-term plans for replacing or supplementing password-based authentication with stronger forms of authentication for resources with higher security needs.” If I were editing, I’d remove that last phrase (“for resources with higher security needs”).
- Username/password as sole authentication method needs to go away, and go away now. Especially for the enterprise but, really, for everyone. As more and more of our personal data, private data, and economically valuable data moves out into “the cloud” it becomes absolutely necessary to provide stronger methods of identification. The sooner, the better.
The only way to improve usability and security of password management today is to combine it with single sign-on and multi-factor authentication, as Dave stated in his piece. Dave’s article made me think a bit more about the NIST paper and the intersection of SSO and strong authentication, and here are some of my observations:
- Workflow Trumps Security: No matter how much security folks put ‘best practices’ in place for security (and managing passwords, specifically), they must mesh with the needs of the business. Users won’t embrace policies and best practices unless they are easy to adopt and don’t interrupt their daily workflow.
- Where’s the Business Value: We frequently hear of high-valued users who feel their job is to get the job done (trading, saving lives) rather than dealing with the mechanics of entering passwords. Mandating a longer and more complex password is great from a theoretical point of view if you log into an application once per day, but not so much if you have to repetitively access the same application multiple times each hour.
- No More Passwords Please: The most effective solution to dealing with password management issues today is to combine stronger user authentication with a system for automating them and leveraging the maximum strength within the passwords – i.e., SSO coupled with the use of opaque (unknown to the users) passwords. This gives you the best of both worlds.
- Automate the Logon Where Possible: Direct injection of the passwords into forms mitigates the ability for keyboard loggers to sniff and record the password and log-in sequence so you can close that potential vulnerability gap.
- Leverage Strong Authentication Options: There are still many people that believe passwords are an inexpensive option for authentication, however today’s strong auth solutions are far more cost-effective, easier to deploy and maintain than they were just a few years ago and more importantly we see higher user adoption.
So the value of password management + SSO + strong authentication is increasing in acknowledgment. Among our customer base at Imprivata 75-80 percent of customers are using one or more form of strong authentication with SSO. We rarely encounter a new deal that does not include strong authentication, and many of our customers prefer to deploy a variety of modalities (finger biometrics, tokens, proximity cards) that they can tie to the security level of the data being accessed by a given user. In fact, now strong authentication is often the driver of a deal, and SSO is pulled through.
--Dave