Bill Burr, the author of the National Institute of Standards and Technology (NIST) password guidance of 2003 (NIST SP 800-63), conceded in a 2017 interview with The Wall Street Journal that the password paradigm he designed was a failure (Robert McMillan, “The Man Who Wrote Those Password Rules Has a New Tip: N3v$r M1^d!” Aug. 7, 2017, https://on.wsj.com/31M0mi7). The familiar requirements of 8–20 characters, one uppercase letter, one lowercase letter, one special character, no match with the username, no reuse of previous passwords, and a forced change every 30/60/90 days have not only failed to secure user environments; they have pushed users toward habits (predictable substitutions, incremented suffixes, reuse across sites) that help bad actors acquire access to the very systems and data that need to be secured. NIST itself dropped composition rules and periodic expiration in the 2017 revision, SP 800-63B.
Companies spend hundreds of millions of dollars each year on identity and access management (ID&AM) programs, yet the return on these investments is, for all practical purposes, zero. With an estimated 81% of cyberattacks occurring as the result of employee action or inaction, it is time to reexamine the entire approach to ID verification, validation, and security.
Consider the following:
- Almost 20% of corporate work areas have passwords written down in clear text and in plain sight.
- One of the most frequent attack vectors is credential theft, usually via phishing. (A widely circulated video shows a “news reporter” interviewing millennials about their password security; by asking friendly, seemingly unrelated questions, the interviewer extracts the passwords of 10 people.)
- Passwords are hard to remember, so people reuse the same passwords, or the same password-building method, across accounts.
- Bad actors now have enough data on people’s behavior, much of it from earlier breach dumps, to predict how a given person will structure passwords and to use that knowledge to breach multiple accounts tied to that user.
During a recent Check Point webinar on 2019 cybersecurity threat predictions, the speaker told the story of Apple employees in Ireland being offered €20,000 to sell their credentials to outsiders. Meanwhile, Forrester Research estimates the average cost of a password reset at $70, and that across all industries companies average 1.4 password resets per user per year when NIST SP 800-63 is followed. Per Gartner, resets account for between 30% and 40% of help desk volume annually.
Organizations that have fully implemented a multifactor authentication (MFA) solution are not in a much better position. MFA helps, but when one of the factors is still a password, the weakest link remains, and the second factors commonly layered on top of it (SMS or app-generated one-time codes, push approvals) can be phished or relayed in real time right along with the password. Only a factor bound to a device the attacker cannot reach, which is what the smart-card approach below provides, closes that gap.
The Alternative: Biometrics
Fortunately, there are alternatives. The federal personal identity verification (PIV) standard (FIPS 201), its Department of Defense implementation the Common Access Card (CAC), and the PIV-interoperable (PIV-I) profile for non-federal issuers all place the credential on a smart card, bind that card to the holder’s biometrics at enrollment, and eliminate passwords for everyday authentication. These standards support—
- logon authentication, including single sign-on;
- physical access authentication; and
- application authentication via application programming interfaces (APIs), software development kits (SDKs), and single sign-on.
These standards work on a two-factor model: something the employee has (the card) and something the employee knows (its PIN), with the biometrics binding the card to the person. First, an employee is issued an ID card with a contact chip (the gold pad) embedded. The chip holds data that matches the identity of the person whose photograph and name appear on the card, loaded only after a defined enrollment process that includes fingerprint capture, a facial image, background checks and, optionally, iris images (retina scans are not part of the standard). The chip also holds the holder’s private keys and their X.509 certificates: an authentication certificate used for logon, a digital signature certificate (used by e-mail systems to prove that the sender is who he claims to be), and a key management certificate used to decrypt data encrypted for the holder. The keys themselves are RSA or elliptic-curve keys; SHA-256 is the hash used inside those signatures, not an encryption algorithm in its own right.
The card is placed in a PC/SC-compatible smart card reader (most are USB CCID-class devices) that is attached to or built into the desktop, laptop or mobile device, or is read over the card’s contactless interface. Logon then works as a challenge-response exchange: the user enters the card’s personal identification number (PIN) to unlock the private key on the chip; the workstation or authentication server sends the card a fresh random challenge; the card signs it with the private key, which never leaves the chip; and the server verifies the signature against the public key in the card’s authentication certificate. Nothing reusable crosses the wire, so a captured response is worthless against the next challenge. Some deployments use a one-time token sent to the user’s registered device (e.g., a cell phone) in place of the PIN prompt.
The cards also have a “failed attempt” safety net, and it is enforced by the chip itself rather than by the middleware. Each wrong PIN decrements a retry counter on the card; when it reaches zero (typically after five tries, a limit the issuer sets), the card blocks the PIN. From then on even the correct PIN is refused until the issuer unblocks the card with its PIN unblocking key (PUK), so a bad actor who later obtains the correct PIN or challenge key gets nothing from the blocked card, and access is denied.
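To make the logon flow described above concrete, here is an added example (not code from the original article and not PIV middleware): a simulated card that holds a P-256 private key, enforces an on-card PIN retry counter, and answers random challenges with ECDSA signatures, beside the relying-party side that issues the challenge and verifies the response. The type and function names, the sample PIN and the retry limit of five are all invented for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Errors the simulated card returns (names invented for this example).
var (
	ErrBlocked     = errors.New("card: PIN blocked, unblock with PUK at the issuer")
	ErrBadPIN      = errors.New("card: wrong PIN")
	ErrPINRequired = errors.New("card: PIN has not been verified this session")
)

// Card models the chip: a private key that never leaves it, a PIN, and an
// on-card retry counter. This is a simulation, not real PIV middleware.
type Card struct {
	priv        *ecdsa.PrivateKey
	pin         []byte
	maxRetries  int
	retriesLeft int
	unlocked    bool // set after a successful PIN check, cleared on removal
}

// NewCard personalizes a card with a fresh P-256 authentication key.
func NewCard(pin string, maxRetries int) (*Card, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{priv: priv, pin: []byte(pin), maxRetries: maxRetries, retriesLeft: maxRetries}, nil
}

// PublicKey stands in for the public key the server reads from the card's certificate.
func (c *Card) PublicKey() *ecdsa.PublicKey { return &c.priv.PublicKey }

// VerifyPIN decrements the on-card counter on a wrong PIN and blocks at zero.
func (c *Card) VerifyPIN(pin string) error {
	if c.retriesLeft == 0 {
		return ErrBlocked
	}
	if subtle.ConstantTimeCompare([]byte(pin), c.pin) != 1 {
		c.unlocked = false
		c.retriesLeft--
		if c.retriesLeft == 0 {
			return ErrBlocked
		}
		return ErrBadPIN
	}
	c.retriesLeft = c.maxRetries // a correct PIN resets the counter
	c.unlocked = true
	return nil
}

// Sign answers a challenge with the card's private key; refused unless unlocked.
func (c *Card) Sign(challenge []byte) ([]byte, error) {
	if c.retriesLeft == 0 {
		return nil, ErrBlocked
	}
	if !c.unlocked {
		return nil, ErrPINRequired
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.priv, digest[:])
}

// Remove simulates pulling the card from the reader: the PIN must be re-entered.
func (c *Card) Remove() { c.unlocked = false }

// NewChallenge is the relying party's fresh 32-byte random nonce.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// VerifyResponse checks the card's signature against the certificate's public key.
func VerifyResponse(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Authenticate runs one logon: PIN -> challenge -> signature -> verification.
func Authenticate(c *Card, pin string, pub *ecdsa.PublicKey) error {
	if err := c.VerifyPIN(pin); err != nil {
		return err
	}
	challenge, err := NewChallenge()
	if err != nil {
		return err
	}
	sig, err := c.Sign(challenge)
	if err != nil {
		return err
	}
	if !VerifyResponse(pub, challenge, sig) {
		return errors.New("server: signature does not verify")
	}
	return nil
}

func main() {
	card, err := NewCard("123456", 5) // constructed sample PIN and issuer retry limit
	if err != nil {
		panic(err)
	}
	pub := card.PublicKey()
	fmt.Println("correct PIN:", Authenticate(card, "123456", pub))
	card.Remove()
	for i := 1; i <= 5; i++ {
		fmt.Printf("wrong PIN try %d: %v\n", i, Authenticate(card, "000000", pub))
	}
	// Even the right PIN is now useless: the counter on the chip is at zero.
	fmt.Println("correct PIN after block:", Authenticate(card, "123456", pub))
}
```

Two properties of the real design show up in the simulation: the retry counter lives with the key, so no amount of host-side tampering resets it, and each logon signs a nonce the server has never used before, so a recorded response cannot be replayed against a later challenge.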
Costs and Downsides
A full implementation of biometric security, covering both logical and physical access, will cost approximately $300 per person upon purchase and $30 per person per year thereafter for six years. At the same time, however, large cost savings emerge from moving away from passwords. On average, an organization will see a 42-month payback period and go cash flow positive during the fifth year after purchase. In organizations with more complex ID&AM systems, the payback period will be even shorter.
The Exhibit contains a pro forma financial analysis for a 2,000-seat implementation of PIV-I for both physical access control systems (PACS) and logical access control systems (LACS).
Exhibit: Cost-Payback Analysis for PIV-I Implementation (table not reproduced here)
As with any security system, the biggest downside is complacency. Going biometric is not a panacea and does not guarantee that an organization cannot be hacked. It does, however, significantly reduce the chance of compromise compared with the business-as-usual (BAU) scenario, because there is no shared secret left to phish, guess, reuse or write down. The organization will also have to change how it operates: any existing password audit team will need to be redeployed, help desk staffing could fall by 30–40%, and comprehensive password management and self-service password reset systems, if used, will have to be retired. Employees who lose or forget their biometric cards will be unable to work until they find or replace them, so the issuance process needs a fast replacement path. Guest access will have to be rethought, since there is no longer a password to hand out.
Real Protection Is Needed
Passwords do not work, and their continued use in the corporate world is costing businesses billions of dollars. It is time to try something that actually protects critical infrastructure.