Ayaaz Janmohamed and Matthew Todd manage IT operations in two very different environments, but their identity and access management challenges aren't different at all.
Janmohamed, IT infrastructure manager for the City of Edmonton Police Service in Alberta, Canada, worries that online outlaws could access electronically stored information on suspects, victims and police officers and put everyone's safety at risk. Todd, CISO and VP of risk and technical operations for Palo Alto, Calif.-based Financial Engines Inc., worries that someone with unauthorized access could steal investors' sensitive financial data and use it for identity fraud and other crimes.
Both have invested plenty of time, money and energy to keep these scenarios from ever happening. And along the way, both have determined that
"The urgency of people getting information is such that people put passwords on a sticky note, or several people try to share passwords on one machine, and so accountability is tossed out," Janmohamed said. Plus many organizations allow employees to choose simplistic passwords that attackers can easily crack, and if an employee needs multiple passwords to access different applications, the problem is exacerbated.
Janmohamed and Todd are not alone. A majority of 358 IT professionals who took a SearchSecurity.com survey on identity and access management in April said passwords are obsolete and want to replace them with stronger methods that include two-factor authentication and single sign-on.
Respondents are also looking to replace traditional passwords with tools like tokens and smart cards.
"Whatever we can do to reduce the number of passwords will help us reduce the human impact," Todd said. "Fewer passwords mean fewer opportunities for things to go wrong."
By the numbers
The drumbeat against passwords has grown louder in recent months. Even Microsoft Chairman Bill Gates has called for their demise.
That mood is clearly reflected in the survey responses.
- About 74% said their users must remember too many passwords, and 63% said coping with multiple
password policies is a problem or a significant problem.
- More than 56% said they're handling too many password resets.
- 79% said their organizations are spending the same or more on password management this year.
Spending on authentication alternatives is also steady or on the increase at many organizations.
- Sixty-four percent said they are spending the same or more on authentication tokens.
- Seventy-six percent are spending the same or more on digital certificates and nearly 50% say
they're spending the same or more on smart cards.
- Seventy percent are spending the same or more on enterprise single sign-on and 63% are spending
the same or more on Web single sign-on.
Spending has declined though in some areas.
- Fewer are investing in biometrics as an alternative. Just 39% of respondents said they will
spend the same or more on biometrics this year, and more than 56% said they're not spending on the
technology at all.
- There is also less spending on federated ID management, with 47% saying they're spending the
same or more on federation ID management and 48% saying they're not spending at all.
From passwords to PINs and tokens
Janmohamed plans to move beyond his organization's current password system toward one that relies on two-factor authentication and enterprise single sign-on.
"We hope to marry up [Microsoft] Active Directory and PKI to create a single sign-on process," he said. This way, the network won't prompt for a full username and password. Instead, he said, it will prompt each user for a PIN and token, and the token will have to be in the machine for the user to get access.
Until then, the police force is taking other measures to reduce the likelihood of password-inspired security problems. If there's no activity on a user's computer for 15 minutes, for example, the user must log back in so that passers by can't walk up to the machine and help themselves.
Itching to federate
For Financial Engines, stronger authentication is also necessary for the company's plans to share applications with business partners through federated ID management, Todd said.
More than 40% of survey respondents said giving partners and suppliers access to their systems would enable a more efficient supply chain process. But for this to work, Todd said, companies must have total confidence that their partners are using ironclad authentication methods. In this regard, most organizations no longer trust the password system people have been using for the last 20-plus years.
For that reason, among others, federation ID management's push toward the mainstream has been slow.
"It's a huge challenge," Todd said. "We have data for millions of people that is sensitive. We are dealing with vast companies not used to smaller companies like us. So it's a bit of a battle getting the bigger guys to federate with a smaller company. We're a tugboat trying to steer the aircraft carrier in another direction."
Cultural change inevitable
While federated ID is a long-term goal, Todd outlined steps the company is already taking to strengthen authentication, which include rolling out SecureID from Bedford, Mass.-based RSA Security Inc. That may be key to getting rid of traditional passwords in the future. But there will probably be some hiccups early on.
"If we replaced the Windows password with a SecurID PIN code, cultural challenges would be involved," he said. "It would be much stronger than passwords but there would of course be some resistance to change."
While some might resist when change ultimately arrives, Todd said, eventually everyone would adjust to life without passwords. To get there though, department heads must be on the same page.
"Anything you do with access control, it's all about mitigating risks to the business, so when I implement sweeping change, team leaders are involved," Todd said. "There may be early grumbles, but eventually everyone adjusts."
Stronger authentication no longer a choice
A move beyond traditional passwords isn't really a choice for companies anymore, especially those doing business online. In fact, financial firms are being required to have two-factor authentication by the Federal Financial Institutions Examination Council (FFIEC).
For that reason, two-factor authentication with a single sign-on capability is priority one for Keith Gosselin, IT officer for Biddeford Savings Bank in Biddeford, Maine. It's a change he's not complaining about.
"Passwords are simply not enough anymore," he said.
This article originally appeared on SearchSecurity.com.