Recently, LastPass partnered with Twit.TV to dive into the state of authentication and identity during an event entitled Cybersecurity and Identity Trends, Unlocked. Leo Laporte, William ‘Ches’ Cheswick, Steve Gibson, and I spent an hour discussing the future of authentication, if we can ever really rid ourselves of passwords, and the impact of biometrics on security practices.
Here are my top three take-aways from our discussion. To watch the full live show, visit https://twit.tv/shows/twit-news/episodes/347?autostart=false.
Passwords have not changed, so we must
Since the first computer model, computers have relied on people to provide a username and password to gain access.
At the time of that first computer, this was probably a decent system: we each had only one or two logins, so we could rely on memory for our passwords. However, as the number of passwords and the risk of cyberattacks have grown over the years, we’ve learned that memory (or even a notepad) is neither a sufficient nor a secure means of keeping track of our login credentials.
Therefore, we must not ask the computer to change its username and password model, but instead change the way that we interact with it.
One way to change how we interact with the system is by using single sign-on (SSO) technology. With single sign-on, we can provide simplified access to applications that end-users interact with every day, such as HR systems or expense reports. Leveraging this technology allows employees to reduce the number of passwords that they must remember or update. Another method is to use password management technology. With a password manager, we can minimize the need for users to remember passwords that fall outside of work-wide single sign-on applications, such as blog sites or personal banking logins.
Using single sign-on or password management to help users keep their passwords secure is required for a strong security posture. Computers may not have adapted past username and password, but we can still ensure that our users are managing their logins securely.
User ease-of-use is essential
All of us on the panel agreed that end-user ease-of-use is a top priority for an identity or authentication solution.
When it comes to cybersecurity, you’re only as secure as your weakest link. Most of the time, that weakest link is an end-user who may not fully understand the importance of security and will, therefore, not consider security a primary motivator for adopting a new technology solution. These are the users who will use ‘Monkey123’ as their password for every website and application.
To increase security through authentication or identity, the solution must be so simple for the end-user that there are minimal barriers to adoption. In fact, the end-user should experience an added benefit of convenience: fewer password resets, streamlined authentication, and a smaller number of apps to sign into.
By prioritizing the end-user experience, teams increase the odds that their end-users will adopt the technology correctly, thus minimizing the risk of the end-user being the weakest link.
Authentication must be strong, but respect privacy
Employing multifactor authentication significantly decreases the risk that a company will be successfully hacked, because it considers a multitude of factors (such as location, facial ID, and IP address) versus only one (such as a password) before granting access to an application.
However, transparency as to where data is stored for multifactor authentication is also necessary. This is particularly true with biometric factors (such as facial recognition or touch ID).
During our panel, I shared an example of how on a recent flight, the airport was testing facial recognition to enter the gate. The first question that came to my mind was – are they storing this data in one centralized location? If so, not only is that data outside of my control, but it also could be at risk if the airport does not protect it correctly.
To respect and protect a user’s digital identity, it is critical that authentication tools include decentralization capabilities.
At LastPass, the biometrics used in our multifactor authentication solution are kept on the user’s individual phone rather than in a centralized repository. This allows us to respect our users’ privacy while providing one of the highest levels of protection: biometric multifactor authentication.
Identity and authentication will continue to develop as digital security becomes a larger priority. I am looking forward to continuing to discuss these trends with our friends at Twit.TV!
To watch the full live show, visit: https://twit.tv/shows/twit-news/episodes/347?autostart=false
To learn more about LastPass, visit: https://www.lastpass.com/solutions/idaas-identity-as-a-service
For more information on our privacy and security practices, visit the LogMeIn Trust & Privacy Center: https://logmeininc.com/trust