Managing the Password Dilemma

Let's face it, passwords stink. They're easy to steal, easier to forget, and they create work for your staff. What's worse, they're weak security on their own: they get phished, reused across sites, and guessed offline once a password database leaks. But for now, we're stuck with them.

Fortunately, there are things that you can do to reduce your risk, and more importantly, increase your level of compliance with requirements ranging from the Health Insurance Portability and Accountability Act (HIPAA) to the Sarbanes–Oxley Act (SOX). But you also need to do it in a way that doesn't add to your management burden more than necessary and that doesn't cost too much. And, of course, it needs to work in all the places where your employees work.

Before you rush into a search for password alternatives, however, it's probably a good idea to give some thought to your password policies, remembering that they need to be used by people. This means that requiring passwords that are too long or too complex will actually decrease their effectiveness in addition to increasing the cost to you.

Their effectiveness is reduced because people write them down so they won't forget, or they forget and your IT department has to perform a reset, which costs you money. Or you need to add a "forgot your password" feature, which has its own set of risks and complexities.

You also need to think about your requirements for routine password changes. The current NIST guidance (SP 800-63B) advises against forcing periodic changes: they push people toward predictable variations of the old password, they carry the same downsides as overly long or complex passwords, and they happen more often. Require a change when there's evidence a password has been compromised, not on a calendar.

But even with a rational password policy, this still isn't a very good way to maintain your compliance level. Clearly you need something else. This is where a second authentication factor comes in.

Second Authentication Factors

For large organizations where most employees work in the office, the most obvious solution is to use the ID badge as a second factor. In nearly all cases, including the government and many Fortune 500 companies, this means adopting the smart card as that second factor. This isn't a new approach and it's widely used; Windows has supported certificate-based smart card logon since Windows 2000. The difference is that the cost of entry is now vastly lower: readers are cheap, and Windows 10 adds Windows Hello for Business, which gives you the same kind of key-based logon with the private key held in the PC's TPM instead of on a card.

But smart cards aren't necessarily the best solution for every company and they're not a solution at all for a mostly mobile workforce. While you can buy laptops with an integrated smart card reader, you're not going to find this as easy to accomplish with your employees who use smartphones or tablets as part of their work.

The obvious solution for mobile users might be to adopt a different form of two-factor authentication (2FA), such as sending out a numeric code using SMS. Every phone that's currently available supports text messaging, and while it entails a brief delay in access while users wait for a text message to arrive, it works well and it's a real improvement over a password alone. Be clear about what it does and doesn't protect against, though: the phone's passcode or biometric lock is not what secures the code. SMS codes can be captured through SIM-swap fraud, SS7 interception, and phishing pages that relay the code to the real site in real time, which is why NIST SP 800-63B classes SMS as a restricted out-of-band authenticator. Short code lifetimes, single use, and a cap on wrong guesses are the minimum if you go this route.

But to be even safer, it's possible to use a dedicated application on the phone as the second factor. You don't have to write one for each type of smartphone your employees use: authenticator apps implementing the time-based one-time password standard (TOTP, RFC 6238) already exist for every major phone OS, and your side only has to share a secret with the app and compute the same six-digit code. You could also use a web app, but then you're back to the password problem again, unless you're prepared to do the server-side development that lets the phone itself vouch for the login, which is not impossible but also not trivial.
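As an added example, not code from the original article, here is the server side of both phone-based second factors described above: issuing and checking a single-use numeric code delivered out of band (as by SMS), and checking a time-based code from an authenticator app per RFC 6238 (TOTP over RFC 4226 HOTP). The SMS transport is a stub that collects messages in a list so the example runs offline; the code lifetime and attempt cap are values chosen for the example, and the secret used in the demo is the RFC 6238 test secret.

```python
"""Added example (not from the PCMag article): server-side verification of
(a) a one-time numeric code delivered out of band, e.g. by SMS, and
(b) a time-based code from an authenticator app (RFC 6238 TOTP over RFC 4226 HOTP).
The SMS transport is a stub; a real deployment would call an SMS provider."""
import hmac
import secrets
import struct
import time

SMS_CODE_TTL = 300   # seconds a delivered code stays valid (chosen for the example)
MAX_ATTEMPTS = 5     # wrong guesses before the pending code is discarded


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC(secret, counter), dynamically truncated to `digits`."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps to tolerate
    clock drift; compare in constant time so timing does not leak digits."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step)
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return True
    return False


class SmsCodeStore:
    """Issues single-use numeric codes sent out of band and verifies them with
    an expiry and an attempt cap. The delivery channel and the clock are
    injected so the example runs offline and is testable."""

    def __init__(self, send_sms, now=time.time):
        self._send = send_sms          # callable(phone_number, message_text)
        self._now = now                # injectable clock
        self._pending = {}             # user -> (code, expires_at, attempts_left)

    def issue(self, user: str, phone: str) -> None:
        # Uniform 6-digit code from the OS CSPRNG (never the random module here).
        code = f"{secrets.randbelow(10 ** 6):06d}"
        # Stored in the clear: a 6-digit space is trivially brute-forced from a
        # hash, so the real protections are the TTL, single use and attempt cap.
        self._pending[user] = (code, self._now() + SMS_CODE_TTL, MAX_ATTEMPTS)
        self._send(phone, f"Your login code is {code}")

    def verify(self, user: str, submitted: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False                       # nothing issued, or already consumed
        code, expires_at, attempts_left = entry
        if self._now() > expires_at:
            del self._pending[user]
            return False                       # expired: user must request a new code
        ok = hmac.compare_digest(code.encode(), submitted.encode())
        if ok or attempts_left <= 1:
            del self._pending[user]            # single use; also burned on the last failed guess
        else:
            self._pending[user] = (code, expires_at, attempts_left - 1)
        return ok


if __name__ == "__main__":
    # Constructed demo input: the RFC 6238 test secret and a list-backed SMS stub.
    rfc_secret = b"12345678901234567890"
    print("TOTP at t=59 (RFC 6238 vector 94287082):", totp(rfc_secret, 59, digits=8))
    outbox = []
    store = SmsCodeStore(send_sms=lambda phone, text: outbox.append((phone, text)))
    store.issue("alice", "+15555550100")
    delivered = outbox[-1][1][-6:]
    print("SMS code accepted:", store.verify("alice", delivered))
    print("Replay rejected:", store.verify("alice", delivered))
```

The TOTP side needs no per-platform app work: any RFC 6238 authenticator given the same secret produces the same codes, and the one-step drift window is the usual compromise between clock skew and replay exposure. The SMS side shows where the real controls sit: a CSPRNG-generated code, a short lifetime, single use, and a guess cap, none of which depend on the phone's lock screen.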

By now you might be wondering about those whole-hand print readers you see at some data centers, or you might be thinking about fingerprint or retinal scan readers. Those all can work well and they're an obvious solution for a high-value installation, such as your data center. But they require a significant investment in infrastructure and they require people to manage them. Keep in mind, too, that a biometric is an identifier rather than a secret: it can't be changed if the template database leaks, so it belongs alongside a card or PIN, not in place of one. We're trying to think about ways to improve compliance without adding people or spending too much money.

Other Ways to Improve Compliance

What this means is that you'll need to take more than one approach. For your office workers, you might implement smart cards as a factor in authenticating your employees. This has advantages for physical security in addition to helping your compliance, and the cost of entry is within the reach of even smaller organizations.

For reference, smart card readers that work with Windows are available in quantities of one for about $10. Keyboards with integrated smart card readers cost as little as $25 in quantities of one.

For your mobile users, an authenticator app is the better choice where you can deploy one, but SMS messages for 2FA remain an option you've certainly seen already, whether you're working with Apple or Microsoft or a number of other sites. A number of companies will handle the delivery for you. One example is Twilio, but there are others. Whichever provider you use, keep the code's lifetime short, make it single use, and limit wrong guesses on your side; the provider only delivers the message.

What matters is that you can do something about your password dilemma while not having an undue impact on your staff or your budget. Your path to compliance will be easier because you've provided greater access security, and you might even ease your staff load by adopting policies that work, while also adding a level of security. For you and your IT team, it's a win on all sides.

This article originally appeared on PCMag.com.