The current pandemic is impacting all areas of IT, and that includes some of the tried and true tools of security. Passwords are one example of this, and some have speculated that the COVID-19 crisis might finally be the impetus that pushes them aside. In fact, Forbes trumpeted the possible pandemic demise of passwords in a recent article entitled "Could Coronavirus Finally Kill Passwords?"
Anyone who uses the internet knows the hassles of using a user name and password to access their own information, whether it's their banking, online shopping, social media, medical information, etc. If you're a business owner or executive at a company who is thinking about digital security, the user name/password paradigm is more than a hassle; it's a true security challenge that keeps many of us up at night.
I can tell you that deploying a companywide strategy for eliminating passwords isn’t easy.
Banned passwords—Create a list of banned passwords that your user population is prevented from using. These are passwords that are commonly used, such as qwerty123, 123456, password1, and those that are easily guessable, like sports teams and month/year combinations. This list can be created using Azure Active Directory (Azure AD) password protection, which works in a hybrid environment and leverages machine learning from 650B authorizations every month. You could also create a list via other service offerings available in the industry.
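A minimal version of such a check, added here as an illustration (it is not code from the original post, and it is not the algorithm Azure AD password protection uses); the banned entries and the organization-specific terms such as a team name are constructed for the example, and the normalization step shows why a list check should not be a plain string comparison:

```python
# Added example (not from the original post, not Azure AD's own algorithm):
# a banned-password check covering the three classes the post names: common
# passwords, month/year combinations and locally chosen terms such as sports
# teams. Normalization makes "P@ssw0rd1!" count as a variant of "password".
import re
from typing import Optional

# Constructed lists: a global banned set plus organization-specific terms.
BANNED = ["qwerty123", "123456", "password1", "password", "letmein"]
CUSTOM_TERMS = ["seahawks", "contoso"]          # hypothetical local terms

# Common character substitutions to undo before comparing.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})
MONTHS = ("january|february|march|april|may|june|july|august|september|"
          "october|november|december|jan|feb|mar|apr|jun|jul|aug|sep|sept|"
          "oct|nov|dec")
# Matches e.g. "March2020", "Sept-2021", "jan_2019!"
MONTH_YEAR = re.compile(
    rf"^(?:{MONTHS})[^a-z0-9]{{0,2}}(?:19|20)\d\d[^a-z0-9]{{0,2}}$")


def normalize(pw: str) -> str:
    """Lower-case, drop leading/trailing digits and symbols, undo substitutions."""
    low = pw.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", low) or low
    return core.translate(LEET)


# Map each normalized root back to the term it came from, for the message.
ROOTS = {normalize(t): t for t in BANNED + CUSTOM_TERMS}


def is_banned(pw: str) -> Optional[str]:
    """Return the reason a password is rejected, or None if it is allowed."""
    low = pw.lower()
    if low in BANNED:
        return f"banned password '{low}'"
    if MONTH_YEAR.match(low):
        return "month/year combination"
    root = normalize(pw)
    for banned_root, term in ROOTS.items():
        # Substring match so "mypassword" and "goseahawks" are also caught.
        if len(banned_root) >= 4 and banned_root in root:
            return f"variant of banned term '{term}'"
    return None


if __name__ == "__main__":
    for c in ["P@ssw0rd1!", "March2020", "GoSeahawks2019", "xK9#mZ2pLq7v"]:
        print(f"{c:16} -> {is_banned(c) or 'ok'}")
```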
Use Multi-Factor Authentication (MFA)—MFA, or two-factor authentication, is a secure authentication method in which a user is only granted access after successfully presenting at least two separate pieces of evidence to an authentication mechanism. Using MFA is the single most effective security practice that companies are NOT employing. We employ MFA in our environment, but there are multiple options for implementing MFA. In fact, this technology now lets companies go passwordless, which makes MFA even easier to implement.
Legacy authentication—The final and most difficult step in the process is eliminating the use of legacy authentication. This includes all protocols that use basic authentication and can’t enforce any type of second-factor authentication. This step is time consuming, laborious, and can create headaches when it occasionally breaks services. If your company is already completely in the cloud and doesn’t have any legacy authentication anywhere, you can eliminate passwords very quickly. For the rest of us, it will take longer.
Our last piece of advice is to think carefully about how you engage with users to implement all the steps outlined in this blog. Promote the user benefits at the outset of your program. You will find that employees are universally excited about eliminating passwords, so communicating with them about how each step in the process helps reach that goal only adds to its success.