According to a recent survey, 65 percent of respondents indicated that they believed their organization would experience a security breach at some point in the future. While this percentage may, or may not seem astounding, the culprit seems to be one of the oldest issues out there – compromised credentials.
Ever since passwords came in to use at MIT back in the 1960s as an attempt at controlling timesharing in their computer lab, people have tried to find ways around them, usually for nefarious purposes. It stands to reason that more than 50 years later, someone would have figured out a method to resolve this issue once and for all.
There are many security projects going on today that are the latest iteration, with biometrics seemingly leading the way. One of these methods is the adoption of fingerprint scanners on smartphones. This technology is becoming ubiquitous and can be done on mobile devices, with a PIN code failover. It stands to reason that this technology would be more readily adopted via fingerprint scanners embedded in keyboards and laptops, if the cost and availability were more reasonable.
Other technologies include facial recognition with Windows 10, and additional technology in development by Amazon. While Windows “Hello” requires a special camera that is just now starting to become prevalent in the marketplace, Amazon’s technology will utilize a standard webcam will likely require an iteration of photos where the user changes facial expressions (smile, blink, etc.) to verify the user more securely.
Another technology that holds tremendous premise is biometric technology that evaluates the way a user interacts with their keyboard, mouse and smartphone. This method is called keystroke dynamics, and is part of behavioral biometrics. The technology can be utilized not only as a pass/fail threshold test when a user logs in, but can also constantly assess the user’s pattern while utilizing the computer or smartphone.
Behavioral biometrics could alleviate two concerns. This method becomes a second factor of authentication upon login, but can also force a re-validation should something change during the work day. Let’s say a user gets up from their desk for a quick break but fails to lock the screen. Another individual could easily walk up to the machine and access sensitive data. The keystroke biometrics application would detect the change in user based on how they are interacting with the computer and immediately ask the person to re-enter their credentials. A third factor can also be added as part of this revalidation process and require the entry of a PIN that has been delivered via SMS or a smartphone application.
Other options for securing the network from compromised credentials, are also available, and are even less intrusive to end users. These methods, though, are best utilized in combination with another technology other than passwords. These technologies involve restrictions on who can access the network and from where, and can be useful in mitigating risk from the outside hacker, but do little to prevent an insider from wreaking havoc. Time of day restrictions are one step – limiting when someone can access their machine based on their normal usage patterns. Another step is IP limiting – only allowing usage to sensitive applications and data if the IP origin is within a specific range. Geo-fencing is another option and restricts users based on location range of either the main office or their home for example.
Regardless if one or many of the technologies are ultimately adopted, organizations must move in the direction of securing user credentials beyond the simple user name and password. If not, security breaches due to compromised credentials will continue to occur and this topic will remain very relevant for another 50 years.