1. What is the biggest IT governance mistake enterprises make?
One of the biggest mistakes we make on the IT governance side is the failure to recognize and adapt to change. For example, as was highlighted over the past 2.5 years, the pandemic forced us to change from a mostly onsite workforce to a completely remote workforce. Now, this paradigm is once again shifting to a hybrid workforce. While this was an obvious shift, many changes can be significantly more subtle and thus may go unrecognized. At the same time, security threats change. Whereas a year ago we were most concerned about malware, today it may be ransomware, or cyber threats caused by foreign factions.
One area of key concern is how we approach authentication. For decades, we have relied on password-based authentication as a means of getting to data, applications and functions that the general public could not. In actuality, passwords were never originally architected to be a means of granting access, but rather as a means to reserve computer time on mainframe computers.
Recognizing this, we have layered on additional methods to ensure “secure” authentication. This includes password+PIN, one-time passwords, time-based passwords, push authentication codes and much more. We’ve added a ton of technology with the intent of increasing security, yet we still see breaches based on stolen or otherwise compromised credentials every day. We’ve continued to layer on technology after technology, and all we’ve really accomplished is adding more complexity and friction to an authentication scheme which is still not secure.
We’ve failed at providing a truly secured means of authentication that is also frictionless to the user.
2. What makes this mistake so potentially destructive?
We’ve attempted to increase the security associated with password-based authentication. All we’ve really done is add complexity, cost and a false sense of security.
The root of the problem is the password. In fact, there are more than 1.5B compromised credentials on the darknet today. Most organizations face an impossible trade-off between security and usability. Organizations need both, but traditional IAM and password technologies force organizations to give up one to get the other. The more secure the authentication approach, the more friction is involved. This negatively impacts user satisfaction and productivity. Conversely, the more seamless the authentication experience, the less secure it is. Most organizations are struggling or failing with authentication at the worst possible time:
● 65% of organizations believe their authentication is not secure.
● 49% of organizations have struggled to deploy MFA due to poor user experience.
With traditional MFA solutions providing little additional assurance, organizations are vulnerable unless they make a change.
3. What is the best way to avoid making this mistake?
By eliminating the password and all other shared secrets, we can eliminate the most common cyber attack vector. As noted before, passwords were never designed to be used as an authentication method, so why not graduate to a frictionless and more secure method of authentication?
It’s time to fix the way the world logs in.
4. What constitutes a solid IT governance approach?
Passwordless MFA (PMFA) is the only way to break this cycle. PMFA is phishing-resistant and is core to the Zero Trust model, which is part of FIDO2. CISA has endorsed FIDO2 as the gold standard for authentication.
A specific approach should encompass:
- Make authentication so easy that users and customers don’t know it’s happening. The experience should be fast and seamless from the desktop to the cloud, thereby enabling users while also empowering security teams to truly secure their organization against unacceptable risk.
- Eliminate the weakest link in the security chain by providing authentication that virtually eliminates automated attacks and account takeover.
- Deliver unparalleled security from business users to consumers to the Internet of Things, eliminating frustration across the entire attack surface.
- Become part of the community of innovators who want to create a safer, more accessible world by advancing the development and use of open standards to create a system that is ubiquitous and not confined to one company.
About the Author
Bojan Simic is CEO and CTO of HYPR. HYPR fixes the way the world logs in by breaking the trade-off between strong security and consumer-grade user experiences. Our approach shifts the economics of attack and risk in the enterprise’s favor by replacing password-based MFA with Passwordless MFA.
Featured image: ©Antonio Diaz