Five Reasons Why Authentication Still Matters -- and Still Isn't Fixed

That’s the conventional wisdom, at least, but it’s a myth. Despite a flurry of new regulations, user names and passwords still rule the enterprise. Tokens and one-time-password generators are making inroads, but it’s slow, plodding progress.

We all know that user names and passwords offer horrible security. They enable phishing. They are easily guessed. They can be cracked by simple brute-force attacks. And they are essentially the gateway to larger security breaches, such as intellectual property theft, corporate espionage and identity theft.

So, why are they still so prevalent?

A few reasons. The first is cost. Multifactor authentication is expensive. The initial outlays for tokens, password generators, biometrics and even authentication servers are high, while ongoing support costs often outstrip the already high help-desk costs for retrieving and resetting passwords.

Second, user names and passwords are convenient. Yes, users forget them. Yes, people have far too many and get them confused. Yes, user names and passwords encourage poor security practices, like writing them down or keeping an easily hacked Word file titled “passwords.” Yet, they are simple and easy.

Finally, they’re portable. It’s not a good security practice, but if you have a strong password that you’ll remember, you can use it across applications, with a number of service providers and on different channels. You shouldn’t, but let’s face it: most of us do.

And that’s why authentication should be on top of the list of our security concerns, not at the bottom.

Not convinced? Here are five more reasons why 2009 should be the year your organization fixes authentication:

1.) User names and passwords are everywhere.

This is a classic good-news, bad-news scenario. The good news is that not all user-name, password logins are made equal. At online banking sites, for instance, the fact that most users login they way they always have obscures the fact that other authentication is happening behind the scenes. Devices themselves are authenticated and technologies like geolocation and transaction monitoring significantly raise the security bar.

That’s in banking. Elsewhere the picture is less rosy.

“The adoption of multifactor authentication has been frustratingly slow,” said Paul Barret, CEO of Passfaces Passfaces, a startup that provides multifactor authentication solutions based on humans’ innate ability to recognize faces. “The only real adoption is in the financial sector. The fact is that 99% of authentication is still done with passwords alone.”

Despite all the talk of tokens and biometrics, multifactor authentication is still rare. Even in the enterprise, where many believe that strong authentication is the norm, adoption has been slow, mostly due to cost and support issues.

“We estimate that no more than 10% of the enterprise has adopted strong authentication,” said Neil Hollister, CEO of CRYPTOCard CRYPTOCard, a provider of authentication solutions.

With the business sector slow to move, is it any surprise that as consumers almost all of our online transactions are accomplished via user names and passwords alone? Sure, most transactions are low risk, but even low-risk activities can open the door to identity theft.

2.) Phishing hasn’t gone away.

This isn’t a scientific sample, but I probably get a half dozen to a dozen phishing junk mails a day, minimum. Granted, my email address is published widely, so I get more spam in general than most, but there are still an alarming number of phishing attempts in my junk box each day.

A flurry of new emails is linked to the financial crisis. The social engineering trick this time around is to capitalize on the fear caused by the bad economy and failing banks. “Are you worried about your accounts? Click here to verify your account details and ensure that your funds are safe.”

People don’t think clearly during a panic situation, and many have clicked through and entered their account details.

“Phishing may have fallen off the radar, but it’s still there,” Barret said, “It’s like spam; even if you get only one response in a million, your efforts pay off.”

According to Cisco’s 2008 Annual Security Report , attackers are moving away from shotgun-style phishing to targeted fishing, also called spear phishing.

For instance, instead of sending phishing emails that mimic large banks, attackers use smaller regional banks and include local details, like naming the bank manager, to make them seem authentic. Or they send out emails appearing to be from alumni associations requesting updated information, from the IRS saying you’re about to be audited, or from the Better Business Bureau asking business owners to respond to a complaint.

A high-profile spear fishing campaign was the CEO subpoena attack of earlier this year. Phishers sent emails to senior executives at a number of U.S. companies telling them that they’d been subpoenaed for a federal court case. Victims were directed to a website that looked like the California federal court page, where they were told they needed to download a plug-in to view the subpoena. The plug-in, of course, was actually malware.

According to VeriSign, about 2,000 executives fell for the scam.