This blog was written by an independent guest blogger.
Access management is a key element of any enterprise security program. Using policies defined by IT administrators, access management enforces access rights across the network. It does this by designating which groups of users are allowed access to which applications and identifying which user attributes are required to access each application.
Problems arise for businesses when they base their access management programs entirely around passwords, however. Such programs overlook the burden that passwords can cause to users as well as to IT and security teams. That explains why Thales calls this type of access management a “productivity killer.”
Let’s explore how below.
Passwords: An unsustainable business cost
Users have too many passwords to remember on their own. According to Tech.co, a 2021 study found that users now need to track 100 passwords across their various web accounts. That’s an increase of 25% since 2019 when the average number of passwords was just 70-80.
Many users respond to this sprawl by trying to make life easier on themselves and reduce the stress of needing to remember so many passwords. They oftentimes do this by creating weak passwords with small variations from one another. Other times, they simply reuse the same password across multiple web accounts.
Indeed, Infosecurity Magazine shared an April 2020 survey that arrived at the following results:
- Nearly half (45%) of respondents said that they did not consider reusing their passwords to be a serious problem. This explains why an even greater proportion (52%) felt comfortable admitting that they shared their streaming site passwords.
- Approximately three in 10 survey participants said that they reused their streaming site passwords for more sensitive services such as online banking accounts.
- Two in 10 individuals said that they weren’t sure whether those with whom they shared their passwords went on to share those same credentials with others.
It was a similar story with a study covered by Threatpost about a month later. Two-thirds of respondents in the report said that they “always” or “mostly” reuse a known password in its entirety or a close variant of it for their new web accounts. Such behavior persisted even though 91% said they knew reusing a password posed a risk to their business.
Small surprise, therefore, that weak and reused passwords continue to cost organizations. In its 2020 Data Breach Investigations Report (DBIR), for instance, Verizon Enterprise revealed that brute-force attacks and the use of lost or stolen credentials factored into 80% of the hacking-related breaches it analyzed. Along those same lines, the Ponemon Institute and Proofpoint revealed that organizations experience an average of 5.3 credential compromises every year. Each of those incidents cost an average of $692,531 for organizations to contain in 2021. That’s nearly double its price tag of $381,920 back in 2015.
Passwords cost organizations in ways other than data breaches, too. Back in 2018, Infosecurity Magazine shared a survey of network security decision makers where those working for large organizations revealed that they commonly allocated over £700,000 each year for password-related support costs. The study went on to reveal that a single password reset could cost organizations as much as $70 in terms of teams’ time and money. That’s fewer resources available for IT and security personnel to spend on other projects.
Where this leaves access management
Several service providers are beginning to shift away from passwords. Just recently, for instance, Microsoft announced that users could begin leveraging passwordless methods such as the Microsoft Authenticator app to authenticate themselves with Microsoft Edge and their Microsoft 365 apps. Organizations can incorporate such news into their security awareness training programs to phase out passwords where they can.
Simultaneously, they can work to move their access management programs away from requiring employees to have a different set of credentials for each account or asset they need to access. They can do this by looking to Single Sign-On (SSO). SSO solutions act as an intermediary between users and target systems in that they map different credentials sets required by various applications and services to a single username/password pair.
From the perspective of the user, SSO helps to eliminate password fatigue by requiring users to remember only a single set of credentials. There’s no reason for them to reuse their passwords if they can access multiple web accounts with the same username and password, after all. When paired with other security measures such as multi-factor authentication (MFA), SSO can help to reduce the security risks posed by passwords.
Simultaneously, SSO alleviates the job of administrators. Fewer passwords mean fewer password-reset tickets. Admins are therefore free to work on other initiatives.
Putting the password in its place
In an article for Security Intelligence, I said, “the password doesn’t matter. It’s not the password you need to protect; it’s what’s on the other side of the password that’s worth defending.” I stand by those words. SSO, MFA, and other technologies are helping access management to evolve beyond the password. All the better for users, admins, and organizations alike.