Are passwords passé?
Carl Mazzanti, September 11, 2023
Passwords are the bane of our existence. But there are alternatives.
Passwords are positioned as a critical layer of cybersecurity, and we are correctly advised that an effective password should be unique, long, and complex (a mix of letters, numbers, and other symbols) and should never be reused across accounts. In theory, then, users are expected to remember dozens of distinct, lengthy passwords across their business and personal accounts.
Guess what? That is not going to happen.
Instead, many people take shortcuts. They use passwords like “Password” or “12345,” and they reuse the same password for their online bank account and other sensitive accounts. When a cybercriminal cracks or leaks a single password, they can replay it against every other account the victim holds (a technique known as credential stuffing). The outcome is never good for the victim.
Users have options, however, thanks to cybersecurity advances.
One alternative is to delegate password creation and storage to a password manager, which many cybersecurity vendors offer as part of an integrated corporate solution. The manager generates a strong, random password for each site and stores them all in an encrypted vault that the user unlocks with a single master password, so only one secret has to be remembered. Single sign-on (SSO) attacks the same problem from a different direction: the user authenticates once to a central identity provider, which then vouches for the user to the company's applications so that those applications need no separate passwords at all. The two are often deployed together, with SSO covering corporate applications and the password manager covering everything else.
To further enhance security, an SSO deployment should be coupled with multifactor authentication (MFA). MFA is a multistep login process that requires users to present something beyond a password, such as a one-time code from an authenticator app or a tap on a hardware security key. Codes sent by email or SMS are better than nothing but can be intercepted or phished, and “secret questions” are not a second factor at all, since they are just another thing the user knows. Whichever form is used, the additional step helps prevent unauthorized account access if the password itself has been compromised.
Other approaches may supplement passwords or bypass them completely. Think about the last time you used a credit card: the store clerk or website did not ask for a password or an MFA code. Part of what makes that safe is risk-based authentication (RBA), which, as its name implies, weighs risk factors when making an authentication decision. RBA goes beyond a static login check and lets administrators create rules that modify authentication behavior: making it easier when the risk is low, or demanding additional steps to confirm the user is legitimate when the risk is high. And if enough signals fail to pass muster, access may be blocked outright, even if the user supplied a correct one-time password.
In essence, RBA builds a baseline of the user's typical behavior and account patterns. It can be something as simple as knowing that a particular small-business owner always uses a specific ATM for cash withdrawals; if a withdrawal is then attempted in another state, the customer is presented with additional authentication challenges, or is granted only conditional access until they prove their identity.
Similarly, if a bad actor tries to use a stolen business credit card, the unusual spending pattern is likely to trigger an RBA alert, and the legitimate user should receive a notification from their bank within moments of the attempted transaction. Systems of this kind adjust risk dynamically and cover a far broader set of conditions than a static password check can.
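The following is an added example, not code from the article or from eMazzanti, showing the shape of the RBA rules described above in Python: a small set of independent risk signals (new device, new country, unusual hour, impossible travel) that add up to a score, with a three-way decision of allow, step up to a one-time password, or block even when the one-time password is correct. All names, weights, thresholds and the sample profile and login attempts are hypothetical and constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional


@dataclass
class UserProfile:
    """Hypothetical baseline for one user, built from past accepted logins (constructed)."""
    known_devices: set
    known_countries: set
    usual_hours: range                   # UTC hours in which this user normally logs in
    last_login: Optional[tuple] = None   # (timestamp, latitude, longitude) of last accepted login


@dataclass
class LoginAttempt:
    device_id: str
    country: str
    lat: float
    lon: float
    at: datetime                         # timezone-aware, UTC
    otp_valid: bool = False              # did the user also supply a correct one-time password?


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km, used by the impossible-travel rule."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def risk_score(profile, attempt):
    """Sum of weighted, independent risk signals; the weights are illustrative and tunable."""
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:
        score += 30
        reasons.append("new device")
    if attempt.country not in profile.known_countries:
        score += 40
        reasons.append("new country")
    if attempt.at.hour not in profile.usual_hours:
        score += 10
        reasons.append("unusual hour")
    if profile.last_login is not None:
        prev_at, prev_lat, prev_lon = profile.last_login
        hours = (attempt.at - prev_at).total_seconds() / 3600
        km = haversine_km(prev_lat, prev_lon, attempt.lat, attempt.lon)
        if hours > 0 and km / hours > 900:   # faster than any commercial flight
            score += 50
            reasons.append("impossible travel")
    return score, reasons


def decide(profile, attempt):
    """Low risk: allow. Medium risk: step up to an OTP. High risk: block even with a valid OTP."""
    score, reasons = risk_score(profile, attempt)
    if score >= 70:
        return "block", score, reasons
    if score >= 30:
        return ("allow" if attempt.otp_valid else "step_up"), score, reasons
    return "allow", score, reasons


def evaluate_sample_logins():
    """Run four constructed login attempts against one constructed profile."""
    def at(hour):
        return datetime(2023, 9, 11, hour, 0, tzinfo=timezone.utc)

    profile = UserProfile(
        known_devices={"laptop-1"},
        known_countries={"US"},
        usual_hours=range(8, 19),
        last_login=(at(9), 40.74, -74.03),   # Hoboken, NJ at 09:00 UTC
    )
    attempts = {
        "known_device_same_place": LoginAttempt("laptop-1", "US", 40.74, -74.03, at(10)),
        "new_device_no_otp": LoginAttempt("phone-9", "US", 40.74, -74.03, at(10)),
        "new_device_with_otp": LoginAttempt("phone-9", "US", 40.74, -74.03, at(10), otp_valid=True),
        # Sao Paulo two hours after a New Jersey login: new country plus impossible travel.
        "impossible_travel_with_otp": LoginAttempt("laptop-1", "BR", -23.55, -46.63, at(11), otp_valid=True),
    }
    return {name: decide(profile, a) for name, a in attempts.items()}


if __name__ == "__main__":
    for name, (decision, score, reasons) in evaluate_sample_logins().items():
        print(f"{name}: {decision} (score {score}; {', '.join(reasons) or 'no signals'})")
```

The last case is the one the paragraph above stresses: the user typed a correct one-time password, but a new country combined with travel faster than an airliner pushes the score past the block threshold, so the OTP does not rescue the login. In production the weights would be learned from the user population rather than hard-coded, and the "last accepted login" would be updated only after a decision of allow.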
Another solution is attribute-based access control (ABAC), a multidimensional approach to data security that permits or restricts access to sensitive data based on attributes of the user, the data object, the environment, and the purpose of the request: group, department, employment status, job title, device type, IP address, time of day, or any other factor the business cares about. A policy might, for example, restrict access to the HR-payroll system to users who are current employees in certain departments, such as HR, and only during business hours in the company's own time zone, with every request that no rule explicitly permits denied by default.
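As an added example (not the article's or eMazzanti's code), here is the HR-payroll policy from the paragraph above expressed as a minimal ABAC evaluator in Python. Requests carry subject, resource and environment attributes; rules are predicates with a permit or deny effect; and the combining logic is deny-overrides with a default deny. The attribute names, rule names, time zone and the sample requests are all hypothetical and constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Request:
    subject: dict       # attributes of the user making the request
    resource: dict      # attributes of the data or system being accessed
    environment: dict   # attributes of the context: time, device, network


@dataclass
class Rule:
    name: str
    effect: str                            # "permit" or "deny"
    condition: Callable[[Request], bool]   # predicate over the request's attributes


BUSINESS_HOURS = range(8, 18)              # 08:00 to 17:59 local time (hypothetical)
COMPANY_TIMEZONE = "America/New_York"      # hypothetical company time zone

# Hypothetical policy: an explicit deny for unmanaged devices plus one permit for payroll.
POLICY: List[Rule] = [
    Rule("deny-unmanaged-device", "deny",
         lambda r: r.environment["device_type"] != "managed"),
    Rule("hr-payroll-during-business-hours", "permit",
         lambda r: r.resource["system"] == "hr-payroll"
         and r.subject["employment_status"] == "employee"
         and r.subject["department"] == "HR"
         and r.environment["timezone"] == COMPANY_TIMEZONE
         and r.environment["local_hour"] in BUSINESS_HOURS),
]


def evaluate(policy: List[Rule], request: Request) -> Tuple[str, List[str]]:
    """Deny-overrides combining: a matching deny wins, then any matching permit, else default deny."""
    matched = [rule for rule in policy if rule.condition(request)]
    denies = [rule.name for rule in matched if rule.effect == "deny"]
    if denies:
        return "deny", denies
    permits = [rule.name for rule in matched if rule.effect == "permit"]
    if permits:
        return "permit", permits
    return "deny", ["default-deny"]


def evaluate_sample_requests():
    """Evaluate six constructed payroll-access requests against POLICY."""
    payroll = {"system": "hr-payroll", "sensitivity": "high"}

    def env(hour, device="managed", tz=COMPANY_TIMEZONE):
        return {"local_hour": hour, "device_type": device, "timezone": tz}

    hr_employee = {"department": "HR", "employment_status": "employee", "position": "analyst"}
    hr_contractor = {"department": "HR", "employment_status": "contractor", "position": "analyst"}
    sales_employee = {"department": "Sales", "employment_status": "employee", "position": "rep"}
    cases = {
        "hr_employee_office_hours": Request(hr_employee, payroll, env(10)),
        "hr_employee_late_night": Request(hr_employee, payroll, env(23)),
        "hr_employee_other_timezone": Request(hr_employee, payroll, env(10, tz="Europe/London")),
        "hr_employee_unmanaged_device": Request(hr_employee, payroll, env(10, device="personal")),
        "hr_contractor_office_hours": Request(hr_contractor, payroll, env(10)),
        "sales_employee_office_hours": Request(sales_employee, payroll, env(10)),
    }
    return {name: evaluate(POLICY, req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (decision, rules) in evaluate_sample_requests().items():
        print(f"{name}: {decision} via {', '.join(rules)}")
```

The point to notice is that the policy never enumerates users or roles: adding a requirement (say, that the request arrive from the corporate IP range) is one more attribute comparison, and a request that satisfies no permit rule falls through to deny without anyone having to write a rule for it.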
Many devices and systems already collect large volumes of user data, including location. They can also collect behavioral attributes, such as how long a person's fingers take to execute particular keystroke combinations or how long they pause before clicking a given button on a website. This is known as behavioral biometrics: existing and future systems may not only check that the correct password was typed but also judge whether the way it was typed matches the user's historical pattern.
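An added example, not from the article or eMazzanti, of the keystroke-timing check just described, written in Python: a profile of per-interval mean and standard deviation is built from a few enrollment typings of a passphrase, and a new typing is scored by its average z-score against that profile. The enrollment intervals, the sample typings and the threshold are hypothetical and constructed; a real system would collect them from the user's keyboard events.

```python
import statistics
from typing import List

# Constructed enrollment data: inter-keystroke intervals in milliseconds recorded
# over five typings of the same passphrase by the legitimate user (hypothetical numbers).
ENROLLMENT: List[List[int]] = [
    [120, 95, 210, 80, 140, 160],
    [125, 100, 200, 85, 135, 155],
    [115, 90, 220, 75, 145, 165],
    [130, 105, 205, 90, 130, 150],
    [120, 95, 215, 80, 140, 160],
]


def build_profile(samples):
    """Per-interval mean and standard deviation across the enrollment samples.

    The 1 ms floor on the standard deviation keeps an unusually consistent typist from
    producing a profile so tight that their own ordinary variation is rejected."""
    columns = list(zip(*samples))
    means = [statistics.mean(c) for c in columns]
    stdevs = [max(statistics.stdev(c), 1.0) for c in columns]
    return means, stdevs


def typing_distance(profile, sample):
    """Mean absolute z-score of a new typing against the stored profile."""
    means, stdevs = profile
    if len(sample) != len(means):
        raise ValueError("sample length does not match the enrolled passphrase")
    return sum(abs(x - m) / s for x, m, s in zip(sample, means, stdevs)) / len(means)


def matches_user(profile, sample, threshold=2.0):
    """True when the typing rhythm is, on average, within `threshold` standard deviations."""
    return typing_distance(profile, sample) < threshold


def evaluate_sample_typing():
    """Score two constructed typings of the correct passphrase: the real user and a scripted replay."""
    profile = build_profile(ENROLLMENT)
    samples = {
        "legitimate_user": [122, 98, 208, 83, 139, 157],
        "scripted_replay": [60, 50, 100, 40, 70, 80],   # right password, uniformly too fast
    }
    return {name: (round(typing_distance(profile, s), 2), matches_user(profile, s))
            for name, s in samples.items()}


if __name__ == "__main__":
    for name, (distance, ok) in evaluate_sample_typing().items():
        print(f"{name}: distance {distance}, {'matches' if ok else 'does not match'} profile")
```

Both typings contain the correct password; only the rhythm separates them. Timing data is a soft signal, since a user with a cold, a new keyboard or a phone instead of a laptop will drift from their profile, so a mismatch is better fed into a risk score that triggers a step-up challenge than used as a hard reject on its own.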
These and other cybersecurity initiatives are more necessary than ever given the spread of remote work. Employees connect to company resources from a growing number of networks, protected and unprotected, and as work hours become more flexible there is a greater chance that business devices will be shared with family members and others, expanding the opportunities for attackers to get into company systems. Companies that wish to establish or maintain a good name will continue to work with cybersecurity services partners to strengthen their reputation for safeguarding sensitive data while reducing their exposure to regulatory penalties and lawsuits.
Carl Mazzanti is president of eMazzanti Technologies in Hoboken.