Security Current, an information and collaboration company by CISOs for CISOs, has published a collection of insights from leading Chief Information Security Officers (CISOs) on the future of the password and next-generation authentication.
Ten CISOs from across industries weighed in, with most predicting that the days are numbered for the password as the sole authentication method. They see enterprises moving to augment or supplant the traditional password with advanced technologies, such as biometrics.
CISOs agree that passwords are inherently flawed because they depend on users to create and remember complex sequences of letters, numbers and characters. However, they found that users tend to take the path of least resistance, selecting sequences that are easy to remember – and often easy to crack.
“Despite industry-wide efforts to reinforce this method of authentication and the number of methods available to encrypt and store passwords, the fact that remains is that creating good passwords – and safeguarding them – is as difficult as rocket science,” said Nikk Gilbert, ConocoPhillips Director of Global Information Protection and Assurance.
Aaron’s, Inc. CISO Chris Bullock isn’t as quick to dismiss the password, and suggests it is a necessary layer in a multi-faceted authentication schema.
“Just like the locks on our front doors can’t stop a determined burglar or home invader 100% of the time, we continue to invest in door locks and alarms to protect our property,” said Bullock. “When used correctly, passwords can still be an effective layer of defense, yet we should continue to innovate in the area of authentication.”
Aetna CISO Jim Routh agrees that no single method of authentication by itself is sufficient, and although technologies like multi-factor authentication and smart cards have been available for years, they do not have the frictionless ease of use that is required for large-scale consumer adoption. And according to Valley Health CISO Frank Bradshaw, this is why the industry is moving towards a “who you are” not “what you have” approach.
They noted that next-generation technology, such as biometrics and adaptive cognitive and behavioral techniques, can reduce risk and provide a relatively seamless user experience. But there is general consensus that, although the industry will continue to innovate and evolve, no method will work 100% of the time.
“Biometrics or multi-leveled, behavioral-based techniques will improve the future of authentication,” said Molson Coors CISO Christine Vanderpool. “But managing appropriate levels of access is also critical to data protection because at the end of the day, the bad actors will continue to find ways to steal the information you are protecting if they want it badly enough.”
Participating CISOs include:
Frank Bradshaw, CISO, Valley Health System
Chris Bullock, CISO, Aaron’s, Inc.
Jonathan Chow, CISO, Live Nation Entertainment
Michael Dent, CISO, Fairfax County Government
Nikk Gilbert, Director of Global Information Protection and Assurance, ConocoPhillips
John Masserini, CSO, MIAX Options
Pritesh Parekh, VP and CSO, Zuora
Jim Routh, CSO, Aetna
Hussein Syed, CISO, Barnabas Health
Christine Vanderpool, CISO, Molson Coors
Security Current improves the way security, privacy and risk executives collaborate to protect their organizations and their information. Its CISO-driven proprietary content and events provide insight, actionable advice and analysis, giving executives the latest information to make knowledgeable decisions.