The beginning of the end for passwords

One of my favorite IT battle-scar stories comes from a Fortune 500 company, which forced employees to abandon their most popular password. Which was, of course, “password.”

After some grumbling, many employees changed their passwords to “password123.” Soon after blocking that, IT managers found they needed to block “password1234.” And then “password12345.”

And then things got ugly. The new most-popular password? “f#!kIT.” And then, “f#!kIT123.” The special characters are not there to make the passwords harder for hackers to decipher. I inserted them. Let’s just leave it at that.

Passwords, as any CIO will tell you, are the bane of their existence – and have been for more than a decade, ever since it became easier for thieves to break into computers over the internet than to literally lay their hands on our systems. According to Verizon’s annual Data Breach Investigations Report, 81 percent of data breaches now leverage weak or stolen passwords. Only eight percent involved physical interaction with hardware.

Proper password hygiene, of course, demands long, hard-to-guess passwords that are changed often. As the password cat-and-mouse game makes abundantly clear, employees want the opposite: quick and easy access, with simple passwords that never change.

Employees by and large have been winning. And so, as a result, have cyberthieves. Because if employees have easy-to-guess credentials, hackers don’t even need to phish to gain access.

After more than a decade of fighting a losing battle with employees to safeguard corporate data with secure passwords, IT may finally be on the cusp of brokering a truce – and making the enterprise more secure – by eliminating passwords altogether.

The latest piece of the puzzle is the April 3 announcement from Intel regarding the availability of the latest version of Authenticate, which expands IT’s suite of both OS and hardware-protected authentication factors to keep logins secure – all while simplifying access for employees. In fact, IT not only has the ability now to set policies using secure fingerprint, smartphone proximity and facial recognition. Authenticate can also disable passwords altogether.

Indeed, 2018 could prove to be a watershed year in putting passwords on the endangered species list. Authenticate supports 6^th Gen, 7^th Gen and 8^th Gen Core vPro processors – which means that if IT managers are on a five-year replacement cycle, chances are good that at some point this year, the number of PCs deployed that are capable of enterprise-grade multifactor authentication with surpass those that aren’t.

I started evaluating Authenticate on the new X1 Carbon from Lenovo ahead of CES, before the 8^th Gen system was announced.

First, a word about the X1 Carbon: wow. The 8^th Gen Core system is just about the perfect convertible. It’s equal parts sleek and sturdy, with great responsiveness and battery life. As well, the uptick in performance over 7^th Gen systems was impressive. That’s to be expected, given that Intel designers made performance Job One for 8^th Gen, shifting priorities after several years of focusing on mobility.

Setting up Authenticate on the X1 Carbon wasn’t difficult. Before I did, I had to enable facial recognition, as Authenticate leverages the Windows Hello enrollment mechanism for that.  (Facial recognition is the only factor I used in Authenticate that was not hardened and protected only by the OS.) From there, I set up factors shielded by the hardware, below the OS: the integrated hardened fingerprint sensor, secure Bluetooth on my Samsung Galaxy Note 8 and the protected PIN. The PIN is entered on a digital keypad in a secure window with a scrambled layout as an added safeguard against screen scraping.

I set up my policy, also protected in hardware, to require two factors – in my case, facial recognition and smartphone presence – with fingerprint and protected PIN as alternates. And then, once I was comfortable, I went ahead and disabled password logon. Poof!

I can appreciate that that sounds as scary to some of you as it does exciting. But let me try to reassure you.

One pushback I hear is that factors like facial recognition and some fingerprint sensors today are possible to spoof. But with Authenticate, it’s not possible to spoof fingerprint authentication with software because the entire process happens in the hardware. As a result, tricking biometrics is limited to physical access – which, as we’ve discussed, is a much smaller concern for IT than cyberattacks.

Even if thieves did physically fool into the fingerprint sensor, they still wouldn’t get access – because, with multifactor authentication, the sensor is only one of multiple keys required for entry.

Perhaps the best part of multifactor authentication, though, are the prospects for employee compliance. Multifactor authentication is easy for employees to set up. And, more important to them, PC access is virtually effortless. Which means employees won’t fight IT efforts to keep enterprise assets safe.

So, IT managers can find something else to worry about beside the next round of easy-to-guess passwords. That doesn’t sound so scary, does it?