This excerpt was pulled from JumpCloud’s “Leveling the Playing Field for SMEs” eBook. The eBook itself dives into topics related to recent workplace changes and modern expectations, as well as how to deal with it all as an IT professional through technology unification, improved onboarding, centralized and secure device management, and the use of multi-factor authentication.
This excerpt is focused on the inherent vulnerabilities that passwords bring to an organization, despite their (and their employees’) attempts to stay secure. It also highlights the steps SME IT admins can take to secure an unavoidable (and, yes, still necessary) task: making passwords.
The first computer password was created in 1960 by a group led by Fernando Corbató. One year later, the first theft of a computer password was perpetrated by their colleague, Allan Scherr. (He wanted more time on the computer than they were willing to give him.) Today, stolen passwords are the number one source of data breaches. Hacker forums are full of passwords for sale. And the work-from-anywhere model has made it even worse.
Even the process of remembering and resetting passwords can cost an organization $5.2 million in lost productivity. When it comes to seamless experiences, passwords are one of the most imperfect systems that still exist today.
The real problem with passwords is that they are everywhere. We need a password to log into our devices. We need a password to log into our email. We need a password to log into our cloud services. Sometimes we even need a password to log into our vault of passwords. The list goes on. So it should come as no surprise that more than half of employees reuse their passwords across business and personal accounts, creating even more vulnerability and loss of control for IT managers.
Unfortunately, password reuse leaves organizations vulnerable to credential stuffing, where a hacker obtains a list of usernames and passwords from one breach and uses them to try breaking into other accounts. Even when passwords aren’t reused, they often tend to be weak. (It’s even worse when people reuse weak passwords!)
For example, the three most common passwords in a massive LinkedIn password leak were “123456,” “linkedin,” and “password.”[16] Shocking, but true. Weak passwords leave organizations vulnerable to password spray attacks, where attackers automate the process of trying to log in with these common passwords.
But even if employees do their best, organizations are still vulnerable to social engineering, brute force attacks, and other advanced techniques. Two-thirds of users (even IT admins) admit they share passwords.[17] These shared accounts lack individual ownership and accountability, which opens the door for insider attacks. That could seriously disrupt business when it comes to accessing privileged cloud infrastructure or Linux environments.
So it’s easy to see why IT admins and employees are suffering from password fatigue. They’re wasting an average of 10.9 hours per year entering and resetting their passwords.[18] Employees may forget their passwords, or compliance policies may require them to be changed every 60-90 days.[19] When employees are used to many of their favorite personal apps and social media sites keeping them logged in indefinitely, dealing with passwords all the time at work seems pretty antiquated by comparison.
Despite passwords being hard to remember, they’re easy to steal — which means oftentimes they end up doing more good for hackers than the people they’re meant to protect. From Bill Gates to Allan Scherr, the industry has been predicting the death of passwords for 20 years. When passwords are the only way to authenticate a user, organizations are leaving themselves vulnerable to attack. Fortunately, we’re starting to wake up from this horrific dream state and beginning to embrace a new paradigm — passwordless security.
Reducing Reliance on the Password: Single Sign-On and Multi-Factor Authentication
As passwords decline in effectiveness, organizations are turning to alternative methods to bolster the password’s security — or even eliminate the password altogether in favor of something more secure. Multi-factor authentication (MFA), single sign-on (SSO), and passwordless authentication hardware are top avenues to heightening security by eliminating reliance on the password.
The Center for Internet Security recommends MFA as its first choice for secure authentication. Instead of relying on the strength of a password and an employee’s ability to remember it, MFA requires secondary factors, such as authentication keys or SMS messages.
Adding a second factor creates a major roadblock for hackers and significantly reduces the chances of unauthorized access. MFA can be an easy and cost-effective solution to protect against the repercussions of password fatigue. And it can be as seamless as a push notification, just like an employee is used to receiving from their favorite apps. It reduces friction with user-friendly, but secure, technology.
Conditional access policies can further strengthen and streamline this process by evaluating the location of the user, their device, the security of their network, and their device health to determine whether to require MFA. A user trying to access their email from a trusted device on the corporate network could be allowed to bypass the MFA requirement, but a user trying to access privileged accounts from an unknown device in another country should be challenged with MFA. In this way, IT admins can easily maintain security while their employees remain happily productive.
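The policy logic described above, as an added illustration that is not code from the eBook or from JumpCloud's product: a small evaluator that takes the signals named in the text (trusted device, corporate network, device health, location, whether the target is a privileged resource) and decides whether a sign-in can skip MFA or must be challenged. The `SignIn` fields, the resource names and the sample events are all constructed for this example.

```python
"""Constructed conditional access evaluator: decide per sign-in whether to require MFA."""
from dataclasses import dataclass

@dataclass(frozen=True)
class SignIn:
    user: str
    resource: str           # hypothetical resource name, e.g. "email"
    device_trusted: bool    # device is enrolled and managed by the directory
    device_healthy: bool    # disk encryption, patch level, etc. all pass
    network_corporate: bool # request originates from the corporate network
    country: str            # country the request comes from
    home_country: str       # country the user normally works from

# Hypothetical set of privileged resources (cloud infrastructure, Linux admin).
PRIVILEGED = {"privileged-cloud", "linux-admin"}

def decide(s: SignIn) -> str:
    """Return "allow" (skip MFA) or "mfa" (challenge) for one sign-in attempt."""
    # Privileged access is always challenged, whatever the other signals say.
    if s.resource in PRIVILEGED:
        return "mfa"
    # A device that fails its health check never gets the bypass.
    if not s.device_healthy:
        return "mfa"
    # The low-risk case from the text: trusted device, corporate network,
    # and the user is where they usually work. Only then skip MFA.
    if s.device_trusted and s.network_corporate and s.country == s.home_country:
        return "allow"
    # Everything else (unknown device, off-network, unexpected country) is challenged.
    return "mfa"

def evaluate(events: list[SignIn]) -> dict[str, str]:
    """Decide every event; keyed by user@resource so results are easy to inspect."""
    return {f"{e.user}@{e.resource}": decide(e) for e in events}

# Constructed sample sign-ins mirroring the two scenarios in the text.
SAMPLE = [
    SignIn("alice", "email", True, True, True, "US", "US"),
    SignIn("alice", "privileged-cloud", False, True, False, "FR", "US"),
    SignIn("bob", "email", True, False, True, "US", "US"),
    SignIn("bob", "email", True, True, False, "US", "US"),
]

if __name__ == "__main__":
    for key, verdict in evaluate(SAMPLE).items():
        print(f"{key}: {verdict}")
```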
SSO further reduces an organization’s reliance on passwords by only requiring them once per session. Organizations can eliminate password fatigue with SSO by consolidating dozens of passwords into a single secure identity. JumpCloud True Single Sign-On™ (True SSO), for example, securely authorizes users to virtually all the resources they need to do their work — regardless of platform, protocol, provider, or location — with one set of credentials. No more complexity, no more remembering, no more resets.
And fewer passwords means less work for IT teams, too. When Schernecker Property Services (SPS) started using JumpCloud’s SSO, it immediately noticed the time-saving benefits in addition to the security boost.
“One of the biggest results has been the reduction in help desk calls for password resets. People only have to remember one password now for everything,” said David Garrity, senior technology manager at SPS. “Before JumpCloud, we weren’t enabling multi-factor authentication, because people would have several multi-factor applications, connections to manage independently. People also weren’t always taking good care of their passwords as there were so many different passwords to manage. Adopting JumpCloud allowed us to conform with industry standards for password management,” he said. “JumpCloud was a huge step forward in getting our security in place.”
To take things one step further, the Fast IDentity Online (FIDO) Alliance has paved a path to a passwordless future by developing the principles and protocols needed to get there. As users grow accustomed to abandoning their passwords for personal services, they will come to expect the same from their business services as well. In fact, more than half of employees would prefer passwordless logins.
FIDO2 uses authentication hardware, such as a security key or a biometric scanner, to authenticate users with the press of a button. FIDO2 can be enhanced with seamless MFA solutions, such as a push notification, to facilitate a secure passwordless login. Pragmatically, reducing an organization’s reliance on the password requires a unified platform to manage IAM, MFA, and SSO to keep friction low and security high.
JumpCloud can power secure authentication from a centralized identity directory by supporting FIDO2 logins to its User Portal, offering a push notification MFA app, interfacing with third-party authenticator apps, enabling conditional access policies, and more.