Why are passwords going away?
Passwords have been a necessary component of internet (and computer) security for as long as most of us can remember. The challenge is that a password is only as good as what you set it to be, and many people (even in upper management) tend to choose simple, easy-to-break values for their passwords.
Put simply: Passwords are going away because they are becoming increasingly less useful at stopping an attack.
The reason for this change is that all employees are being asked to reset passwords more frequently, and those passwords are required to be more and more complex. Passwords are a means to an end, and this, in turn, has created a situation where many (if not most) employees choose passwords which are simple and easy to remember, or store them in unsecured devices or programs (like “Notes” on their phone).
The result? Hackers are having an easier time than ever before hacking networks and computer systems (just like yours).
What are passwords being replaced with? Why is it better?
Since passwords are becoming less useful, they are being replaced by better means of allowing employees to log in to secure systems. One of the most popular replacements for traditional ‘passwords’ is known as Multi-Authentication passwords (more commonly called multi-factor authentication, or MFA).
What are Multi-authentication passwords?
The new style of authentication utilizes another secure device or technology to validate your login. Examples include using a secure mobile phone which has an “authenticator app” or receives a text message. There are also USB security keys that an employee has to carry around with them.
Let’s explore a few examples of password authenticators
Device based password authentication:
- SMS text: The most popular style would be a special one-time text message code. You are prompted to type in a code that you were just sent, and this allows you into the system. This method can be very secure… but it is possible to ‘spoof’ cell phone numbers, so depending on the importance of security, this is sometimes avoided in favor of physical security keys or authenticator apps.
- Mobile Device Authenticator Apps: On a mobile device, typically provided by the workplace, an app can be used to give you a rotating code to type in. There are many authenticator apps available for free (from Microsoft or Google, for example).
- Security Keys: A USB security key is inserted into a computer or mobile device to authenticate the MFA code.
Frequently, an additional confirmation, or even a question, might be requested for an additional level of security. Examples include:
- Last Sign In location: You will be asked your last sign-in location.
- Phone Call: A secure code is spoken to you via a phone call.
- Secondary email address: An authentication email is sent to an alternate email address.
- Question & answer prompts: This has been used for a long time: you’ll be asked a series of questions, or shown pictures, from which you must choose the correct one.
Here is why Multi-authenticated passwords are better
Multi-Authentication passwords are much better at stopping and deterring people from installing malicious software. The more hurdles there are to access your systems, the more energy and resources the hackers must use to get in. By using these styles of passwords, you can ensure your business is secure.
Most important is to keep passwords as simple as possible for those who need to use them. We cannot punish employees for trying to keep things simple; we need to give them the right tools AND the right instruction on how to do things properly.
Who is using Multi-Authenticated passwords?
Many big companies, including Microsoft, Apple and Google, are starting to move towards multi-authentication passwords; in fact, Microsoft aims to have 100% of its staff on multi-authentication.
When should I look at switching to this?
You should look at using this method of security sooner rather than later. As passwords lose their effectiveness, you will eventually need to upgrade your security. Better to start that process now, rather than later. Security risks are not going to go away, and in the IT business we always say: “There are two types of people out there. Those who have suffered a security intrusion, and those who are yet to suffer one.”
Britec is here to help.
If you want to have a conversation and discover how to improve security in your system using multi-authentication passwords, please contact us. We’re a Calgary-based IT and Accounting Software company that has been serving Canadian and Calgary businesses since 1988 (we have 33 years of experience backing you up).