<div>The traditional practice of ‘setting passwords that are easily remembered’ is being challenged these days. When employees set predictable passwords, those passwords are exposed to brute-force attacks, keyloggers, social-engineering cons, and outright theft from a breached database. <br /><br />Passwords are only as effective as the security of the organisation storing them. Incidents of password breaches indicate that most internet users do not use strong passwords. <br /><br />Most find long combinations of numbers, letters and symbols hard to remember, and “password” is often the most common password among those stolen. Even where a security-aware employee chooses the longest, most cryptic password possible, an attacker who steals it from the organisation in a data breach makes the whole exercise futile. <br /><br />According to the November 2012 Symantec Intelligence Report, security breaches in which user information becomes publicly exposed or stolen are a serious issue for an organisation. The exposure of customer data such as a password can lead to a loss of confidence in the organisation by its users. Even worse, the organisation could find itself in violation of data privacy laws or on the receiving end of a lawsuit by its users. Moreover, in the workplace, users are likely to reuse the same password to access any number of personal and business resources. In fact, businesses can lose millions of dollars if just one employee’s account is compromised, leading to the loss of sensitive corporate data.<br /><br /><strong>Strong Authentication Is The Key To Keep Employee Data Secure <br /></strong>Strong authentication is key to keeping employee accounts and information secure. Strong authentication practices have been around for some years now; security tokens that generate one-time passwords on a small, portable device are a case in point. 
In such cases, even if a malicious user gains access to a machine, the risk of information theft is relatively lower. But with the advent of mobile workforces and remote workplaces, organisations are finding it tough to manage a token for each employee.<br /><br /><strong>Other Authentication Alternatives</strong><br /><strong>Knowledge-based systems:</strong> One of the most commonly used strong authentication alternatives is the knowledge-based system, which banks use widely. In addition to the password, the user is asked a question based on prior knowledge. While this is better than a password alone, it has some clear shortcomings. One of the biggest is related to the growth of social media. Large amounts of personal data are available on social networking platforms, making it easy for a social-engineering attacker to guess the answer to a question such as the name of one’s pet. This limits the value of knowledge-based authentication. <br /><br /><strong>Risk-based authentication: </strong>The risk-based method analyses user behaviour to determine how much security to apply in the current situation. For example, it analyses the user’s location and the device being used to attempt the login. When the login comes from the user’s workstation on office premises and the user is accessing relatively insignificant information, this is considered a “low-risk” situation and little or no additional security is required. But if the user is requesting access from an unknown device, from an IP address in another country, or to financials or intellectual property, that raises red flags, depending on the parameters enabled in the system. 
The user can then be required to perform additional authentication measures, beyond entering a password, before being granted access.<br /><br /><strong>Public Key Infrastructure (PKI)</strong>: PKI refers to the technology, infrastructure, and practices that support the implementation and operation of a certificate-based public key cryptographic system. The system uses a pair of mathematically related keys, called a private key and a public key, to encrypt and decrypt confidential information and to generate and verify digital signatures. (Digital signatures are used to sign transactions or to authenticate users or machines prior to granting access to resources.) The main function of PKI is to distribute public keys accurately and reliably to the users and applications that need them. The process employs digital certificates, which are issued to users or applications by an enterprise certificate authority.<br /><br />Apart from these methods, a few other promising methods of strong authentication are on the horizon and making their way into the real world. “Somewhat continuous” authentication looks at behaviour not only at login but throughout the session itself, to make sure the same person remains in control; this is useful where highly sensitive information is at stake, as in the world of espionage. 
Other biometric-based methods are also in development to further verify user identity.</div><div>Some of the methods organisations can use to address the problem of passwords:</div><ul><li>Educate employees on information protection policies and procedures, then hold them accountable</li><li>Implement two-factor authentication</li><li>Integrate information protection practices into business processes</li><li>Assess risks by identifying and classifying confidential information</li><li>Deploy data loss prevention technologies that enable policy compliance and enforcement</li><li>Implement an integrated security solution that includes reputation-based security, proactive threat protection, firewall and intrusion prevention in order to keep malware off endpoints</li><li>Establish an automated policy compliance solution to detect and remediate areas of non-compliance immediately</li><li>Proactively encrypt laptops to minimise the consequences of a lost device</li></ul><div><br /><strong>Conclusion</strong><br />Simple password protection may soon be history. Moving to a world where alternative authentication systems are the norm won’t happen overnight. For the time being, attackers are likely to attempt entering networks with legitimate, albeit compromised, access credentials. Businesses cannot afford to take chances and must soon evaluate the authentication method that will work best for them. <br /><br /><em>(Prakashkumar is Senior Director, Development, Symantec)</em></div>
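The risk-based step-up decision described in the Risk-based authentication section above, as an added example that is not part of the original article and not Symantec code; the device registry, home-country table, sensitive-resource list, signal weights and threshold are constructed, hypothetical values standing in for what a real deployment would read from its own inventories:

```python
"""Risk-based step-up authentication: added illustration, not Symantec code."""
from dataclasses import dataclass, field

# Constructed, hypothetical reference data. A real deployment would read these
# from a device registry, HR records and a data-classification inventory.
KNOWN_DEVICES = {"alice": {"ws-0042", "laptop-0198"}}
HOME_COUNTRY = {"alice": "IN"}
SENSITIVE_RESOURCES = {"financials", "intellectual-property"}

# Tunable parameters, i.e. "the parameters enabled in the system".
WEIGHTS = {"unknown_device": 3, "foreign_ip": 3, "sensitive_resource": 4}
STEP_UP_THRESHOLD = 3  # at or above this score a second factor is required


@dataclass
class LoginContext:
    user: str
    device_id: str    # identifier of the device attempting the login
    ip_country: str   # country resolved from the source IP address
    resource: str     # what the user is trying to reach


@dataclass
class Decision:
    action: str       # "allow" (password alone suffices) or "step_up"
    score: int
    reasons: list = field(default_factory=list)


def risk_score(ctx: LoginContext) -> tuple:
    """Sum the matched risk signals; every matched signal becomes a reason."""
    score, reasons = 0, []
    if ctx.device_id not in KNOWN_DEVICES.get(ctx.user, set()):
        score += WEIGHTS["unknown_device"]
        reasons.append("unknown device")
    if ctx.ip_country != HOME_COUNTRY.get(ctx.user):
        score += WEIGHTS["foreign_ip"]
        reasons.append("source IP in " + ctx.ip_country)
    if ctx.resource in SENSITIVE_RESOURCES:
        score += WEIGHTS["sensitive_resource"]
        reasons.append("sensitive resource " + ctx.resource)
    return score, reasons


def decide(ctx: LoginContext) -> Decision:
    """Low-risk logins pass on the password; anything else is stepped up."""
    score, reasons = risk_score(ctx)
    action = "step_up" if score >= STEP_UP_THRESHOLD else "allow"
    return Decision(action, score, reasons)
```

The reasons list is what an audit log should record alongside the decision, so that a step-up prompt can later be traced to the signals that triggered it.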