It's popular opinion that a strong password in combination with two-factor authentication and a password manager is a winning combination. Do you agree?
Yes, but regretfully it is a solution that in most cases requires at least some technical knowledge, as well as increased cost for both service provider and user. Not to forget that it also increases complexity and the risk of design errors, flaws and vulnerabilities that can be exploited.
I really do not believe technology to be the perfect replacement for human weaknesses in most cases, and I still recommend writing down most of your passwords on a piece of paper that you keep at home. It is definitely hard to get remote access to, compared to any electronic password manager available out there.
How can organizations make employees choose security over convenience?
By making security more user friendly. To me that doesn't have to be a contradiction. Security must support the business strategy of the organization, not fight against it. Ask yourself the following question: "Would you accept increasing the minimum length of your password to 12 characters, if you were allowed to change your password only once every 13 months?"
Lowering the change frequency increases our ability to learn and remember our password, and a reasonable tradeoff is to increase the minimum length. As a bonus, an organization would financially benefit from fewer "forgotten password" helpdesk inquiries and increased productivity among staff.
Planned changes to security should be subject to usability testing with affected end-users before they are eventually developed and deployed to the organization. Perhaps it is a radical thought to actually involve end-users, but without their support security will lose for sure.
Is there a viable alternative to passwords coming in the near future?
NO. There are many alternatives available, but to me they are not replacements in most cases, only ways of either simplifying or hiding passwords for the end user. At the base of most software available today, a username and password is what authenticates us. Everything else is usually implemented as an additional layer between the user and whatever application, database or operating system he or she authenticates to.
What type of technology could make them disappear while making users more secure?
Well, biometrics of course, and other types of 2-factor authentication. Current 2-factor options available for well-known services such as Facebook and Google are easy to configure for those who know how to, and don't add any additional cost or time for most users.
Through my own work, and with PasswordsCon especially, we've seen many great efforts to simplify, improve and perhaps get rid of all those pesky passwords. Still, most of us have more passwords than ever before, and that number keeps growing every year.
A simple step would be to further simplify the process of configuring 2-factor authentication across large services, and to promote Single Sign-On or password synchronization across internal systems in large organizations. After all, most organizations seem to have only one password policy, but tens, if not hundreds, of different implementations of it. That doesn't really appear user friendly or in line with business strategies of streamlined processes, does it?