Ayaaz Janmohamed and Matthew Todd manage IT operations in two very different environments, but their identity and access management challenges aren't different at all.
Both have invested plenty of time, money and energy to keep these scenarios from ever happening. And along the way, both have determined that passwords are nothing but trouble.
"The urgency of people getting information is such that people put passwords on a sticky note, or several people try to share passwords on one machine, and so accountability is tossed out," Janmohamed said. Plus many organizations allow employees to choose simplistic passwords that attackers can easily crack, and if an employee needs multiple passwords to access different applications, the problem is exacerbated.
Janmohamed and Todd are not alone. A majority of 358 IT professionals who took a SearchSecurity.com survey on identity and access management in April said passwords are obsolete and want to replace them with stronger methods that include two-factor authentication and single sign-on.
Respondents are also looking to replace traditional passwords with tools like tokens and smart cards.
By the numbers
The drumbeat against passwords has grown louder in recent months. Even Microsoft Chairman Bill Gates has called for their demise.
That mood is clearly reflected in the survey responses.
Spending on authentication alternatives is also steady or on the increase at many organizations.
Spending has declined, though, in some areas.
From passwords to PINs and tokens
Janmohamed plans to move beyond his organization's current password system toward one that relies on two-factor authentication and enterprise single sign-on.
"We hope to marry up [Microsoft] Active Directory and PKI to create a single sign-on process," he said. This way, the network won't prompt for a full username and password. Instead, he said, it will prompt each user for a PIN and token, and the token will have to be in the machine for the user to get access.
The department will use a PKI server from Addison, Texas-based security firm Entrust Inc. for authentication.
Itching to federate
For Financial Engines, stronger authentication is also necessary for the company's plans to share applications with business partners through federated ID management, Todd said.
More than 40% of survey respondents said giving partners and suppliers access to their systems would enable a more efficient supply chain process. But for this to work, Todd said, companies must have total confidence that their partners are using ironclad authentication methods. In this regard, most organizations no longer trust the password system people have been using for the last 20-plus years.
For that reason, among others, federated ID management's push toward the mainstream has been slow.
"It's a huge challenge," Todd said. "We have data for millions of people that is sensitive. We are dealing with vast companies not used to smaller companies like us. So it's a bit of a battle getting the bigger guys to federate with a smaller company. We're a tugboat trying to steer the aircraft carrier in another direction."
Cultural change inevitable
While federated ID is a long-term goal, Todd outlined steps the company is already taking to strengthen authentication, which include rolling out SecurID from Bedford, Mass.-based RSA Security Inc. That may be key to getting rid of traditional passwords in the future. But there will probably be some hiccups early on.
"If we replaced the Windows password with a SecurID PIN code, cultural challenges would be involved," he said. "It would be much stronger than passwords but there would of course be some resistance to change."
While some might resist when change ultimately arrives, Todd said, eventually everyone would adjust to life without passwords. To get there, though, department heads must be on the same page.
"Anything you do with access control, it's all about mitigating risks to the business, so when I implement sweeping change, team leaders are involved," Todd said. "There may be early grumbles, but eventually everyone adjusts."
Stronger authentication no longer a choice
A move beyond traditional passwords isn't really a choice for companies anymore, especially those doing business online. In fact, financial firms are being required to have two-factor authentication by the Federal Financial Institutions Examination Council (FFIEC).
For that reason, two-factor authentication with a single sign-on capability is priority one for Keith Gosselin, IT officer for Biddeford Savings Bank in Biddeford, Maine. It's a change he's not complaining about.
"Passwords are simply not enough anymore," he said.