Since the early days of computing, users have entered passwords to prove their identities. Today, as computers have progressed to something in everyone's pocket, password management is changing. No longer is having memorized an over-long string of numbers and letters the hallmark of a sophisticated user. Instead, authentication at the cutting edge now relies on multiple factors, with just one of them being a password. Okta is continuing to invest in these new factors to make the end user experience better and more secure, but the starting point is still stronger password management.
The problems with passwords
Imagine a user who has to memorize a lengthy password for a work application like Box and who reuses it for their personal social media profile. After all, people only want to memorize so much. But if the social media website is breached, and poorly stored credentials spill out onto the web, the individual's work app is now in jeopardy as well.
Good security practice teaches users not to reuse the same password for work and for personal life. Many try to keep multiple passwords, but this approach isn’t free of problems. Users may try to boost recall by choosing passwords that are too weak, and many fail to periodically update their passwords for better security. Moreover, a secure password is often easy to forget, which means users constantly require assistance from the helpdesk to reset it. This eats up valuable time and resources from IT personnel and leads to lost productivity while the user waits to regain access.
Working toward better password management
To avoid the problems with passwords, organizations need to make good password management mandatory. This comprises several things. First is setting policies for users’ password strength and expiration. Okta can set robust policies around password complexity and shelf life to ensure users choose secure letter and number combinations and change them frequently. Next is increased automation. Okta syncs passwords between user directories and downstream apps, so when you change the password at the directory level, that change is propagated to all other apps that use those credentials. IT no longer needs to manually update those credentials. Finally, perhaps counterintuitively, better password management means giving more power to end users through self-service password changes. Enabling self-service password resets and changes reduces the burden on IT admins and, when done properly, doesn’t compromise security, while creating a better user experience for the employee.
One simple way to improve your password strategy is to use fewer of them. We’re not saying you should reuse passwords—quite the opposite. Instead, use single sign-on (SSO) to give your team secure access to all the apps they need, just by signing in once.
Consider our work with Funding Circle, for example. After deploying Okta’s Single Sign-On solution, the financial platform experienced an 80% deflection rate from the IT helpdesk. The conclusion is clear: organizations need to get beyond the legacy password hassles.
Go beyond passwords with multi-factor authentication
The next logical step is to set up adaptive multi-factor authentication. That way, a user’s password is not the only key to entry—you can verify their identity with a variety of other factors as well. Traditional password management uses single factor authentication: users gain entry to the system with just one code. Multi-factor authentication requires users to present other factors as well, such as an SMS code sent to their phone or an email. These are factors most people are familiar with, but the future holds far more options in store.
Consider biometric factors such as fingerprints. Fingerprint readers recognize the unique patterns of a user's fingerprint and are becoming a more common authentication factor today. Apple’s TouchID technology on the iPhone is the most widely known, but other devices, including Android phones and some laptops and tablets, have incorporated fingerprint scanning into their hardware as well.
Other innovations include authentication by voiceprint or by location. Voice recognition has come a long way in the past few years, and today’s voice recognition software can distinguish between live speech and a recording. Barclays Wealth has even deployed voice recognition as a primary means of authenticating individuals. Location-based authentication is another technique: GPS and other means can verify that a user is within a safe location, such as an office, and use that as a factor in authentication. Factors like these mean that password management as we know it will continue to evolve.
The next steps in password management evolution
Think of better password management, single sign-on, and multi-factor authentication as the first steps towards a future where the typical headaches of password management are long gone. By setting requirements for better passwords, making user access easy with SSO, and improving security with adaptive multi-factor authentication, organizations can move beyond the hassles of password resets towards more effective, and innovative, password management.