Let’s talk about Kanye.
You might remember that he was featured on international news when he entered his phone password on live TV. But the part that earned him national mockery was the password itself: 000000.
It’s easy to laugh at the example he set, but, unfortunately, his attitude towards security is similar to many people today. And when your employees are using poor password practices, it can put you, your team, and your customers at risk.
Navigating the desired path
People tend to go where they want to––and if a path isn’t built, they will forge ‘desired paths’ to get there. This also happens in enterprise IT, where users often use shortcuts that might compromise security, like Kanye did. While these desired paths might be annoying to your IT team, they’re actually indicative of problems in the user experience and uncover valuable information about what users want—such as easy access to their apps and devices.
By embracing these desired paths, you can create security and compliance models that understand the end user, and thus, drive adoption. Whether that means a simple change like lengthening a login session time from 4 hours to 8 hours or investing in solutions that make your applications faster and easier to use, it’ll be worth it.
As one example, HackerOne has embraced desired paths by implementing a single sign-on “SSO or No Go” strategy by keeping everyone at just two passwords: one for their laptop and one for app access. They have also implemented multi-factor authentication (MFA), driving ease of use by enabling push-based authentication, rather than SMS messages or OTPs.
Security and user experience can go hand-in-hand
As an example, to help make security easy for their users, Okta uses NIST best practices and FedRAMP requirements for end-user security controls, including password strength/complexity. In addition, Okta requires employees to use MFA every time they log in from any location, through Okta Verify with Push or Yubikey. But how do you do all of this without pushing end-users past their Security Friction Threshold?
One solution is to emphasize password length over complexity. To make a complex password, users often take a base word and swap out letters for symbols which is hard for humans to remember, but ironically easy for computers to break.
Password-cracking programs can easily try different combinations for an 11 character password like Tr0ub4dor&3; it barely slows them down. Taking multiple common words and linking them together, however, becomes exponentially harder to crack by virtue of having more characters.
An even better solution? Take away the need to remember handfuls of passwords with single sign-on (SSO). In addition to reducing how many passwords people have to deal with, SSO also makes for easy password sharing—without having a spreadsheet on a non-secured server or a sticky note on your monitor. Taking things a step further, MFA protects against password theft, and avoiding SMS and manually entered TOTP (time-based one-time passcodes) closes off possible security vulnerability points.
Keeping your end-users happy and security at an all-time high — so that no Kanye’s can ruin it for everyone else — is as simple as that! This post is based on a breakout session at Okta’s annual user conference, Oktane19, by Aaron Zander, Head of IT at HackerOne. Check out videos of more of Oktane19 sessions here.