The death of the password is greatly exaggerated. In fact, despite fears that passwords aren’t secure enough and the appearance of alternative methods of authentication such as fingerprint scanners, tokens and smartcards, we are using them more than ever.
According to IDC, in a 10,000-user organisation the average employee will have 14 different corporate passwords to remember; and with more devices and applications being added to the enterprise and the growing popularity of cloud computing, this number is only likely to increase.
Not only do we have more passwords to remember, they are getting more complicated. With growing threats to corporate data from sophisticated attacks and the fear that weak passwords can be compromised, organisations are setting increasingly strong security policies. They may mandate that users cannot use easily discovered words such as pet names or favourite football clubs.
Requiring stronger passwords of at least eight characters, with upper and lower case and at least one number, is a typical rule, but of course this makes them much harder to recall. And when you add the fact that passwords often have to be changed on a regular basis as part of the company policy, it’s no surprise that forgotten passwords and scheduled password changes can account for up to 25% of a helpdesk’s activity.
Without a doubt, password resets put a strain on IT helpdesk resources, costing between £20 and £40 every time. This can amount to thousands of pounds a year and, at a time when IT budgets are more stretched than ever before, it’s an area that organisations must address.
It’s not just the strain on IT that needs to be considered. Calling the helpdesk to reset a forgotten password takes time and means users are unproductive while they are locked out. And what happens out of office hours? With an increasingly flexible and mobile workforce it is commonplace for people to be working hours outside the traditional 9-5, or they may simply be in a different time zone. In many cases these users will lose valuable time while they wait until the helpdesk opens.
Anything that can help automate and speed up the password reset process, without compromising security, will cut IT costs and avoid downtime when employees can’t access systems and resources. Web-based self-service solutions exist that enable users to reset their passwords online and certainly these can help. Typically, these automated solutions will use a registered email address or known information such as mother’s maiden name to initiate the process.
But it’s not hard to see why these are flawed. Most questions asked are relatively simple for a third party to discover; and in fact sometimes easier than guessing a weak password in the first place. Once a password is reset by a third party, the damage is done.
One way round this is to make the questions harder; but then you are faced with the likelihood that the legitimate user will not remember the answers. An example of this is ‘memorable place’ – unless the user is disciplined in password management, months down the line they may not remember if it was a favourite holiday destination, home town or where they walk the dogs on a Sunday.
This is one of password security’s biggest problems. The more secure you make a system the more difficult it is to gain legitimate access. Getting the balance right is difficult and all too often results in a relaxing of security policy.
Another major problem with web-based solutions is that they require web access. It may well be that the user is locked out of their PC or laptop altogether. And even if they can access the web, the reset may require validation through an email to complete the process. It is also important to remember that accessing the web from an internet café, for example, or ‘borrowing’ a colleague’s PC login could in itself create a security hole with no audit trail.
In an attempt to find another way, a new generation of password reset solutions has emerged that attempts to overcome the problems with simple web-based solutions, while also ensuring that password resets are automated, quick and easy and don’t compromise either security or productivity.
With new self-service solutions, such as HTK’s hosted password reset service, users simply call an IVR (Interactive Voice Response) service and are taken through a set of pre-defined steps for identification and verification. This enables multi-factor security to be defined and set up without the need for users to remember complicated Q&As or carry a dedicated security token.
Organisations simply choose from a range of authentication options, depending on the level of security required, including recognition of the registered phone number, the keyed entry of digits, biometric speaker verification using a pre-enrolled pass-phrase, and even a ‘challenge-question and response’ using SMS text messaging.
This gives organisations the flexibility to tailor authentication options to specific user-groups and, depending on the level of access required and the sensitivity of the data, to provide an optimal blend of security and convenience.
The use of voice recognition is made possible by recent advances in IVR-based biometric technology that can achieve an ‘equal-error rate’ of just 3%. But these systems can also be configured to ask for additional information – such as a numeric PIN – if the confidence level is below a defined threshold.
SMS and email notifications can also be configured to let users know that their password has been reset, or to alert a system administrator when a reset has been attempted but blocked. Having this ability to deliver a range of real-time notifications adds a further layer of security and confidence.
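The decision logic sketched in the preceding paragraphs (registered-number check, a speaker-verification score compared against a threshold, a PIN step-up when confidence is low, an SMS to the user on success and an administrator alert when an attempt is blocked) can be written down as a small policy evaluator. The following is an added illustration in Python, not HTK’s product code; the score thresholds, the directory records and the notification strings are constructed for the example, and the speaker-verification score is assumed to arrive already computed by the IVR platform.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"      # reset proceeds and the user is told by SMS
    STEP_UP = "step_up"  # confidence too low: the IVR prompts for the numeric PIN
    BLOCK = "block"      # attempt refused and an administrator is alerted


@dataclass(frozen=True)
class ResetPolicy:
    # Assumed operating points. A speaker-verification score at or above
    # voice_threshold is accepted outright; below voice_floor the call is
    # blocked; in between the caller is asked for a PIN as a second factor.
    voice_threshold: float = 0.90
    voice_floor: float = 0.50
    require_registered_number: bool = True


@dataclass(frozen=True)
class ResetAttempt:
    user: str
    caller_number: str
    voice_score: Optional[float]       # None when the caller has no enrolled pass-phrase
    pin_entered: Optional[str] = None  # keyed digits, present only on the step-up pass


def pin_hash(pin: str, salt: str) -> str:
    """PINs are stored salted and hashed, never in the clear."""
    return hashlib.sha256((salt + pin).encode()).hexdigest()


# Constructed enrolment records standing in for the corporate directory lookup.
DIRECTORY = {
    "alice": {"phone": "+441234567890", "salt": "s1", "pin_hash": pin_hash("4821", "s1")},
}


def evaluate(attempt: ResetAttempt, policy: ResetPolicy = ResetPolicy(), directory=DIRECTORY):
    """Return (Decision, list of notifications) for one IVR reset attempt."""
    record = directory.get(attempt.user)
    if record is None:
        return Decision.BLOCK, [f"admin: reset attempted for unknown user {attempt.user}"]

    # Factor 1: the call must come from the registered number.
    if policy.require_registered_number and attempt.caller_number != record["phone"]:
        return Decision.BLOCK, [
            f"admin: reset for {attempt.user} blocked, unregistered caller {attempt.caller_number}"
        ]

    # Factor 2: biometric speaker verification against the enrolled pass-phrase.
    score = attempt.voice_score
    if score is None or score < policy.voice_floor:
        return Decision.BLOCK, [f"admin: reset for {attempt.user} blocked, speaker verification failed"]

    if score >= policy.voice_threshold:
        return Decision.ALLOW, [f"sms {record['phone']}: your password has been reset"]

    # Grey zone: confidence is below threshold but above the floor, so ask for the PIN.
    if attempt.pin_entered is None:
        return Decision.STEP_UP, []

    # Constant-time comparison of the keyed PIN against the stored hash.
    if hmac.compare_digest(pin_hash(attempt.pin_entered, record["salt"]), record["pin_hash"]):
        return Decision.ALLOW, [f"sms {record['phone']}: your password has been reset"]
    return Decision.BLOCK, [
        f"admin: reset for {attempt.user} blocked, wrong PIN after low-confidence voice match"
    ]


if __name__ == "__main__":
    first_pass = ResetAttempt("alice", "+441234567890", voice_score=0.72)
    print(evaluate(first_pass))  # step-up: the IVR asks for the PIN
    second_pass = ResetAttempt("alice", "+441234567890", voice_score=0.72, pin_entered="4821")
    print(evaluate(second_pass))  # allow, with the SMS notification
```

The two thresholds are where the equal-error rate quoted above turns into policy: raising `voice_threshold` pushes more genuine callers into the PIN step-up, lowering it lets more impostors through on voice alone, and every blocked path emits the administrator alert so that repeated failures are visible rather than silent.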
Any biometric password reset solution should be integrated with corporate directories such as Microsoft Active Directory, LDAP and other password systems and be certified with the ISO27001 international standard for information security management.
Getting the balance right between ensuring passwords can be easily reset at any time, in any place, while also ensuring that security policy is not relaxed, no longer has to mean a compromise or a time-consuming and expensive 24/7 helpdesk. By implementing an IVR-based service the problems are solved, not only cutting the time and cost of dealing with password resets, but ensuring that users always have a fast and convenient way to secure access to their corporate networks.