CISOs say advanced authentication methods must be used with traditional passwords
A group of leading Chief Information Security Officers (CISOs) say that the days are numbered for the password as the sole authentication method and that advanced authentication methods must be used in tandem with traditional passwords, according to a recent report by Security Current.
Security Current is an information and collaboration company by CISOs producing proprietary content and events for CISOs.
Ten CISOs from across various industries weighed in on the topic, with most seeing enterprises moving to augment or supplement traditional passwords with advanced technologies, such as biometrics.
Participating CISOs included: Frank Bradshaw, CISO, Valley Health System; Chris Bullock, CISO, Aaron’s, Inc.; Jonathan Chow, CISO, Live Nation Entertainment; Michael Dent, CISO, Fairfax County Government; Nikk Gilbert, Director of Global Information Protection and Assurance, ConocoPhillips; John Masserini, CSO, MIAX Options; Pritesh Parekh, VP and CSO, Zuora; Jim Routh, CSO, Aetna; Hussein Syed, CISO, Barnabas Health; and Christine Vanderpool, CISO, Molson Coors.
The report says that CISOs agree that passwords are inherently flawed because they depend on users to create and remember complex sequences of letters, numbers and characters, while users tend to select sequences that are easy to remember and often easy to crack.
“Despite industry-wide efforts to reinforce this method of authentication and the number of methods available to encrypt and store passwords, the fact that remains is that creating good passwords – and safeguarding them – is as difficult as rocket science,” said Nikk Gilbert, ConocoPhillips Director of Global Information Protection and Assurance.
However, Aaron’s CISO Chris Bullock suggests passwords are a necessary layer in a multi-faceted authentication solution. “Just like the locks on our front doors can’t stop a determined burglar or home invader 100% of the time, we continue to invest in door locks and alarms to protect our property,” said Bullock. “When used correctly, passwords can still be an effective layer of defense, yet we should continue to innovate in the area of authentication.”
Next-generation technology, such as biometrics and adaptive cognitive and behavioral techniques, can reduce risk and provide a relatively seamless user experience, but there is general consensus among CISOs that, although the industry will continue to innovate and evolve, no method will work 100% of the time.
“Biometrics or multi-leveled, behavioral-based techniques will improve the future of authentication,” said Molson Coors CISO Christine Vanderpool. “But managing appropriate levels of access is also critical to data protection because at the end of the day, the bad actors will continue to find ways to steal the information you are protecting if they want it badly enough.”