Passwords no longer 'a necessary evil'
The first step for cyber security no longer has to be the password, according to a key figure at Secret Double Octopus.
Amit Rahav is VP of marketing and business development at the pioneer of password-free, keyless authentication technology, which allows users to gain access to systems through their mobiles.
Rahav says this is vital as passwords are no longer cutting the mustard. “Passwords have been a necessary evil that’s been taken for granted for many years,” he told BusinessCloud.
“They’re a source of grief for users, especially recently as they need changing more frequently, and are becoming longer and more complex.
“Yet we keep hearing about security breaches, about millions of passwords being stolen and companies getting the wrong kinds of headlines because one of their employees made a mistake and put out the wrong password.
“The entire company’s security depends on each employee’s adherence to some very complex guidelines and they don’t come naturally to anyone.”
While two-factor authentication (2FA) is being touted as the answer, Rahav says it’s important to take that one step further as breaches are still happening.
“For the first time, the first factor in that process is no longer a password,” he said.
“Our customers’ employees start their computer and access everything they need. They finish their day and haven’t typed in a password. They finish the year without having to change a single password but have much stronger security.
“We see it as the evolution of authentication, where the first factor is an app as your phone is always with you. It’s connected to your identity and all the systems in your company.”
Rahav says the company is aiming to have this process up and running via Bluetooth so the phone and computer will talk to each other and grant access when the employee is near without them having to touch a button.
Thanks to the nature of multi-factor authentication, however, other means of access – for example, a fingerprint – are still necessary for login, so if a phone is stolen, access won’t be granted.
“If a password is needed it’ll make a random password on my behalf and can even change that every few days,” said Rahav.
“We worked with a telecoms company which implemented a strict password policy but the technicians were forgetting their passwords to the point where one out of five a month was being locked out of their device, resulting in its complete erasure because the system assumed it was stolen.”
The company ensures employee information is not shared but stays on premise with the company, with the cloud used as a middle-man to connect the dots. Rahav believes this approach will be the norm in future.
“GDPR is a great example of putting the accountability on the company,” he said.
“In the past businesses had guidelines for putting cyber security procedures in place, now they’re accountable for breaches so they can’t just say ‘I did what I was asked’.
“Management is completely dependent on every last employee having good password security. It only takes one saying ‘I’ll just use 1234567 and fix it later’. Sure you will.”
This means businesses need to get on board with a whole different paradigm and not create any opportunities for human error.
“It’s always going to be humans allowing the breaches,” he said. “The machines are fine, they’re going to do what they’re told. The hackers are going to get in through humans making shortcuts.”