"Financial Service Technology America, today's latest financial news now..."
New Account

The Magazine

Issue 8

This is a short description of the magazine.

E-magazine
  • Previous Issues

Blog

Spencer Green
Chairman, GDS International

Sales and the 'Talent Magnet'

A lot is written about being a ‘Talent Magnet’, either as a company, or as President. It’s all good practice – listen, mentor, reward, provide clear goals and career maps. Good practice for the employer, but what about the employee?
24 May 2011

Toughening up


Many organizations are decreasing their reliance on usernames and passwords for user authentication and learning more about the benefits of deploying strong user authentication to increase the level of assurance for online identities, as part of an overall approach to securing access to information and managing risk.

Companies should select and deploy strong user authentication solutions based on their assessment of the optimal balance between security, total cost of ownership (TCO), and alignment with the end-user populations and applications being supported.

The problems with passwords

Aberdeen's research indicates that virtually all organizations surveyed (98 percent) indicate continued reliance on usernames and passwords for authenticating end users to control access to systems, networks, data, and applications. Nearly half (48 percent) of all respondents, however, have also deployed at least one stronger, non-password method of user authentication (Figure 1).

Figure 1: Current password practices

Source: Aberdeen Group, March 2008

A majority of all respondents have taken steps to strengthen the security of passwords, for example:

  • Requirements for length (71 percent), complexity (62 percent), and frequency of change (36 percent)
  • Restrictions on re-use (58 percent)
  • Exclusion of standard dictionary terms (55 percent)

All of these steps enhance the security of passwords, but at the same time they make passwords more cumbersome for end users. Passwords that are more difficult to guess are also more difficult to remember. Natural coping mechanisms include writing them down (which weakens security) and relying on calls to the help desk (which increases cost). Shockingly, nearly two-thirds of all respondents (64 percent) currently do not even require passwords to be changed. It should go without saying that none of the resulting risks, costs, and inconveniences were the formal intent of management in establishing current user authentication policies based on passwords.
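The controls listed above (length, complexity, reuse restriction, dictionary exclusion, and frequency of change) can be enforced mechanically. The following is an added example, not part of the Aberdeen report; the thresholds, the word list and the salt are constructed values, since the article reports how many organizations use each control, not what limits they set.

```python
"""Password-policy check covering the controls the survey lists: length,
complexity, reuse restriction, dictionary exclusion, and maximum age."""
import hashlib
import hmac
import re
from datetime import date, timedelta

# Constructed policy values (the article gives no specific thresholds).
MIN_LENGTH = 12
HISTORY_DEPTH = 5      # previous passwords that may not be reused
MAX_AGE_DAYS = 90      # frequency-of-change requirement
# Constructed dictionary; a real deployment would load a full word list.
DICTIONARY = {"password", "welcome", "summer", "letmein", "company"}


def history_hash(password: str, salt: bytes) -> bytes:
    """Hash used for reuse checks, so no previous password is stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_password(candidate: str, history: list, salt: bytes) -> list:
    """Return the list of violated controls (empty list means compliant).
    history: hashes of previous passwords, most recent first."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append("length")
    # Complexity: require at least three of four character classes.
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, candidate)) for c in classes) < 3:
        violations.append("complexity")
    # Dictionary exclusion: strip the usual digit/symbol padding and case
    # (e.g. "Password1!") before looking for a common word.
    core = re.sub(r"[^a-z]", "", candidate.lower())
    if any(word in core for word in DICTIONARY):
        violations.append("dictionary")
    # Reuse restriction: compare against the last HISTORY_DEPTH hashes.
    new_hash = history_hash(candidate, salt)
    if any(hmac.compare_digest(new_hash, h) for h in history[:HISTORY_DEPTH]):
        violations.append("reuse")
    return violations


def password_expired(last_changed: date, today: date) -> bool:
    """True when the credential is past the frequency-of-change limit."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)
```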

The sheer number of passwords amplifies the problem. In a typical day in the life of an average enterprise knowledge worker, she may be required to use a half-dozen passwords or more in the normal course of Windows logon, data encryption, remote access (e.g., VPN or SSL VPN), WiFi access, e-mail, web-based applications or portals, and back-office applications (e.g., HR or ERP). In addition, smaller subsets of users may use passwords to access privileged accounts (i.e., administrative functions) or to execute high-value transactions. The current research indicates that about nine out of 10 (88 percent) enterprise users have multiple work-related passwords.

The top pressures driving organizations to focus resources on evaluating and implementing stronger, non-password forms of user authentication are those Aberdeen has seen in virtually all security benchmark studies over the past year (Figure 2). Risks, regulations, internal policies, and industry best practices and standards continue to be the leading market drivers, along with "protecting the organization and its brand."

Figure 2: Leading drivers for strong user authentication initiatives by top performing organizations

Source: Aberdeen Group, March 2008

“Reduce cost” is a more recently emerging theme seen in Aberdeen’s security research, but worthy of special note as a driver for investments in assuring identities given the common (mis)perception that passwords are "free." Our November 2007 report on Security Governance and Risk Management first showed that top performing organizations have begun to develop security Governance, Risk management and Compliance (GRC) processes to more effectively allocate their finite IT resources and activities based on their business objectives and on acceptable levels of risk.

Effective strategies

Strategies based on establishing and enforcing consistent policies for user authentication correlate most highly with current investments in strong user authentication (Figure 3). In addition, the research shows that the top performers were 24 percent more likely to identify an explicit strategy to reduce the total cost of managing user authentication credentials as a driver for current investment.

With respect to selecting and implementing specific strong user authentication methods, the data reveals three distinct strategic approaches:

  • The right tool for the job. The first approach is to implement user authentication methods that are deemed most appropriate for each application and end-user population. An organization, for example, might use hardware tokens for administrative access to privileged accounts, digital certificates for employee remote access over VPN, and heuristic, risk-based scoring for online access by external customers. In this approach, management of these systems would traditionally be done independently.
  • One for all. A second approach is to strive towards a common user authentication method for all applications and end-user populations. An example of this is a US federal government agency that issues smart cards in compliance with HSPD-12, as described in the December 2007 Logical / Physical Security Convergence: Is It in the Cards? benchmark report.
  • Common platform. A third approach is to move towards a common user authentication infrastructure that can manage multiple user authentication methods. The same example can be used of a company that deploys hardware tokens, digital certificates, and heuristic, risk-based scoring for different populations and purposes. The difference in this case is that the company would strive to implement a common back-end to create and enforce policies and to manage authentication credentials more consistently over their lifecycle.

We have seen, as a consistent theme across multiple studies, a strong correlation between top performance and a deliberate shift away from tactical, siloed deployments towards a more centralized infrastructure for sustainable, "continuous," security GRC. While these capabilities are still nascent, even among the top performing companies, we clearly see them in the context of providing higher assurance for user identities through the deployment of strong user authentication.

Figure 3: Strategies driving current investments

Source: Aberdeen Group, March 2008

The common platform strategy is well-aligned with the motivation to reduce the cost of managing existing strong authentication deployments: most of the top performing organizations have currently deployed at least one strong user authentication method in addition to username / password, and almost half have deployed two or more strong authentication methods (Figure 4). Replacing existing solutions with interoperable, more cost-effective alternatives is another example of cost reduction surfaced through direct interviews.

Figure 4: Top performers have deployed strong authentication

Source: Aberdeen Group, March 2008

The research demonstrates that passwords continue to be a problem, and that a rich diversity of strong authentication alternatives will continue to be available in the market. Organizations that deploy at least one strong authentication method should make an informed choice based on their own unique balance of preferences and solution attributes. In addition, they should give deliberate thought to the strategic choice they are making, between a variety of methods each with their own back-end; versus a single method for all users; versus a variety of methods with a common back-end. Solutions providers will likely evolve into "authentication specialists" who innovate around specific methods, and "authentication platforms" which can enable common support and lifecycle management for multiple methods.

We have seen that the market presents organizations with a bountiful bouquet of alternatives for strong user authentication, each with its own unique balance of attributes. Marketing messages can sometimes take on a near-religious flavor, as specialist vendors promote the advantages of their own method or attack the disadvantages of an alternative method. The four high-level categories of TCO, fit for end-users, fit for the organization, and strategic fit provide a useful framework for comparing and contrasting one strong authentication method to another. Tradeoffs are, and will continue to be, the name of the game for their ultimate selection. The good news for buyers is that the general trend is towards continued variety, flexibility, and choice with respect to user authentication method. The "right" strong user authentication is not something to make a decision about by listening to the loudest marketing messages, but instead by finding the unique balance of solution attributes and organizational attributes that make up the selection criteria for your use case and your organization.

Independent of which user authentication method(s) are deployed, however, top performing organizations have excelled relative to their counterparts at managing user authentication credentials throughout their natural lifecycle. In some cases, this will favor a more ecumenical, platform-oriented approach. Among the four high-level categories of provisioning, user support, de-provisioning, and operations/management, research shows that the best performance overall is currently in the front-end aspects of provisioning. The biggest opportunities for improvement are currently in the areas of end-user self-service and extracting intelligence (e.g., management and reporting on credential usage) from the authentication solution. Organizations should look both to expand the deployment of strong user authentication and to improve credential lifecycle management for their unique environments.

The foundations on which the results achieved by top performers are built include consistent policies for user authentication and authorization, along with clear accountability and ownership for both policy and credential lifecycle management. Providing higher assurance for identities through strong user authentication is an important element of protecting information and managing risk. As shown in our research, those that do so are better able to realize the business benefits of better security, sustained compliance, reduced human error, reduced help desk calls, and lower total cost of management.

For more information on this or other research topics, please visit www.aberdeen.com.

About Derek Brink
Derek Brink is VP and Research Director – IT Security. Before joining Aberdeen, Brink was RSA Security's VP of Strategy and Corporate Development, and was earlier the product line director for RSA SecurID. Prior to RSA, his experience includes director of marketing at Gradient Technologies (now Entegrity); various marketing and business development positions with Transarc Corporation (a subsidiary of IBM); corporate marketing with Sun Microsystems; and a variety of technical sales and field marketing positions with Hewlett-Packard. He began his professional career as an analyst for the Central Intelligence Agency.

Derek was an active member of the five-company team that co-founded the PKI Forum, and as RSA Security's representative was a member of the PKI Forum Executive Board and subsequently the Steering Committee for the OASIS Member Section on PKI. He is co-author of the book PKI: Implementing and Managing E-Security.

About Tom Karol
Tom Karol is a Research Associate in Aberdeen's Technology Markets practice area. He has over 20 years of experience in Information Technology, initially as an IBM mainframe Systems Programmer, and subsequently as an internal consultant focusing on systems integration, strategic analysis, research, and documentation. Tom spent the major portion of his career first at Analog Devices Inc. and then at the Stop & Shop Supermarket Company. More recently, Tom worked as a Technical Writer/Editor in a Network Design context.
