For eight years, World Password Day has served the important purpose of reminding users to change and secure their passwords to protect identities, data and systems. Today, however, passwords are only one piece of a much bigger login security puzzle that includes Single Sign-On (SSO), social logins, and passwordless strategies. As a result, focusing only on passwords as the key security issue to keep in mind may be doing more harm than good.
If we want this annual security event to continue serving the purpose for which it was created, we should change the celebration on the first Thursday in May to “World Secure Sign-On Day” – encouraging both businesses and individuals to take stock of their security position and access control practices.
The world is changing, and these trends are important
Over the last couple of years, we have seen a continuous and steady movement towards cloud-based identity and access management solutions from the likes of Microsoft, Okta, Auth0, Google and Amazon. Even previously on-premises tools like Ping Identity are building cloud solutions. These tools offer SSO and other strategies to minimize the reliance on passwords.
While newer enterprises that are 100% cloud can take full advantage of these solutions, larger and older enterprises still rely on on-premises and home-grown apps. This means they’re forced to implement one identity solution for some applications and another for their SaaS solutions. This bifurcation burdens users with a hodgepodge of tools instead of a single streamlined solution that could simplify signing into applications and allow them to be more productive. It’s a terrible model that means users still have to remember, protect and change dozens, even hundreds, of passwords.
Another significant trend is encapsulated in Gartner’s Customer Identity and Access Management (CIAM) model – the need to manage authentication and authorization of customer identities. It’s far easier and more practical to control how employees access business systems – though securing passwords is clearly harder than we imagined – but as more companies extend their data into self-service-powered customer and partner ecosystems, things get even trickier. B2B and B2C are morphing into B2x, and suddenly different entities and individuals outside an organization – and sometimes a lot of them – need to be authenticated and authorized into highly valuable data.
It’s not realistic to think about IAM as only an internal-facing tool, and the simple password is now wholly inadequate as the palace guardian. In fact, OWASP ranks Broken Access Control as the most common application vulnerability – a clear indication of the importance and challenge of ensuring strong access controls are in place and that businesses have the ability to implement a “least privilege access” strategy.
Here’s what businesses need to think about on World Secure Sign-On Day
Ease of use – The strategy or platform a business adopts for authentication and authorization must make it easy for end users to access applications. No matter how secure a solution is, if it is frustrating for users, they’ll find ways around it. Or they won’t access the system at all, which may be good for security but terrible for the business. The platform must also be easy to administer and accommodate change and shouldn’t require a lot of time or resources to maintain. Otherwise, the solution could just end up becoming a critical choke point in providing access to vital services.
Ecosystem – In our hybrid multi-cloud world, it’s rare that you can build an end-to-end business process using a single tool or vendor. Successful businesses today rely on collaboration and new ecosystems to bring together the best-of-breed tools they need for their environment and business model. This is just as true of security. Businesses, especially those building a CIAM model, need to choose tools that integrate quickly with all their other apps and tools.
Future proofing – Plan today for the type of connections and security protocols you’ll need to rely on tomorrow. IAM will never be “one and done.” Though easier than the alternative (hard coding), APIs and SDKs are simply not that easy to use. Vendors say it will take a few days or weeks to fully implement a system, but we’re seeing teams spending three to four months building all the integrations and supporting all the security protocols they need. Further, when non-security experts try to use APIs and SDKs, they often introduce security vulnerabilities into the enterprise.
The only certainty is change. Zoom, for instance, has quickly evolved from email/password-based credentials only, to enabling social logins, to now letting enterprises connect their SSO solutions, such as Okta or Azure AD. What’s next? Taking months and massive amounts of engineering time to adapt to every change distracts developers from implementing new features and lengthens the time to value for customers. Embracing change, planning ahead, and looking for strategies that accelerate delivery and remove friction are the keys to future-proofing your secure sign-on environment. Any code that is written must be maintained.
Here’s what individuals need to think about on World Secure Sign-On Day
Follow password best practices – If you still need to rely on passwords for the next few years, all the old advice still applies.
- Change passwords regularly and make them long and strong.
- Don’t share passwords, and don’t store them on your computer or phone.
- Log off when you’re done with a program or application.
- When available, turn on two-factor authentication for important accounts.
Reduce reliance on passwords – It’s also important to reduce your reliance on passwords wherever possible. For example, using social logins when available reduces the number of passwords you’ll need to keep track of and change. If a passwordless option is available, take advantage of it.
Take responsibility – The reason World Password Day has been so important is that too many users fail to take security seriously. But the more of our lives and businesses that we digitize, the greater the security threat is. It is now more important than ever to understand cyber risks, whether it’s to your personal data or your company’s, and take responsibility for security. If your company offers security and privacy training, pay attention to it and heed the advice!
In a simpler time when users just needed to protect a handful of passwords to help keep their personal and business applications and data secure, World Password Day made a lot of sense. But this should be the last year we limit the first Thursday in May to just passwords. The world is far more complicated now, and World Secure Sign-On Day will present a greater opportunity for businesses and individuals to focus on all the elements of authentication and authorization required to secure access to applications and data.