Q&A: A passwordless future for enterprise security?

Posted Sep 7, 2019 by Tim Sandle
There is a growing shift toward a passwordless future for enterprise security as most hacking-related company breaches are traced back to compromised and weak credentials, according to Matt Davey, COO of 1Password. But is this the right option?
Graphic showing the different ways that numerical data is expressed in different cultures (Barbican Centre, London).
A Verizon Data Breach Investigations Report found that 81 percent of hacking-related breaches leveraged stolen and/or weak passwords. This means that password management for businesses remains a key security issue. As for alternatives to passwords, the much-discussed zero sign-on technologies and authentication methods such as face and fingerprint recognition are not necessarily as secure as traditional password measures, and half the time they take six tries to log you in, as Matt Davey explains.
In an interview with Digital Journal, Davey questions whether people are actually going to carry physical security keys every day to log into their desktops. Instead, he recommends that enterprises focus on mastering password management before they give up on it and fail at going passwordless.
To discuss the subject of passwords and authentication, Digital Journal spoke with Matt Davey, COO of 1Password.
Digital Journal: How common are cyberattacks on businesses?
Matt Davey: Cyberattacks have been growing in size, severity, and frequency for years. Recently, major companies like Capital One, Marriott, Facebook, and Quora have made the headlines after suffering large-scale breaches that exposed the personal information of millions of customers.
And when you consider that some data breaches aren’t discovered until customer information is released on the dark web years later, like with the Collection #1-6 data dumps we saw in January and February, it’s clear that the number of cyberattacks over any given period is going to be higher than what’s reported.
Data breaches are certainly common, and businesses — however small — need to take precautions.
DJ: To what extent are hacks related to weak passwords?
Davey: Around 80% of data breaches are the result of weak, reused, or stolen passwords. Reusing a password creates more opportunities for it to be stolen — and, if that password is compromised, it opens the door to every account it’s used for.
The difficulty businesses face is that without a password manager, it’s very difficult for employees to remember strong, unique passwords for every website they use at work and at home. And if using good passwords is an inconvenience, employees will use weak or duplicate ones, putting businesses at risk of a costly breach.
DJ: How can businesses ensure that passwords are strengthened?
Davey: Education is a key factor, but so is empowerment. Arming employees with the knowledge and tools they need to keep their accounts safe, and giving them ownership over their online security, is the most effective way to guard against data breaches in future.
Practically, rolling out a password manager is the best thing businesses can do to ensure stronger passwords are used at work. Password managers can create strong, unique passwords for each account, warn you when your passwords are included in data breaches, and facilitate secure sharing (as opposed to sharing via insecure methods like shared spreadsheet, IM, or email).
DJ: How often should passwords be changed?
Davey: IT professionals used to recommend changing passwords every few months — the idea being that it keeps hackers scrambling to get your password and access your data.
The truth is, enforcing regular password changes can leave your business more vulnerable to data breaches than not. When asked to change passwords regularly, employees tend to use simple, sequential passwords (e.g. Password1, Password2), which are easy to guess and crack.
Best practice is to only change passwords if you have reason to believe they are vulnerable in some way: either reused, weak, or compromised.
DJ: How effective are alternatives to the traditional keyboard-entered password, like face and fingerprints?
Davey: Tech is making effective use of fingerprint, face, voice, iris, and even vein recognition as a way of unlocking accounts. But biometrics have their drawbacks — you can't change your face or fingerprint in case of a breach.
Biometrics are most effective when used in tandem with a password, rather than as a replacement. Biometrics are a reliable additional authentication factor, so using them as part of multi-factor identification strengthens security.
DJ: What services does 1Password provide to assist with the security process?
Davey: 1Password makes it easy for employees to create, store, and use strong passwords at work. It can also be used as an authenticator for sites with 2FA.
Watchtower, which is built into 1Password, alerts you when sites you use are involved in a data breach, so you can secure accounts right away. It also checks for weak, compromised, and duplicate passwords and lets you know which sites are missing two-factor authentication or using unsecured HTTP.
When you use 1Password, each employee gets a free 1Password Families membership for as long as they’re with the company — because when people practice secure password habits at home, they’ll be more secure at work.
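As an added illustration (not 1Password's code, and not how Watchtower is implemented), the following script runs the kinds of checks Davey lists for Watchtower, plus a check for the Password1/Password2 rotation pattern from the earlier answer, over a constructed sample vault; every name, URL and password below is made up.

```python
import re
from collections import defaultdict

# Constructed sample vault (not real data): name, login URL, password, 2FA enabled?
VAULT = [
    ("mail",     "https://mail.example.com", "Password1",       True),
    ("mail-old", "https://mail.example.com", "Password2",       True),
    ("crm",      "http://crm.example.com",   "Tr0ub4dor&3",     False),
    ("hr",       "https://hr.example.com",   "Tr0ub4dor&3",     True),
    ("wiki",     "https://wiki.example.com", "x9#Lq!vB2$mZ7pW", True),
]

MIN_LENGTH = 12
# "word + a short counter" is the shape forced rotation tends to produce (Password1, Password2)
ROTATION_SHAPE = re.compile(r"^[A-Za-z]+\d{1,3}$")


def is_weak(password):
    """Short passwords and the word+counter shape both count as weak."""
    return len(password) < MIN_LENGTH or bool(ROTATION_SHAPE.match(password))


def stem(password):
    """Strip a trailing counter so Password1 and Password2 share a stem."""
    return re.sub(r"\d+$", "", password)


def audit(vault):
    findings = {"weak": [], "reused": {}, "rotation": {}, "http": [], "no_2fa": []}
    by_password = defaultdict(list)   # exact password -> account names
    by_stem = defaultdict(list)       # counter-stripped stem -> (name, password)
    for name, url, password, has_2fa in vault:
        if is_weak(password):
            findings["weak"].append(name)
        if url.lower().startswith("http://"):      # credentials sent in the clear
            findings["http"].append(name)
        if not has_2fa:
            findings["no_2fa"].append(name)
        by_password[password].append(name)
        s = stem(password)
        if s != password and len(s) >= 4:
            by_stem[s].append((name, password))
    # exact reuse: one compromised credential opens every account that shares it
    findings["reused"] = {pw: names for pw, names in by_password.items() if len(names) > 1}
    # rotation variants: distinct passwords that differ only by a trailing counter
    findings["rotation"] = {s: [n for n, _ in entries] for s, entries in by_stem.items()
                            if len({p for _, p in entries}) > 1}
    return findings


if __name__ == "__main__":
    for kind, hits in audit(VAULT).items():
        print(f"{kind}: {hits}")
```

Breach-list lookups are deliberately left out: checking a password against known dumps needs an external service or a local copy of the dump, which this offline sample does not carry.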