Stepping Away from the Static
Even in 2021, in a world where authentication is a large part of cybersecurity measures, the password remains the cornerstone for accessing websites, applications, and other common logins. The recent Raconteur publication "Future of Authentication" reports that username/password is still a key identity and access management (IAM) service in 73% of smaller organizations and 45% of larger organizations. On the flip side, most IT professionals (48%) viewed it as moderately secure or below compared to other methods. So while passwords are clearly not the most secure, they are still the most widely used.
When we mention the term "password", we think about the static password, the one that stays the same until we have to change it, whether because of company password policies or because we were the victim of a cyberattack. Regardless, there are now many rules for passwords: reaching 13 characters and adding special characters, numbers, and a capital letter. Yet no matter how strong this static password is, it still remains the same, meaning that even a strong password can be easily hacked. Hacking static passwords is not a difficult task for even your typical attacker, no matter how annoyingly strong your password may be. Commonly used techniques such as dictionary or brute-force attacks are often enough to get the job done. If your password is left unchanged, it is really a matter of time before it is cracked.
Moving into the Dynamic
A step in the right direction is to move from a static password to a dynamic one. First, what is a dynamic password? The basic definition of a dynamic password is a password that does not remain the same, meaning it will constantly change.
That definition tends to prompt questions like, "That's a huge inconvenience. Constantly changing my password? Do I have to remember new complex passwords every day? As if $$$sdoiut-snb5!-sadhfg was not hard enough, and you're telling me that the best security option for passwords is one that changes daily?!"
Changing your password constantly is an enormous hassle, but fortunately, that is not the meaning of a dynamic password, and in fact, you may already be using dynamic passwords today. Imagine you access your banking application, it sends a code to your phone, and you have to enter that code to get in. That is already a dynamic password. These are called OTPs, or One Time Passwords, and they are a commonly used type of dynamic password: a machine-generated, random string that is used only once to authenticate.
How a dynamic password works depends on the authentication method, but in each case you receive a code that only works once and expires within a short time period, which makes it more difficult for hackers to access your account. Common examples of authenticators that use OTPs are Google Authenticator and Microsoft Authenticator, which give you a 6-digit code that you have one minute to use to access a login like Salesforce.
Dynamic passwords are convenient because they do not have to be remembered, and because the password is never the same, they serve as a major roadblock for hackers who may be looking to break into user accounts. It is time for the lovers of static passwords to face the facts - the static password will become extinct.
Dynamic options provide flexibility
Having dynamic passwords is one thing, but how they are delivered is another. It is key not only to implement dynamic passwords but also to make sure that the method a user is given is easy for them to use. For example, many OTPs are sent to or generated on a mobile device. Recent studies, however, show that populations of users, both employees and customers, are often unable to use phone-based methods.
When looking for a multi-factor authentication solution or just a better alternative to passwords, it is key to make sure that it has multiple options to create flexibility for you and your users. PortalGuard IDaaS is one of those solutions, with support for over 15 authentication methods, a good number of them delivering OTPs as a login method, like Hardware Tokens, SMS OTP, and Email, which all validate the PortalGuard system for login access. In addition, going beyond dynamic passwords to a "passwordless" option, PortalGuard also offers biometric authentication, which is one of the most secure and convenient ways to secure access.
While dynamic passwords are not the newest innovation in cybersecurity, they are a big part of fighting against hackers looking for an easy cyberattack opportunity.