Thales Blog

Let’s Get One Thing Straight: Passwords AREN’T the Best Authentication Method

May 6, 2020

Dirk Geeraerts | Security Evangelist

The COVID-19 pandemic has taught organizations that having staff work from home comes with its benefits. It’s even likely that having a remote workforce could be more acceptable for many organizations in the future. That being said, organizations can’t leave their remote workforce to fend for themselves. No one would leave a bank unprotected by neglecting to put security glass and guards in place. Similarly, they wouldn’t want to give a company car to an employee without making sure that it’s protected by insurance.

This same forethought should extend to digital security. That is to say, organizations should provide strong access management controls to remote workers in the same way that they provide them with a laptop. They can fund these security measures by reinvesting the budget they save by having employees work remotely.

The question is, are organizations making these necessary investments? Or are they still holding onto outdated technologies in the hope that they’ll stay secure?

To find out, Thales interviewed 400 IT decision makers (ITDMs) in Europe and the Middle East at the beginning of 2020. As revealed in the 2020 Thales Access Management Index-Europe and Middle East Edition, their responses illuminated the types of access management practices implemented within European and Middle Eastern organizations. They also illustrated organizations’ plans concerning access management and authentication going forward.

Strong Awareness of the Need for Strong Authentication

Organizations are well aware of the need for robust authentication measures. Indeed, 96% of survey respondents said they could use strong authentication and access management solutions to help their employers securely migrate to the cloud. That belief is significant given the fact that more than half (55%) of ITDMs felt that cloud applications constituted the second-highest target of a cyberattack. (Unprotected infrastructure garnered the greatest amount of attention at 57%.)

Even so, participants in Thales’s study didn’t necessarily have an eye towards modernizing their authentication measures. More than a quarter (29%) of respondents told Thales they felt that traditional credential sets consisting of usernames and passwords were still the best means to protect their organizations’ IT environments. Even more concerning, two-thirds of ITDMs said they planned to expand their organizations’ use of passwords and usernames sometime in the future.

As more and more businesses adopt cloud-based services for CRM, email, employee collaboration and IT infrastructure as part of their digital transformation strategies, extending old solutions that were designed to protect internal resources to the outside world becomes very problematic. Often, in an effort to adapt to the new working habits of users connecting from anywhere, businesses revert in despair to old password-based logins for cloud services, knowingly increasing their security exposure to credential stuffing and phishing attacks.

Plans for the Future

Fortunately, there’s some hope for the future. Thales’s study revealed that 94% of ITDMs changed their organizations’ security policies around access management during the past year. Respondents also reported increased focus on training for security access management (47%), spending on access management (43%) and making access management a board priority (37%).

For a long time, the biggest battle IT leaders have faced is increasing board awareness around taking security threats seriously. Now that they have that buy-in, the focus should be on highlighting to the powers that be the importance access management plays in implementing a Zero Trust security policy. With this in place, risk management professionals will be able to adopt a ‘Protect Everywhere - Trust Nobody’ approach as they expand in the cloud.

But how can organizations realize this Zero Trust Model in their own environments?

For more on this question and how two-factor authentication, single sign-on and other modern versions of authentication lay the groundwork for the future of access management, listen to our webcast.