jspωiki
Web Blog_blogentry_240317_1

2017-03-24#

Enough is Enough[1]#

I am sick and tired when I see statements like: "When considering that users' inability to properly protect and manage passwords causes over 90% of cyber attacks, it is evident that our current IAM approach which mostly uses passwords for authentication cannot support the security of the future state where many devices will be interconnected," says Henry Bagdasarian, Founder of Identity Management Institute and cybersecurity thought leader."

Where i have an issue is: "When considering that users' inability to properly protect and manage passwords".

First let look at: the " inability to properly protect and manage passwords".

So "user's" are told to:

  • user strong passwords (generally this means password more than 10 characters)
  • do not use the same password on any other of the 200+ sites you visit
  • Many times users are told to change their password every so many days.

And we think anyone can do this and still remember passwords?

The problem is not the user's "inability to properly protect and manage passwords", it is that that IAM professionals would even consider this is an accomplishable feat.

The IAM Professionals have failed to deliver or implement a reasonable alternative.

The article goes on and says "Identity Management Institute predicts that organizations will slowly move away from passwords". No kidding? That has been said for more than 10 years.

Perhaps a better question is why are so many Service Providers still asking for passwords and keeping PII data? We have very strong Authentication abilities now with the use of OpenID Connect and Social Identity Providers which many offer Multi-Factor Authentication where the credentials are never revealed to the Service Provider.

More Information#

There might be more information for this subject on one of the following: ...nobody