Any information system relies on access policies governing the operations that named subjects (users) may perform on objects (data, resources, and services). The two pillars of access and identity management are user identification and user authentication. Authentication is of particular significance because it is the last security barrier against a malicious user who has obtained a legitimate user ID.
Password-based authentication remains the most popular access management technology. However, this technology does have a number of important disadvantages:
- You typically learn that a password has been compromised only after a security incident has actually occurred. Intruders are unlikely to openly reveal their presence in your network; on the contrary, they will do their best to conceal their activity, and the fact that authentication data has been compromised, for as long as possible.
- Remote work further increases the risk of password compromise, since it permits access from any device, including uncontrolled ones.
- Passwords are highly vulnerable to social engineering, in which users are manipulated into disclosing their password to the intruder, directly or indirectly.
- Account lockout after a specified number of failed attempts may be disabled for some corporate resources, especially for local sessions. Such systems and services are therefore exposed to various password-cracking methods.
Another weak point of password-based access management is that each information system or service may use its own authentication subsystem. This causes further problems and reduces labor productivity:
- Users need to remember and enter multiple passwords.
- System administrators have to handle a number of additional tasks:
  - Keep track of all users and their authenticators.
  - Respond to failures in each of the different user authentication subsystems.
  - Monitor access events across multiple subsystems.
  - Reset forgotten user passwords.
Another factor deserves special attention: foreign media constantly report leaks of user account databases (containing logins and passwords) that later turn up for sale on private web resources.
All issues and vulnerabilities related to password-based authentication can be solved by introducing a single comprehensive authentication management system. Such systems should be able to perform the following tasks:
- Support additional types of authentication (that do not share the weak points of password management systems).
- Enable centralized management of authenticators and access to corporate resources.
- Offer the same set of authenticators for all corporate resources.
- Ensure centralized monitoring of all access-related security events.
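The points above about resources with lockout disabled and about monitoring access events across multiple subsystems can be illustrated together. The following is an added example, not code from the original text: it normalizes constructed log lines from three hypothetical subsystems (a VPN, a file server, and an application, each with its own log format) into one event shape and flags accounts whose combined failed-login count reaches a threshold, which no single subsystem would have noticed on its own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; the three subsystems and their log formats are assumptions.
SAMPLE_LOGS = [
    "vpn 2024-03-01T08:00:01 user=alice result=FAIL",
    "vpn 2024-03-01T08:00:05 user=alice result=FAIL",
    "fileserver 2024-03-01T08:00:09 LOGIN FAILED for alice",
    "app 2024-03-01T08:00:12 auth failure user 'alice'",
    "app 2024-03-01T08:00:13 auth failure user 'alice'",
    "fileserver 2024-03-01T08:00:20 LOGIN OK for alice",
    "vpn 2024-03-01T08:05:00 user=bob result=FAIL",
    "vpn 2024-03-01T08:05:30 user=bob result=OK",
]

# One parser per subsystem: a regex with ts/user/outcome groups plus the word that marks failure.
PARSERS = {
    "vpn": (re.compile(r"^vpn (?P<ts>\S+) user=(?P<user>\S+) result=(?P<outcome>\w+)$"), "FAIL"),
    "fileserver": (re.compile(r"^fileserver (?P<ts>\S+) LOGIN (?P<outcome>\w+) for (?P<user>\S+)$"), "FAILED"),
    "app": (re.compile(r"^app (?P<ts>\S+) auth (?P<outcome>\w+) user '(?P<user>[^']+)'$"), "failure"),
}

def normalize(line):
    """Map a raw line from any known subsystem to (timestamp, user, failed); None if unparseable."""
    source = line.split(" ", 1)[0]
    if source not in PARSERS:
        return None
    pattern, fail_word = PARSERS[source]
    m = pattern.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group("ts")), m.group("user"), m.group("outcome") == fail_word

def detect(lines, threshold=3, window=timedelta(minutes=5)):
    """Return {user: finding}. A user whose failures across all subsystems reach `threshold`
    inside `window` is flagged; a subsequent success in that window upgrades the finding,
    since it may mean the guessed password worked."""
    events = sorted(filter(None, map(normalize, lines)))
    recent = defaultdict(list)  # user -> timestamps of failures still inside the window
    findings = {}
    for ts, user, failed in events:
        recent[user] = [t for t in recent[user] if t >= ts - window]
        if failed:
            recent[user].append(ts)
            if len(recent[user]) >= threshold:
                findings.setdefault(user, "excessive_failures")
        elif len(recent[user]) >= threshold:
            findings[user] = "success_after_failures"
    return findings
```

In the sample data, alice has only two failures on any one subsystem, so a per-system lockout at three attempts would never fire; the centralized view reaches the threshold and also sees the later successful login.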