The threat posed by weak passwords, and by username/password combinations obtained illegally through data breaches and computer system compromises, is a serious issue in today's cyber risk environment. Cyber insurers see the abuse of compromised credentials as one of the major causes of claims, ransomware claims in particular. Current best practices, which call for unique passwords across multiple systems and frequent password changes, appear neither to address the risk sufficiently nor to spare the user experience. Passwordless authentication (i.e., authentication that does not rely on a knowledge-based secret) may offer a way out of this dilemma.
Compared with businesses, educational institutions face added complexity in this context: they must maintain accounts for their enterprise network, student and teacher networks, research networks, public access networks, cloud infrastructure, and so on. Responsibilities often vary, and account management is frequently decentralized, while connectivity is permitted from one network into another and across educational institutions. Such complexity presents attackers with a very tempting attack surface, as the rising number of cyber attacks on educational institutions has made evident.
For a long time, the balance between security and convenience in authentication was struck with proper password policies. Best practices, industry standards, emerging prescriptive regulations, and the involvement of cyber insurers have since pushed the pendulum strongly toward additional security requirements. At first this led to the proliferation of multifactor authentication, which delivered immediate short-term improvements while potentially opening a pathway to longer-term, more holistic solutions. A further step in that direction is authentication that adapts what it requires (username and password alone; username, password, and a multifactor method; and so on) to the device being used, the location of the user or device, and other factors. This approach is often combined with the recent concept of zero trust, based on the idea of "never trust, always verify": a user is constantly reauthenticated so that an attacker holding a compromised user ID is hampered as much as possible in moving through a given network or even across networks.
The underlying paradigm, however, still relies on secrets that users need to keep.
Passwordless authentication replaces the password with other authentication factors, such as biometrics or possession factors (e.g., a one-time password), which strengthens the institution's security posture, simplifies IT, and improves the user experience.
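As an added example (not part of the original post and not AIG's or AGB's material), the following Python sketches the server side of one such possession factor, an HMAC-based one-time password as specified in RFC 4226, to show concretely what "no knowledge-based secret" means: the secret is provisioned onto an enrolled device rather than memorised by the user, the server verifies codes in a small look-ahead window, and every accepted code advances a counter so a captured code cannot be replayed. The user names, the look-ahead window size and the verifier class are assumptions for illustration; the secret value is the published RFC 4226 test vector, used here only for reproducibility.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password as specified in RFC 4226:
    HMAC-SHA-1 over the 8-byte big-endian counter, dynamic truncation,
    then a zero-padded decimal code of `digits` length."""
    msg = counter.to_bytes(8, "big")
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(truncated % 10**digits).zfill(digits)


class PossessionFactorVerifier:
    """Server side of an HOTP possession factor (illustrative, assumed design).

    Per user, the server stores the device secret and the counter of the last
    accepted code. The user never types or memorises the secret; only the
    enrolled device can produce a valid code, and each accepted code moves the
    counter forward so an intercepted code is useless afterwards.
    """

    def __init__(self, look_ahead: int = 5, digits: int = 6):
        self.look_ahead = look_ahead  # tolerate a few codes generated but never submitted
        self.digits = digits
        self._secrets: Dict[str, bytes] = {}
        self._counters: Dict[str, int] = {}

    def enroll(self, user: str, device_secret: Optional[bytes] = None) -> bytes:
        """Register a device for `user`. A fresh random secret is generated
        unless one is supplied. The secret is returned exactly once so it can
        be provisioned onto the device (e.g. via a QR code)."""
        secret = device_secret or secrets.token_bytes(20)
        self._secrets[user] = secret
        self._counters[user] = 0
        return secret

    def verify(self, user: str, code: str) -> bool:
        """Accept `code` if it matches any counter from the stored counter up
        to `look_ahead` steps beyond it. On success the counter jumps past the
        matched value, so the same code, or an older one, is rejected."""
        if user not in self._secrets:
            return False
        secret = self._secrets[user]
        start = self._counters[user]
        for counter in range(start, start + self.look_ahead + 1):
            expected = hotp(secret, counter, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self._counters[user] = counter + 1
                return True
        return False


# Constructed demo input: the RFC 4226 test secret (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def demo() -> List[bool]:
    """Enrol one (assumed) user and run a sequence of login attempts; returns
    the verifier's decisions in order so they can be checked."""
    server = PossessionFactorVerifier(look_ahead=5)
    server.enroll("alice", RFC_TEST_SECRET)

    # The device computes codes from its own copy of the secret and counter.
    device_codes = [hotp(RFC_TEST_SECRET, c) for c in range(10)]

    return [
        server.verify("alice", device_codes[0]),  # True:  first code from the device
        server.verify("alice", device_codes[0]),  # False: replay of an accepted code
        server.verify("alice", device_codes[3]),  # True:  skipped codes, still inside the window
        server.verify("alice", device_codes[2]),  # False: behind the advanced counter
        server.verify("alice", "000000"),         # False: guessed code
        server.verify("alice", device_codes[9]),  # True:  counter 9 is inside window 4..9
        server.verify("bob", device_codes[4]),    # False: no device enrolled for this user
    ]


if __name__ == "__main__":
    for c in range(3):
        print(f"counter {c}: {hotp(RFC_TEST_SECRET, c)}")
    print(demo())
```

Note that this scheme still leaves a secret on the server, just not one the user knows; a breach of the verifier's store would expose device secrets, so they deserve the same protection as any credential material. Possession factors built on a device-held private key, where the server keeps only a public key, remove even that shared secret.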
Educational institutions, with their diverse groups of users and their leading research abilities, have the capability to establish a new paradigm of secure authentication while increasing usability and convenience.
Solving the problem of authentication and eradicating passwords could present a large step in reducing the attack surface of a given educational institution. It would help make such an institution a more attractive risk to cyber insurers.
Sebastian Hess is a cyber risk advisor at AIG, an AGB sustaining partner.
Opinions expressed in AGB blogs are those of the authors and not necessarily those of the institutions that employ them or of AGB.