It's Time To Lose the Passwords!
Admit it: The only folks who hate passwords more than your users are the ones on your help desk. How many passwords do your users need? Three? Five? And I'll bet you make your users change those passwords every couple of months, as well as forcing them to remember D1ffiCu!t passwords on top of it all.
Despite all that, there isn't a password alive that your users could remember which can't be cracked in seconds.
Passwords are stored as hashes, and a rainbow table provides a fast way to look up any particular hash and get its clear-text version. Torrents are full of pre-generated rainbow tables that can crack a password of up to 10 characters, containing any ASCII character. So all the symbols and numbers your users have to toss into their passwords? Not protecting you one extra bit.
Find Another Factor
One-time passwords, typically generated by an authentication token, are the way to go. In the past, these have been limited to a key fob form factor -- and they were a hassle to use. You had to buy physical tokens from the same company that sold you the back-end integration solution, which got expensive. You issued tokens to users, ensuring the back-end system knew which user had which token. Users created a four- to six-digit PIN to go with their tokens, and that had to be stored as well.
The situation is vastly different today. You'll usually buy your back-end software from one vendor, and you're not stuck buying tokens from the same one. Most tokens and back-end solutions now comply with the Open Authentication (OATH) interoperability standard, which means you can buy from anyone. That's driven prices down to less than $5 per user in some cases. The back-end solution will typically integrate in some fashion with Active Directory, but will also usually provide a RADIUS interface so that nearly anything can authenticate. A client-side agent for Windows computers modifies your usual Ctrl+Alt+Delete screen to provide token-based logins.
And tokens have evolved beyond key fobs. While those are still popular, credit card-sized tokens are also available, and software tokens are available for almost every mobile device out there. Work-at-home users can even get Windows-based software tokens for their home computers, making it easy for them to log into the network and continue working as if they were in the office.
Token management? Also vastly improved. Nowadays users can be issued a token with no advanced enrollment. They simply visit an intranet Web site to register their token, using their old logon credentials, and establish a PIN. This self-service mechanism takes pretty much all of the overhead off of the IT staff.
Many systems also come with Web-based, one-time-password systems designed to accommodate contractors and other casual logon users. You don't need to issue them a token; instead, they utilize pattern-based numeric passwords. Essentially, they memorize a short pattern of blocks in a grid (think of a Bingo card -- your pattern is a "C" shape). You show them a grid with numbers in each square, and they type in the numbers that correspond to their block pattern. The numbers change every time. No password to remember, change, forget, unlock or anything -- and no hardware token either.
But Will They Like It?
The standard industry statistic is that a password reset or account unlock call costs you about $33, and that most help desks spend about one-third of their time handling those calls. With two-factor, token-based authentication, that pretty much goes away. There are no passwords to forget, so they don't need to be reset, and accounts don't need unlocking. You don't need a password reset self-service intranet solution. Help desk costs go down. User disgruntlement goes down.
Companies have stayed away from two-factor authentication in droves, partially because of the perceived costs and high overhead. Many companies hear "two-factor authentication" and immediately think "smart cards," which are indeed more expensive to manage in the long run, and which definitely come with some high overhead in terms of issuing and maintaining them. Hardware tokens, on the other hand, have become cheap -- and they're supplemented by the availability of soft tokens for mobile devices, which in many cases the back-end software vendor can offer you for free.
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author Evangelist for video training company Pluralsight. He’s the President of PowerShell.org, and specializes in the Microsoft business technology platform. Follow Don on Twitter at @ConcentratedDon.