One thing that is true in every industry, but definitely a major issue for manufacturers, is the need for employees to remember multiple sets of credentials to log in to applications during their work day. They need one set to access their computer, another to access the ERP system, possibly another for email and so forth. For managers who need access to other applications, such as time and attendance, HR or financial systems, the problem becomes even more complicated.
A recent NIST survey uncovered that the average person has nine work-related sets of credentials — five that are frequently utilized and four that are only needed occasionally. When password complexity, history and frequency of changes are factored in, the time spent by an employee managing passwords can be substantial, not to mention what happens when a password is forgotten and needs to be reset. The survey also showed that users are becoming overwhelmed with passwords because requirements differ from one system to the next, especially when frequent changes are required, and frustrated by forgotten passwords.
So how do most employees deal with password fatigue? Simple — they write them down. Sometimes they are in plain sight, such as emblazoned on a sticky note on the monitor or under their computer keyboard. Other times they are on a piece of paper in their wallet or purse, or on a note inside their phone. Regardless of the method, writing down a user name and password introduces a security risk that does not need to exist.
Balancing employee satisfaction against security needs can put the technology department in a difficult position. On one hand, it wants to minimize the inconvenience of remembering numerous sets of credentials; on the other, it must maintain the security that complex passwords provide and eliminate passwords being written down.
Fortunately, there are many commercially available software solutions to solve both of these issues. Many organizations start out with something as simple as password synchronization. When a user changes their network password, it is synchronized across the numerous systems. While this solution can work and is appealing from the standpoint that an end user now only has one password to remember, there are some potential pitfalls. The first potential issue that can arise is usernames. The network may have j.doe while ERP has JohnDoe and HR may have John_Doe. The second potential issue deals with password complexity and history rules. One system may need eight characters while another needs 10; one system may accept special characters while another cannot; one system may need a change every 60 days while another needs a change every 90 days. While these issues can be resolved by using translation tables for user names and password complexity rules that address the least common denominator, it is not always a simple, error-free configuration. It also requires manual intervention to identify all the username differences between the systems in an organization.
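As an added illustration of the two pitfalls above (this is example code written for this article, not part of the original and not any vendor's product), the following derives the "least common denominator" password policy from several connected systems' rules and maps a network account to each system's account name through a translation table. The system names, rule values and the `j.doe` mapping are constructed assumptions that mirror the examples in the text.

```python
"""Password-synchronization helpers: derive one policy that satisfies every
connected system, and translate usernames between systems.
Added example; systems, rules and users are constructed for illustration."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SystemPolicy:
    name: str
    min_length: int       # shortest password the system accepts
    max_length: int       # longest password the system accepts
    allows_special: bool  # whether non-alphanumeric characters are accepted
    max_age_days: int     # forced change interval
    history: int          # number of previous passwords that may not be reused


# Constructed policies echoing the article: 8 vs 10 characters, special
# characters accepted vs not, and 60 vs 90 day change intervals.
SYSTEMS = [
    SystemPolicy("network", 8, 64, True, 90, 5),
    SystemPolicy("erp", 10, 20, False, 60, 10),
    SystemPolicy("hr", 8, 32, True, 90, 3),
]


def combined_policy(policies):
    """Strictest rule on each axis: a password meeting this meets every system."""
    return SystemPolicy(
        name="combined",
        min_length=max(p.min_length for p in policies),
        max_length=min(p.max_length for p in policies),
        allows_special=all(p.allows_special for p in policies),
        max_age_days=min(p.max_age_days for p in policies),
        history=max(p.history for p in policies),
    )


def check_password(password, policy):
    """Return the list of rule violations; an empty list means acceptable everywhere."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length}")
    if len(password) > policy.max_length:
        problems.append(f"longer than {policy.max_length}")
    if not policy.allows_special and re.search(r"[^A-Za-z0-9]", password):
        problems.append("special characters not accepted by every system")
    return problems


# Username translation table: network account -> account name per system.
# Constructed; in practice it is built by reconciling each system's user list.
USERNAME_MAP = {
    "j.doe": {"erp": "JohnDoe", "hr": "John_Doe"},
}


def sync_targets(network_user, user_map, systems):
    """Map a network user to its account in every connected system.
    Systems with no mapping are reported, never guessed at."""
    targets, missing = {}, []
    for s in systems:
        if s.name == "network":
            targets[s.name] = network_user
        elif s.name in user_map.get(network_user, {}):
            targets[s.name] = user_map[network_user][s.name]
        else:
            missing.append(s.name)
    return targets, missing
```

Running `combined_policy(SYSTEMS)` yields a 10 to 20 character, no-special-character, 60-day policy, which is exactly the "strictest of everything" compromise the text describes; the `missing` list from `sync_targets` is where the manual reconciliation work shows up.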
Another possibility to resolve the password issue is a single sign-on (SSO) application. SSO lets end users log in to a secure portal, or use their network authentication, to reach all the systems and applications their position requires; once the single credential is verified, all of them are opened and presented on their device or computer. The first time a user launches an app, he or she provides the proper credentials. Going forward, those credentials are remembered and provided automatically. There is no further need to remember each individual user name and password for all the systems used in the course of a day.
This can even be taken several steps further from a security perspective. The credentials can be pre-loaded into the user's SSO profile so the user never even realizes there are different credentials for each app. However, if they were to attempt access from outside the portal, access would be denied. Also, an administrator could inactivate a user’s SSO profile, thereby immediately removing access to all applications. The SSO portal can also be locked down, by user and application, to specific device types, time of day, IP range and internal or external network connections. It is also possible to add two-factor authentication (2FA) to the portal or to sensitive applications, requiring a PIN, biometrics, smart card, etc. for access. The referenced NIST study showed a significant reduction in frustration and password fatigue when a smart card was used in place of passwords for the majority of users.
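The following is an added example (not code from the article or any SSO product) of how a portal might evaluate the per-user, per-application restrictions just listed: profile inactivation, device type, time of day, IP range, internal-only connections, and a step-up to a second factor for sensitive apps. The application names, networks, hours and user profiles are constructed assumptions; the point is that the decision is deny-by-default and every check must pass.

```python
"""Deny-by-default access evaluation for an SSO portal.
Added example; apps, rules, networks and users are constructed."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AppRule:
    app: str
    device_types: frozenset   # device types allowed to open this app
    start: time               # allowed window start (inclusive)
    end: time                 # allowed window end (exclusive)
    networks: tuple           # allowed source ranges (ip_network objects)
    internal_only: bool       # deny connections from outside the company network
    require_2fa: bool         # sensitive app: second factor always required


@dataclass(frozen=True)
class Request:
    user: str
    app: str
    device_type: str
    at: time
    source_ip: str
    internal: bool            # connection originates on the internal network
    second_factor_ok: bool    # user already completed 2FA in this session


# Constructed rules: ERP from desktops or tablets during plant hours, internal only;
# HR only from desktops, office hours, a narrower range, and always with 2FA.
RULES = {
    "erp": AppRule("erp", frozenset({"desktop", "tablet"}), time(5, 0), time(23, 0),
                   (ip_network("10.0.0.0/8"),), True, False),
    "hr": AppRule("hr", frozenset({"desktop"}), time(7, 0), time(19, 0),
                  (ip_network("10.10.0.0/16"),), True, True),
}

# Which apps each user's SSO profile contains, and which profiles are inactivated.
PROFILES = {"j.doe": {"erp", "hr"}, "a.smith": {"erp"}}
DISABLED = set()


def evaluate(req, rules=RULES, profiles=PROFILES, disabled=DISABLED):
    """Return (decision, reason): 'allow', 'step-up' (2FA needed) or 'deny'."""
    if req.user in disabled:
        return "deny", "profile inactive"
    if req.app not in profiles.get(req.user, set()):
        return "deny", "app not in user's SSO profile"
    rule = rules.get(req.app)
    if rule is None:
        return "deny", "no rule defined for app"
    if req.device_type not in rule.device_types:
        return "deny", "device type not allowed"
    if not (rule.start <= req.at < rule.end):
        return "deny", "outside allowed hours"
    if rule.internal_only and not req.internal:
        return "deny", "external connection"
    if not any(ip_address(req.source_ip) in net for net in rule.networks):
        return "deny", "source IP outside allowed range"
    if rule.require_2fa and not req.second_factor_ok:
        return "step-up", "second factor required"
    return "allow", "all checks passed"


def disable_profile(user, disabled=DISABLED):
    """Inactivating the SSO profile removes access to every app at once."""
    disabled.add(user)
```

Because the portal holds the only path to the application credentials, a single `disable_profile` call is the "immediately removing access to all applications" step from the text, with no per-application account cleanup needed to cut access.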
Now that you have taken the necessary steps to reduce your users’ passwords from nine or more down to one, that one password will inevitably still, on occasion, be forgotten and need to be reset. In fact, nearly 40 percent of all calls to the helpdesk are password related and consume a tremendous amount of time and productivity.
Fortunately, there are many commercially available solutions for this problem as well. Applications that allow users to reset their network password from the Windows login screen or from a web portal on a kiosk computer are relatively inexpensive and easy to deploy. The user simply answers challenge questions provided during an enrollment phase and can reset their password immediately. This is especially useful for people working shifts when the helpdesk may not be open. If utilizing a password sync model, the new password is immediately set in all connected applications. If using an SSO model, the user can now regain access to the network and the portal.
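To show what a sound implementation of the enrollment-and-challenge flow looks like, here is an added example (not from the article or any product) of a self-service reset service: answers are normalized so capitalization and spacing do not matter, stored only as salted PBKDF2 hashes, compared in constant time, and limited to a few failed attempts before lockout. On success the new password is pushed to every connected system, which is the sync-model behaviour described above. The questions, users and the `DummySystem` stand-in are constructed assumptions.

```python
"""Self-service password reset backed by challenge questions.
Added example; users, questions and the connected-system stand-in are constructed."""
import hashlib
import hmac
import os
import unicodedata

PBKDF2_ROUNDS = 100_000
MAX_ATTEMPTS = 3


def normalize(answer):
    """Make 'Main Street', ' main   street' and 'MAIN STREET' compare equal."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer, salt):
    """Salted, stretched hash so stored answers are not recoverable from the database."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)


class ResetService:
    def __init__(self):
        self.enrolled = {}   # user -> list of (question, salt, answer_hash)
        self.failures = {}   # user -> consecutive failed verification attempts

    def enroll(self, user, qa_pairs):
        """Enrollment phase: keep question text and hashed answers, discard plaintext."""
        records = []
        for question, answer in qa_pairs:
            salt = os.urandom(16)                    # one salt per answer
            records.append((question, salt, hash_answer(answer, salt)))
        self.enrolled[user] = records
        self.failures[user] = 0

    def questions_for(self, user):
        return [q for q, _, _ in self.enrolled.get(user, [])]

    def locked(self, user):
        return self.failures.get(user, 0) >= MAX_ATTEMPTS

    def verify(self, user, answers):
        """True only if every enrolled answer matches; a miss counts toward lockout."""
        records = self.enrolled.get(user)
        if records is None or self.locked(user):
            return False
        ok = len(answers) == len(records)
        for (_, salt, stored), given in zip(records, answers):
            # check every answer so timing does not reveal which one was wrong
            ok &= hmac.compare_digest(stored, hash_answer(given, salt))
        if not ok:
            self.failures[user] += 1
        return ok

    def reset(self, user, answers, new_password, connected_systems):
        """On success, set the new password in every connected system (sync model)."""
        if not self.verify(user, answers):
            return False, []
        self.failures[user] = 0
        return True, [s.set_password(user, new_password) for s in connected_systems]


class DummySystem:
    """Stand-in for a connected application (ERP, HR, ...) that accepts a new password."""
    def __init__(self, name):
        self.name = name
        self.passwords = {}

    def set_password(self, user, new_password):
        self.passwords[user] = new_password
        return self.name
```

The attempt limit matters as much as the hashing: challenge answers are far lower-entropy than passwords, so the service must refuse to keep guessing long before a helpdesk would.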
Password frustration and fatigue are a real issue and are only getting worse. As mentioned, the average person has nine sets of credentials for work and at least that many for personal applications. Trying to remember them all is rapidly getting beyond human cognition, and people resort to non-secure methods — using a single, simple password across multiple websites and applications, or writing them down and hoping nobody looks under the keyboard.
Dean Wiech is the Managing Director of Tools4ever.