
Credential Sharing and Passwordless

2 February 2023 by Clive Catton

Last time I wrote about the advantages of a passwordless environment and how opting into passwordless authentication would benefit your cyber security. I promised to look today at one more benefit of passwordless access, which concerns credential sharing.

Credential Sharing

What do I mean by credential sharing? It is the practice some organisations have of using one set of credentials for multiple users to access services, or of sharing credentials when users are on leave, off sick or even at lunch! This may not be something big organisations have a problem with, as it is easy to issue credentials if you have a full-time IT team, but I have come across it with many of our smaller clients – it is an easy solution to a recurring issue for smaller teams.

I saw it when the credentials for the managing director’s assistant were given to a holiday temp, because it was easier than calling us to set up a new user for two weeks. That temp then had access not only to the resources they needed for their job but also to many resources the company normally shares only with its most trusted employees. Fortunately, one of our team was visiting the site, realised what was happening and drastically reduced the account’s access before any harm was done.

Accountability

If you are unaware of how Authentication, Authorisation and Accountability impact your cyber security, then you should take five minutes to read this article to get up to speed.

How did we know no harm was done in the above example? We checked – because we knew where the sensitive information is stored, a dive into the logs meant we could reassure our client that their error had not exposed their secrets.

And that is why credential sharing weakens your cyber security – it removes the accountability from the equation. If two people have access to the same user name and password then in an investigation there will be doubt as to which one of them actually accessed the system at that time.

Token-based passwordless systems remove the option of sharing – after all, who would share their mobile phone?
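
As an added example (not from the original article), this Python sketch shows how the accountability gap appears in sign-in logs: it flags accounts whose sign-ins switch between devices within a working day, activity the username alone cannot attribute to one person. The log format, account names and device names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (timestamp, account, device); not real data.
SAMPLE_LOG = """\
2023-01-30T09:02:11 md.assistant LAPTOP-017
2023-01-30T09:40:03 j.smith LAPTOP-022
2023-01-30T12:15:47 md.assistant DESKTOP-TEMP3
2023-01-30T12:31:09 md.assistant LAPTOP-017
2023-01-30T16:05:30 j.smith LAPTOP-022
2023-01-31T08:58:40 md.assistant DESKTOP-TEMP3
"""

def parse(log_text):
    """Yield (datetime, account, device) from whitespace-separated lines."""
    for line in log_text.splitlines():
        if line.strip():
            ts, account, device = line.split()
            yield datetime.fromisoformat(ts), account, device

def shared_use(log_text, window_hours=8):
    """Return {account: [(time, previous_device, device), ...]} for every
    device switch on one account that happens inside the time window."""
    window = timedelta(hours=window_hours)
    last_seen = {}                  # account -> (time, device) of previous sign-in
    findings = defaultdict(list)
    for ts, account, device in sorted(parse(log_text)):
        prev = last_seen.get(account)
        if prev and prev[1] != device and ts - prev[0] <= window:
            findings[account].append((ts, prev[1], device))
        last_seen[account] = (ts, device)
    return dict(findings)

if __name__ == "__main__":
    for account, switches in shared_use(SAMPLE_LOG).items():
        print(f"{account}: {len(switches)} device switch(es) within the window")
        for ts, old, new in switches:
            print(f"  {ts.isoformat()}  {old} -> {new}")
```

A device switch is a prompt for review rather than proof of sharing, since one person may legitimately use two machines.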

But I really need to share one login

OK, in the real world of a small organisation there are times when the only practical solution is sharing a set of credentials between multiple users, so what can be done?

  • Ensure that all the users have the same security rating. If this is not possible as in the example above, then reduce the access whilst the least trusted role uses the account.
  • Create a shared account that has only the access relating to the least trusted role – the senior can then have two logins.
  • Enable MFA on the shared accounts so all the users are alerted when anyone uses the account – it is polite for the user about to use the account to text the others to let them know they are about to use it.

Remember that credential sharing can contribute to the “insider threat”, so manage with care.

Next time

I think I still have more to say about passwords – especially after reading an article by Bruce Schneier this morning…


Clive Catton MSc (Cyber Security) – by-line and other articles

Further Reading

Be careful of security theatre and user security fatigue – Smart Thinking Solutions

Something better than a password – Passwordless Authentication

Why you should care about the TLA AAA!
