This awareness and training module concerns passwords and the other credentials and methods used for Identification and Authentication (I&A).
Despite their substantial security flaws and practical drawbacks, passwords have long been the primary means of authenticating people to most computer systems, networks, websites and applications. We see little prospect of that changing any time soon. Consequently, we are all required to choose strong passwords and keep them secret - no mean feat as the number of passwords increases and the complexity rules become ever more tortuous.
Multi-factor authentication improves security but complicates matters still further. Federated identities, however, offer the prospect of simplifying things without unduly weakening the control. Although these are tricky concepts to explain in the awareness program, we relish the challenge!
- Gently introduce employees to I&A, including passwords of course;
- Expand on the associated information security risks e.g. falsely identifying foe as friend and vice versa, impersonation, identity theft, phishing and phorgery;
- Describe and promote the corresponding identification and authentication controls, covering both technical and procedural aspects e.g. the expectation that people will choose passwords that are long and strong yet memorable and hard to guess, and keep them personal and secret;
- Provide a mixture of information and motivational content, stimulating people to think - and most of all act - more securely;
- Inform managers and specialists further about I&A, touching on aspects such as multi-factor authentication, biometrics etc.;
- Motivate everyone to play their part and hence strengthen information security across the board, enhancing the corporate security culture.
To what extent is I&A important to your organization? Which aspects seem most/least relevant? Have there been any recent incidents or challenges relating to I&A (e.g. weak or shared passwords) that make it pertinent? Are there particular awareness messages you want to disseminate?
Passwords (I&A) awareness
Security awareness and training materials about the credentials used for identification and authentication of people - not just passwords but passphrases, multi-factor authentication, biometrics and so forth.