If 2FA isn't available, what's your thoughts on password managers?
It's an interesting question. In a threat landscape that is always shifting, and that seems to require us to change passwords far too often... are password managers the answer?
Well, let's take a step back and consider what we are trying to solve for. We have places that don't support multifactor authentication (yet), and we need to use passwords. How do we manage all of them? Store them in an app on our phone? Write them down and keep them in our wallet? Keep them in Excel spreadsheets? Use server-based software to store them?
We are going to need passwords for some time to come. So what DO we do?
First off, try not to use a password to begin with. At least, not on the cloud app, if we can avoid it. Many SaaS-based applications can now support single sign-on (SSO) with federation protocols like SAML and WS-Federation. This allows you to remove the risk of password storage on the web app, and brings it back to your business infrastructure, where you have better control. If you are reading this, chances are your company uses AuthAnvil, which is DESIGNED to handle SSO for you in this regard. And because it already INCLUDES two-factor authentication (2FA), it means that indirectly, you are getting the benefit of 2FA without the risks of passwords on the end site... even if the site doesn't support it directly.
But what if 2FA and SSO are not available? Then consider using a password management system that does support them. Storing passwords in software that itself is not strongly protected is just plain risky. With AuthAnvil, we protect our password management solution with both SSO and 2FA. So you can choose how best to safeguard your passwords.
Then there is the management of the passwords themselves. Don't select a password manager that is really nothing more than a storage system. Select a solution that actively reviews and audits access, and can actually go out and automatically CHANGE the password for you when needed. Just today I was chatting with a customer who was so happy he could immediately expire his eBay password and have it changed immediately without his intervention past clicking "Generate" within the AuthAnvil Password Server. Then I told him about the auto-expiration option... which blew his mind. He didn't realize AuthAnvil can actually be configured to automatically go out and change the password on expiration, and that you can set the expiration to as little as 1 day... which means AuthAnvil could be changing those web passwords for you every single day with an extremely complex value, reducing your window of exposure for passwords. And then you can use it with AuthAnvil Single Sign On, which will inject the credentials for you so you don't even have to enter the information. It's SSO without the fuss to sites that don't have strong login security.
So to @JRHand1112 I would say... yes, password managers may be the next target. So make sure you select one that DOES support 2FA and includes enhanced security options to help safeguard your credentials. And make sure you select a solution that can help you manage all these passwords that need to be changed quickly, ideally one that works WITH SSO and automated password changing. Don't have a solution yet? Then grab our ebook on how to select a great password management solution. Hopefully you will see why AuthAnvil might be a great solution for you.