At the NCSC we hear about huge numbers of new technologies that are coming along to make end users’ lives better, and on paper many of them seem like great solutions to problems we face today. However, when it comes to deploying these technologies at scale we sometimes come across issues we didn’t anticipate when we tried them out in our labs.
Compounding this, when new technologies come onto the market there can be some scepticism about how well they meet user needs, there can be concerns around meeting compliance requirements that haven’t yet accounted for the changes, and sometimes these new technologies come with increased costs. There can also be a lack of awareness that these technologies even exist.
Combined, this means that technology adoption can often be slow. As a researcher this is frustrating; we see these technologies where there can be huge usability and security benefits if they were widely adopted, but yet they aren’t. So in recent years we’ve spent more time working on solving this adoption problem, and the Secure by Default Partnership Programme has been one of the ways we’ve been doing this.
In the Partnership Programme, we set a number of challenges for organisations to complete and then tell the rest of the world how they went. In return, they get direct access to techies at the NCSC, some money to help with purchasing any required equipment or software, access to some of NCSC’s policy experts, and access to some useful points of contact that the NCSC have built up over the years. It’s a competitive programme, and applicants have to convince us that they are proactive and enthusiastic enough to be successful in overcoming the challenges they will face in taking part.
This year’s Partnership Programme challenged participants to find as many ways as possible to reduce their reliance on passwords. For each of the three participants, we visited them and spoke at length about how their users authenticate to systems on a regular basis, and which interactions were good candidates for ‘upgrading’. For each, we set ten challenges to achieve within 7 short months, and to present on them at CYBERUK 2018. Even achieving half of the set challenges would be a huge improvement, but we wanted to capture what didn’t work so well too.
If you made it to CYBERUK, hopefully you were able to come to the session and hear the stories of Chesterfield Borough Council, Ofqual, and Renfrewshire Council directly from them at the time, but either way you can find their case studies written up in the case studies section of our website.
Renfrewshire have some great examples of how bad authentication can make users lives miserable, and some of the ways they’ve improved that – including not forcing users to enter their full domain credentials on the printer’s tiny touch screen every time they want to print. Chesterfield have some interesting stories of trying to make policy changes despite constant push-back from other areas of the business, and Ofqual tried a variety of different ideas out to replace passwords in their infrastructure – have a read and see if you could implement any of these ideas in your own organisations.
As always, we’re more than happy to listen to feedback on any of our publications. If you have any questions or comments about these case studies, let us know in the comments section below.
EUD Security Research Lead
Source: National Cyber Security Centre