Using password managers in the company


What to look out for in a password manager

Username and password are still by far the most commonly used authentication method.

As digitization progresses in companies, the number of accounts, and with it the number of applications and usually the number of passwords per employee, keeps growing. A study by LogMeIn from 2019 found that employees in German SMEs have to manage between 30 and 100 passwords.

Faced with this volume, people are tempted to reuse passwords or to choose "simple" ones. Both are exactly what attackers rely on: a password leaked from one service is tried against many others (credential stuffing), and short or predictable passwords fall to guessing, so a single stolen credential often opens several systems.

A modern password manager helps with both problems: it lets employees keep track of their many passwords and at the same time reduces the company's exposure to credential theft.

Requirements for a password manager

Since all of a user's important credentials are stored in the password manager, the security of the password manager itself and of the credentials kept in it has the highest priority.

Second, and no less important, is usability, because users will only accept such a solution if it fits into everyday work without friction. If it is too cumbersome, the old habits return: simple passwords, reuse, and Post-its on the monitor.

Usability of password managers

A password manager earns day-to-day use through simple handling and by proactively helping the user.

Browser plugins that recognize registration and login forms and offer on the spot to generate a strong password for that website nudge users towards unique, strong passwords that are saved in the password manager immediately.

Biometric unlock for the password manager on the device lets the user get at their passwords quickly at any time. For security reasons, the password manager should lock itself again after a period of inactivity, so that the decrypted vault does not stay available in memory indefinitely and the user has to re-authenticate.

The password manager should also have a mobile client so that it can also be used on smartphones and tablets.

Security of a password manager

General information about security

The major password manager vendors share the same basic security model: the vault is encrypted on the user's device before it is synchronized to the provider, and the key is derived from the master password and held only locally, so the provider stores nothing but ciphertext. Neither the provider nor an attacker who breaches the provider can therefore read the stored passwords in plain text. The caveat is that this protection is only as strong as the master password and the key derivation behind it: whoever obtains the encrypted vault can try master passwords offline at leisure, which is why a long master password and a slow key derivation function (Argon2, scrypt, or PBKDF2 with a high iteration count) matter.

How exactly this is implemented differs slightly from vendor to vendor.

Establishment of the emergency mechanisms

This also means that if the user forgets the master password, the provider has no way to recover it, because the provider never had the key. The manufacturers offer different emergency options for this case. It is important to have rules for these emergency mechanisms: they must actually be set up by the user, and they must be designed so that an attacker cannot use them as a back door into the password manager.

Almost all password manager providers also offer an emergency mechanism that lets the company access an employee's passwords. Check beforehand how this works in the specific solution chosen, so that access is actually possible when it is needed. At the same time, administrators must not be able to gain uncontrolled access: the process should require at least two people to establish such access. The data protection officer should also be consulted on this topic.

Secure authentication with password managers

All password manager providers allow minimum technical requirements for the master password (length, complexity) to be enforced; this must be used.

Two-factor authentication should always be enabled for the password manager itself, preferably with TOTP or a hardware token (for example a FIDO2 security key) rather than codes sent by SMS or e-mail.


Basic configuration suggestions for password managers

In the area of rights and role concepts there are currently notable differences between the major providers. Not every provider supports a fine-grained distribution of rights and roles, which matters particularly when many people in the company use the password manager in very different working environments. It becomes more important still as the number of users grows, because administration of individual areas is then often decentralized and the application should allow graduated administration rights to be assigned.

Many password managers also offer alerts that send warning messages when specific events occur. At a minimum, failed login attempts should be monitored and alerted on, since a burst of failures against one account usually means someone is guessing that account's master password.

Reporting is rounded off with regular reports on the strength and reuse of the passwords stored in the password manager.
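As an added example (not code from the page or any product), the following Go program implements the failed-login check on a constructed audit-log excerpt: it parses generic `timestamp key=value` lines, slides a time window over each user's failures and raises an alert once a threshold is reached, while reporting lines it cannot parse. The log format, field names, user names, IP addresses and the threshold of five failures in ten minutes are all assumptions; real products export their events in their own formats, so the parser is the part to adapt.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// SampleLog is a constructed excerpt in a generic "<timestamp> key=value" audit format (not a real
// vendor export): alice is brute-forced, carol fails slowly over two hours, one line is malformed.
var SampleLog = []string{
	"2024-03-04T09:00:01Z user=alice event=login_failed ip=203.0.113.5",
	"2024-03-04T09:00:17Z user=alice event=login_failed ip=203.0.113.5",
	"2024-03-04T09:01:02Z user=alice event=login_failed ip=203.0.113.5",
	"2024-03-04T09:01:40Z user=alice event=login_failed ip=203.0.113.5",
	"2024-03-04T09:02:11Z user=alice event=login_failed ip=203.0.113.5",
	"2024-03-04T09:02:30Z user=alice event=login_success ip=203.0.113.5",
	"2024-03-04T08:00:00Z user=carol event=login_failed ip=192.0.2.9",
	"2024-03-04T08:30:00Z user=carol event=login_failed ip=192.0.2.9",
	"2024-03-04T09:00:00Z user=carol event=login_failed ip=192.0.2.9",
	"2024-03-04T09:30:00Z user=carol event=login_failed ip=192.0.2.9",
	"2024-03-04T10:00:00Z user=carol event=login_failed ip=192.0.2.9",
	"this line is not an audit event",
}

type Event struct {
	Time        time.Time
	User, Event string
}

// parseLine expects "<RFC3339 timestamp> key=value ..."; unknown keys (such as ip) are ignored.
func parseLine(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	kv := map[string]string{}
	for _, f := range fields[1:] {
		if k, v, ok := strings.Cut(f, "="); ok {
			kv[k] = v
		}
	}
	if kv["user"] == "" || kv["event"] == "" {
		return Event{}, fmt.Errorf("missing user or event in %q", line)
	}
	return Event{Time: ts, User: kv["user"], Event: kv["event"]}, nil
}

type Alert struct {
	User     string
	Failures int
	From, To time.Time
}

// DetectFailedLogins groups login_failed events per user and slides a time window over them.
// Unparsable lines are returned, not dropped, so broken input cannot silently lower the count.
func DetectFailedLogins(lines []string, threshold int, window time.Duration) ([]Alert, []error) {
	var errs []error
	failures := map[string][]time.Time{}
	for _, line := range lines {
		ev, err := parseLine(line)
		if err != nil {
			errs = append(errs, err)
		} else if ev.Event == "login_failed" {
			failures[ev.User] = append(failures[ev.User], ev.Time)
		}
	}
	var alerts []Alert
	for user, times := range failures {
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		start := 0
		for end := range times {
			for times[end].Sub(times[start]) > window {
				start++ // drop failures that fell out of the window ending at times[end]
			}
			if n := end - start + 1; n >= threshold {
				alerts = append(alerts, Alert{User: user, Failures: n, From: times[start], To: times[end]})
				break // one alert per user is enough here; a SIEM rule would keep counting
			}
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].User < alerts[j].User })
	return alerts, errs
}

func main() {
	alerts, errs := DetectFailedLogins(SampleLog, 5, 10*time.Minute)
	for _, a := range alerts {
		fmt.Printf("ALERT %s: %d failed logins between %s and %s\n", a.User, a.Failures, a.From.Format(time.RFC3339), a.To.Format(time.RFC3339))
	}
	for _, err := range errs {
		fmt.Println("unparsed:", err)
	}
}
```

With the sample data, `go run` reports one alert for alice and one unparsed line; carol never trips the rule because her five failures are spread over two hours, which shows why the window and the threshold have to be tuned together: a long window with a low threshold would catch slow guessing but also flag ordinary typos.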

Separate admin accounts with different authorizations should also be set up for administration, where the product supports this. Where possible, the basic configuration should be done with a superadmin account that is not used for regular operation and whose use follows the four-eyes principle.

This ensures that important features, such as logging, cannot simply be switched off by a single administrator.

Some of the functions mentioned above are often not fully available in the standard business edition and require enterprise licenses. This should also be taken into account when choosing a provider.

Organization

General

If a password manager is used, some organizational framework conditions must be clarified in addition to the technical measures.

As with any application, employees should be supported with written instructions and, if necessary, training so that they use the password manager as intended.

It should also be clearly regulated who needs rights to which vaults (shared folders or collections) and who is entitled to approve such requests.

Even though it is helpful to use the password manager on several devices, it must be clarified whether installation on private devices is permitted, because this in turn carries security risks that have to be addressed.


Employee offboarding

Likewise, during an employee's offboarding, or after a successful phishing or social engineering attack, make sure that access to the password manager and the associated 2FA tokens is revoked.
Also bear in mind that employees who leave can note down their passwords before their access is removed and keep using them. Revoking access to the password manager therefore has to be followed by rotating the passwords of the systems they could reach, and a password manager does not replace two-factor authentication on critical systems or other security measures.

This also means that accounts shared by several people should always be avoided: a shared password cannot be attributed to one person and has to be changed and redistributed every time someone leaves.

A password manager can make a very big contribution to helping companies use passwords securely and at the same time making everyday work easier for employees. However, an introduction should be carefully considered and planned so that these goals can also be achieved.
