Password hygiene, the perennial weak link when it comes to data security, has gotten so endemically bad that replacing or augmenting passwords with new ideas like biometric readers is quickly becoming a mainstream strategy.
Case in point is Verizon Enterprise Solutions, the business arm of the US telco incumbent, which has developed a QR code log-in that allows users to quickly scan a QR code with their smartphone to gain access to a website or application without a user name or password. QR codes are, of course, those square, black-and-white barcode-like graphics that can be found these days on everything from mobile boarding passes to movie posters.
“Lost and stolen passwords remain the number one way that systems are compromised,” said Tracy Hulver, chief identity strategist for Verizon, in a statement. “We continue to see user names and passwords fail as a secure way to log in, no matter how complex the password. With Verizon’s QR code log-in, we are making progress in protecting users without increasing the hassle, headache or expense for the user and the enterprise.”
The evidence isn’t simply anecdotal: According to Verizon’s own 2014 Data Breach Investigations Report, two out of three data breaches are attributable to lost or stolen user names and passwords, or both. Hashcat, a freely available password cracker, just released a version that can handle passwords and phrases typically up to 55 characters in length.
New approaches to passwords continue to be developed. For instance, earlier in the year a researcher proposed a geographical authentication approach. Using location maps and mark-up capabilities, a user can place a circle around a favorite mountain, or a polygon around a favorite set of trees. No matter how geographical areas are selected, the geographical information that can be derived from these areas (such as longitude, latitude, altitude, areas, perimeters, sides, angles, radius or others) forms the geographical password.
In the VES case, the QR code approach is a new feature of Verizon’s Universal Identity Services portfolio, which users can log into directly from a participating web page. After registering, users can download to their smartphone a mobile app that scans a dynamically generated QR code on the log-in page. Once the user’s identity is confirmed, he or she is authenticated to the website.
The QR code log-in can be used alone, as a “scan and go” approach, or combined with a PIN or password for transactions that require stronger security.
“The beauty of the QR code is its flexibility,” added Hulver. “It can be used alone or with other stronger measures to give enterprises and their users just the right level of security simply and easily.”
Verizon’s Universal Identity Services provides cloud-based, multi-factor authentication for businesses that need to provide secure user access. It offers three levels of identity strength, from a basic identity to a very strong identity. For example, to access an online account a consumer can use a basic strength identity, but to perform a financial transaction or access sensitive records, a stronger ID can be established that requires the user to provide additional data for identity verification.
As part of the mix, “the QR code log-in is ideal for all types of end-users, including customers, employees and business partners,” the company said. “It also helps to reduce fraud, phishing attacks and can even reduce unnecessary expenses associated with help desk support and password resets.”