It’s Time to Stop Relying on Passwords to Protect Our Information Online

For years, consumers have had to make do with just a simple username and password standing between their sensitive information and the rest of the internet. While this may have sufficed in the early days of ecommerce, the rampant growth of phishing and other fraudulent activity tells us this is no longer the case.

For businesses everywhere, this change has created important questions about how to protect sensitive information in a cost-effective manner, without compromising on customer usability and convenience.

Mass adoption of mobile is one of the keys to more robust online security 

Mass adoption of mobile devices around the world means organizations can implement more robust, two-factor or multi-factor authentication systems without having to worry about the high cost of providing the devices to consumers themselves.

Under a two-factor authentication system, traditional usernames and passwords remain the first identity verification step, but users are then required to input a second authentication factor to further verify who they are.

Typically, this involves sending a unique code or password to the user’s mobile device, which must be input alongside the user’s credentials in order for access to be granted. Multi-factor authentication systems add a biometric type of factor such as fingerprint, which is used on the iPhone TouchID system.

Mobile-based authentication is gradually becoming the benchmark standard for online businesses, which is great news for consumers and their data. However, it is not without its issues. Mobile devices are not always secure and unfortunately, a growing volume of malware is being specifically programmed to target them, and such malware can allow criminals to scrape verification codes directly from the devices if they are sent over the data network.

Taking it a step further

So what’s the solution? One option is to add a biometric layer to the authentication process, such as fingerprint or facial recognition technology. This could further boost security, with minimal impact to user experience.

As pointed out in a recent Gartner report “Smartphone devices can make use of network-based push notification services that provide a secure out-of-band authentication channel. Authentication servers send notifications via the smartphone OS vendor. These messages are routed to a preregistered device and awaken a local app that can further authenticate the user via contextual information, PIN/password or biometric method. After successful local authentication, the app notifies the requesting authentication service of success, which completes the out of band (OOB) loop.”

High-end smartphones do indeed offer these capabilities, but until they are more widely available, biometric authentication is unlikely to be a viable solution for the majority of consumers. 

Behavior based monitoring will become the ‘new normal’

The rise in demand for multi-factor authentication has accelerated in recent months as businesses wake up to the threat posed by online criminal activity. But just as some are catching up, the most forward-thinking organizations are already looking to take their security practices one step further. One way they are doing this is by implementing solutions that offer adaptive risk authentication and continuous security.

As robust as multi-factor authentication is becoming, it still relies upon a lock and key approach to online security. This means that once someone is through the front door (i.e. they have gained entry to the account), there are usually no other obstacles between them and the sensitive data contained within. Adaptive risk authentication and continuous security approaches take a more progressive, on-going view of online security, meaning that just because someone has gained access to an account, this doesn’t mean they have free rein of the data.

What does this mean in practice? Adaptive risk authentication creates a score of user behavior based on key criteria such as IP address, device ID, number of failed login attempts etc., in order to establish if it is consistent with established ‘normal’ user behavior patterns.

Any deviations result in a higher risk score, which triggers additional security questions, re-authentication, or if necessary, the removal of the token assigned to the online session. Importantly, the algorithms responsible for scoring each session run silently in the background, meaning that the user is only made aware of them if their behavior is deemed to be suspicious. As such, the user experience is not compromised in any way, despite the higher levels of security in place.

Usernames and passwords are not dead just yet. They will continue to have their place online for a while, but what’s increasingly obvious is that in isolation, they are no longer enough to keep sensitive information safe.

Thankfully for consumers, adding advanced security – such as multi-factor authentication, adaptive risk and continuous security – is increasingly becoming table stakes for business today. Inevitably, even the most robust lock-and-key solutions will ultimately give way to more reliable behavior-based monitoring, as the fight to keep sensitive data secure online continues to evolve over time.

What’s Hot on Infosecurity Magazine?