Pick a number, any number, or any combination of numbers, letters and special characters, just not 12345678, password, or admin. Most of us have multiple passwords that we need to remember just to get through an average day; many of those passwords have already been guessed or are for sale on the black market.
The way we’ve been managing passwords just isn’t working, and the United States National Institute of Standards and Technology (NIST) has made some recommendations for best practices for user password management to try to address the situation.
The new recommendations include removing periodic password change requirements, which many people currently address by creating a rotating set of passwords so they can keep track of them all. Requiring all passwords have multiple cases, numbers, and symbols is also going by the wayside, as most people chose ever-simpler passwords to try to minimize their own confusion.
NIST also recommends requiring the screening of new passwords against lists of commonly used or compromised passwords, an easy task everyone can perform via search engine.
To strengthen security, though, most applications require more than passwords. Just logging into a news website requires both a username and password. For more secure sites, a username, password, and additional identifying code is required.
With the ever-increasing activities on our mobile devices, multi-factor authentication – which is becoming mandated by regulations across industries – takes authentication a step further.
Multi-factor authentication is a combination of something you know, something you have, and something you are. Something you know – username, password, identifying code – is “easy.” Something you have is usually a token or an SMS sent to your mobile device, by which you can receive one-time usage codes. Something you are may require additional hardware, such as a fingerprint reader, or leverage existing hardware, like the camera or touchscreen.
The complexity of authentication is becoming such a hassle that many people give up before they get to the point of performing a transaction. Not only that, but most authentication delivers only a one-time authentication, which means an app can be hijacked immediately after log-in by malware that lie in wait, leading to fraud or data theft.
Passwords and one-time multi-factor authentication ultimately aren’t going to cut it – they can all be hacked and hijacked. They also are massively cumbersome and interfere with the user experience.
A solution does exist: behavioral biometrics. While behavioral biometrics is a subset of “what you are” in multi-factor authentication, it adds an additional layer of security because it ensures continuous authentication from initial login to the final transaction.
Behavioral biometrics works behind the scenes, analyzing exactly how you interact with your devices, such as the pressure of your finger on the screen, how quickly you type, the angle at which you hold the phone, and many other parameters that leverage the existing technology on your phone. The combination of these behaviors is used to provide a trust score, allowing the transaction “owner” to automatically assign the level of transactions you can perform during that specific interaction. If the trust score is low, it’s probably not you initiating the transaction.
If the score is high, then you’ll be eligible for the full rights and privileges you have earned as a customer, because the “owner” reduced their own risk by knowing it’s you.
Meanwhile, the consumer has no idea that it’s going on behind the scenes, so the app provider doesn’t need to educate or bother the customer about how to interact with new security requireme6nts nor do they need their customers to sign up for anything.
Behavioral biometrics activities cannot be hacked or duplicated, as no one can imitate exactly how another person uses their phone. As an additional benefit, automated bots are even easier to detect and stop because they have no characteristics that identify them as a human. Behavioral biometrics eliminates the need to register individual users on a shared device, as each profile can be linked to a specific user simply based on their physical interaction with the devices.
In certain circumstances and locations passwords might still be part and parcel of the experience, but as we increase our interactions with mobile devices and IoT grows to where we all have smart cars and appliances, those devices, too, will recognize us by our touch not our username, password, and additional security codes.