How confident are you that passwords are enough to protect your data as a consumer? Michael Nadeau, senior editor at CSO magazine, believes the best thing you can say about using a password for authentication is that it’s better than nothing. High-profile breaches like Equifax, however, have exposed millions of passwords and user IDs, calling into question even that faint praise. Consumers should assume that at least some of their passwords have been compromised; assuming otherwise creates a dangerous false sense of security.
If you’re still not convinced about the seriousness of password vulnerabilities, consider these points from the Verizon Data Breach Investigations Report:
- Hacking still accounts for the largest percentage of data breaches.
- Eighty-one percent of hacking-related breaches involved either stolen or weak passwords.
Password-only protection is permanently broken, and any organization relying on it is placing its business and reputation at risk. Even if such an organization avoids a breach, awareness of the shortcomings of password protection is much higher now thanks to Equifax. If that’s how you protect customers’ data, they will think twice about trusting you with it.
Alternatives like two-factor authentication (2FA), multifactor authentication (MFA), behavioral analytics, and biometrics have been available for some time, but adoption rates are low. The growing threat of breaches and rising consumer awareness are lowering the primary barriers to implementing these options: user resistance, complexity and ROI.
All these alternatives can be compromised, some more easily than others. Dustin Heywood, senior managing consultant for IBM’s X-Force Red security testing team, shared that all authentication factors (such as a fingerprint, a face or an iris scan) are broken down into bits and bytes, and they are basically a “shared secret.” Because these shared secrets are stored digitally like a password, it is theoretically possible to steal them. The difference is that it’s harder to do so.
The goal is to make it so difficult to gain access that most cybercriminals will look elsewhere for easier pickings. Many companies use a combination of authentication methods depending on the risk, user considerations and value of the data being protected to reach a reasonable expectation of security.
While consumers might be more accepting of more complex authentication to protect health and financial data due to recent high-profile breaches, not all service providers offer the option. “A lot of banks, because of work that was done quite some time ago, think that having security questions tied to an account is a second factor, which it really isn’t,” says independent security researcher Jessy Irwin. “People want an extra layer of protection, and don’t have the option to turn anything on. They have to go to customer service or an account representative or up a chain to even ask for these features.”
Robert Block, senior vice president at intelligence-based authentication provider SecureAuth, thinks the challenge of implementing stronger authentication is not with the technology. It is about getting decision makers to determine the level of acceptable risk, the number of factors to support and the way to present those factors to the end user.
Whether it is a smartphone or something else, requiring ownership of a device for access limits the damage a cybercriminal can do. Harry Sverdlove, co-founder/CTO of Edgewise Networks, believes the most reliable scheme would require something users know (password, answers to security questions), something they have (smartphone, token device), their location, and something they are (biometrics, behavioral analytics).
If you want your data as a consumer to be better protected, companies need to think beyond passwords. Creating more obstacles for a cybercriminal makes it more likely that the attacker will move on to another target.
Ryan Lahti is the managing principal of OrgLeader and author of The Finesse Factor: How to Build Exceptional Leaders in STEM Organizations being published in early 2019. Stay up to date on Ryan’s STEM organization tweets here: @ryanlahti
(Photo: Password, Pixabay)