Among the many cybersecurity lessons we learned in 2017, the vulnerability of plain passwords was a recurring one. Every year, millions of usernames and passwords are stolen and sold in dark web markets, and as a result, many unsuspecting users fall victim to data theft, social engineering scams, identity theft and other cyber attacks. In this regard, 2017 was no different.
But what will probably be different in 2018 are the user authentication methods that will help mitigate password vulnerabilities. Thanks to more convenient and robust two-factor and multi-factor authentication mechanisms, organizations will finally be able to provide their customers and employees better security without causing friction and downgrading the user experience.
The Importance of Two-factor Authentication
According to Verizon’s 2017 Data Breach Investigation Report, 81 percent of hacking-related breaches are caused by poor password practices. This can happen when users choose a weak password that is easily guessed, or when they unknowingly hand it over to the wrong person as a result of a phishing scam.
Organizations also contribute to password-related breaches when they store passwords in plain text or with weak hashing or encryption.
Two-factor and multifactor authentication (2FA/MFA) add extra layers of security to online accounts to prevent intruders from accessing them in case they obtain the passwords. 2FA/MFA reduce the chances of human error leading to security breaches.
There are several reasons that organizations should be looking for reliable 2FA/MFA in 2018. Several data privacy and security laws are looming on the horizon, most prominent among them the EU’s General Data Protection Regulation (GDPR). The GDPR, which goes into effect in May 2018, will hold organizations to account for the protection of user data, and will impose heavy fines (up to $20 million) on those who fail to comply. 2FA/MFA provides a sturdy line of defense against the wholesale theft of user information.
Meanwhile, growing awareness of data security and privacy will lead customers to set up their accounts where they will be better protected against hackers and scammers. Users increasingly see 2FA/MFA as a must-have for sensitive accounts and will favor companies that implement it. Businesses too will look for sound security practices in potential partners, especially if they will be storing sensitive information in shared databases.
The Elements of Authentication
To better understand and assess how to protect the online accounts your organization handles, here’s a breakdown of the key methods for authenticating users.
Good old passwords
This is the classic method of verifying user identities, dating back to the Roman military era. Passwords, passcodes and personal identification numbers (PINs) are a fixed number of letters, digits and characters that users have to memorize and present every time they want to log into the system. The main problem with passwords is that anyone who can steal them or guess them can effectively impersonate the user in question and access the sensitive information they store in their online accounts.
Hardware authentication
Hardware authentication involves the use of physical devices, such as OTP tokens or security keys, that generate unique cryptographic codes. Users have to present the hardware key to their computer or mobile device after they enter their password when logging into their account. Without the hardware key, a potential hacker who has acquired a user’s password won’t be able to log in. The problem with hardware keys is that they can be stolen or lost, which will lock users out of their account or give the finder access to it.
Software-based 2FA
Software-based 2FA involves the use of a mobile app or desktop application that generates one-time passwords (OTPs) at fixed time intervals or every time a login attempt is made. Users have to enter the OTP in addition to their password when logging into their accounts. Examples include the Google and Microsoft Authenticator apps. Without the associated device and the installed app, someone who has the password to an account won’t be able to log in. The problem with software-based OTPs is that they can be stolen, intercepted or replayed by a resourceful hacker.
SMS-based 2FA
SMS-based 2FA links a phone number to a specific account. Every time a user tries to log into their account, an OTP is sent to the associated phone number, and the user has to enter the code to access the account. SMS authentication is considered extremely insecure, since messages can be intercepted or forwarded to other phone numbers with little effort.
Biometrics
Biometrics involve the use of devices such as fingerprint scanners, retina scanners, and facial and voice recognition technologies to verify the identity of the user. While biometric authentication was previously an expensive and specialized commodity, advances in smartphone hardware have made it much more accessible to consumers and businesses. The problem with older biometric authentication systems was that they could easily be spoofed with still images or videos, or replicated with fingerprints lifted from objects. More recent biometric authentication technologies, such as Apple’s Touch ID and Face ID, are more resilient to hacking and spoofing.
What to expect in 2018
With high-end smartphones becoming increasingly ubiquitous across the consumer and professional landscape, we can expect out-of-band authentication and multi-factor authentication mechanisms to transition from specialized hardware toward mobile devices.
Most mobile devices now have built-in technologies that, combined with the right software solutions, can provide secure and easy-to-use authentication mechanisms.
Secure mobile authentication will provide users with a familiar and intuitive experience, resulting in frictionless adoption and lower costs of implementing new authentication mechanisms, including in areas such as help desk support and hardware acquisition and updates.
The rise of passwordless authentication
We will eventually see the rise of passwordless authentication: technologies that no longer involve the use of passwords or other persistent secrets. Passwordless authentication offers a good combination of user experience and security:
- No need for secrets: Users don’t need to remember passwords, and organizations don’t need to store them. There’s also no need to exchange passwords during authentication, which is itself a source of vulnerability.
- Better user experience: Authentication takes less time, and users are spared the burden of managing passwords, which matters since the average user owns dozens of online accounts.
An example of passwordless authentication is the Secret Double Octopus authentication solution. Secret Double Octopus uses a zero-knowledge, multi-channel, out-of-band authentication mechanism that is resilient to various types of attacks. Users can access multiple accounts through the Octopus Authenticator app while administrators have a centralized, organization-wide control over the security of their employee accounts in the solution’s server application.
Find out more about Secret Double Octopus security here.