Last September, Google’s manager of information security Heather Adkins made a statement during a panel discussion that made headlines around the world: “Passwords are dead.”
For most people, passwords are a fact of daily life. Almost everything we do online, from accessing email to reading the news, requires us to enter a username and password. For the most part, requiring users to enter a specific password does an admirable job of keeping accounts and data safe.
However, when things go wrong, they go spectacularly wrong. Recently, a number of high profile security breaches have exposed of millions of username and password combinations to cybercriminals, who then stole money and information, gained access to corporate networks and generally wreaked havoc. In the wake of these breaches, consumers were directed to change their passwords and monitor their accounts for any suspicious activity.This is usually a solution— at least until the next breach occurs.
Understanding the Problem
We’ve all seen the reports about password management. Despite the warnings, many people fail to properly secure their accounts, though. For example:
• Most people use just a few passwords.It’s too difficult to remember multiple passwords. But often, when one password is stolen, a hacker could gain access to additional accounts using those credentials.
• Many passwords aren’t strong enough. Let’s face it: It’s easier to remember your child’s birthday or your wedding anniversary than “Xi89PL!” Despite warnings, many users continue to use easily guessed combinations of letters and/or numbers, or dictionary words, for their passwords. Hackers are becoming more sophisticated every day, making these passwords a snap to steal.
• Not all users lock their accounts. Do you save your passwords to make it easier to log in? It’s convenient, but it’s also risky.
• Servers aren’t always secure. You might be doing everything right when it comes to password creation and management, but if the server that stores your password isn’t completely secure, it won’t matter. As the recent Heartbleed bug revealed, there’s always potential for a security vulnerability that will expose your data without you even realizing it.
Given that there are so many risks associated with passwords, what is the solution? According to experts, there are a number of ways to effectively secure and protect data, including multi-factor authentication.
2FA, Active Authentication and Biometrics
By now, most people are familiar with the concept of two factor (or multifactor) authentication. In order to gain access, one must provide a combination of something they know, something they have and something they are. By requiring an additional token, one-time use code or individual feature, like a fingerprint, it’s all but impossible for a cybercriminal to gain access to an account with nothing more than a stolen password.
Multi-factor authentication is one of the easiest ways to increase security (and it’s already in use by some of the most popular websites online, including Google, Facebook and Twitter.) However, additional forms of security are also in the works to better protect individual devices.
For example, touchscreen technology and biometrics require a physical match in order to grant access. Biometrics relies on your unique fingerprint or iris patterns; a fingerprint scanner will take an image of your finger and attempt to match the unique markers of your print to a “template” stored in the database of authorized users.
Touch screen technology may use biometrics, but some devices rely on “swipe” technology. The user can set the device to unlock only when the correct swipe pattern is entered. You might have to touch a series of points on a photograph, for instance, or correctly recreate a particular pattern using your finger. Some critics of this technology note that it is possible for a sophisticated criminal to determine the swipe pattern by following the pattern that your finger oils leave behind over time. However, for many users, such technology is effective when used with passwords.
Finally, another type of security that is still in development is active authentication. This advanced security technology relies on cognitive signals to determine whether the user is authorized or not: By gauging how fast one reads a page, or the speed or pressure on the keyboard, the device will be able to tell when a user isn’t authorized — and will lock down accordingly. We are still years away from this type of technology becoming widespread, but some predict that it will revolutionize the IT security landscape.
Until your smartphone can determine whether it’s really you or not based on how fast you read your Facebook feed, it’s important to employ other security measures. Follow password best practices, realizing that they may not fully protect you, and consider using a multi-factor authentication solution when available. You’ll keep your data safe and out of the hands of nefarious criminals.