A Berlin-based security researcher recently discovered a vulnerability in a server database belonging to Voxox that exposed tens of millions of copies of personally identifying information including SMS messages, password reset links, two-factor authentication codes and more. The discovery of the breach had many in the security community wondering why are we still using traditional passwords and SMS as our main source of security when the SMS component of two-factor authentication (2FA) wasn't designed for security at all.
To better understand why traditional passwords aren't effective at protecting users from cyberattacks, Tech Radar Pro spoke with Averon's CEO Wendell Brown.
Why are traditional passwords no longer a viable means of securing our online accounts?
Traditional passwords offer little protection against cyberattacks. According to Ponemon Institute (opens in new tab), the number of hacks in 2017 increased by an average of 27 percent when compared to the previous year. More specifically, the Verizon Data Breach Investigations Report (opens in new tab) found that 81 percent of network breaches leveraged weak credentials showcasing that the security of our accounts can no longer rely on the strength of familiar character combinations chosen for user-generated passwords. Introducing viable alternatives to traditional passwords not only enables companies to combat security vulnerabilities but also bolsters consumer confidence in enterprise efforts to safeguard user privacy.
What makes two-factor authentication vulnerable to hackers?
With the increasing trend of breaches and hacks, encryption and other authentication layers have become the first line of defense in protecting passwords and securing online accounts. However, the SMS messaging backbone of two-factor authentication wasn’t designed for security – it was designed to move text messages. Authentication codes are sent from a network to a phone, giving hackers the opportunity to intercept the message and hijack a user’s account. Simply, it can’t be secured, and has been, and will continue to be, hacked. Consequently, it is imperative for companies to invest in security strategies that provide simple ways for users to prove who they are, while also reducing the risk of a breach.
Are there any ways that online businesses and services can better encourage consumers to use unique passwords with each of their accounts?
Account creation and logins on mobile devices have become sources of terrible frustration for users and cause staggering numbers of incomplete account setups, lost engagement opportunities and abandoned transactions for businesses. Ultimately, encouraging consumers to remember countless unique passwords with each of their accounts across a myriad of websites is not a practical solution or responsible practice.
What is your opinion on password managers and how effective are they at protecting user passwords?
Password managers can be effective, but they have also served as the source of security failure for some of the most highly-regarded platforms. At the end of the day, regardless of the platform you choose, you’re placing all your password eggs in one susceptible security basket. Increasing the complexity of passwords, like including upper and lowercase letters, numbers or symbols, is no longer enough to protect user passwords. Consumers and businesses must consider new solutions to securely eliminate logins.
Google recently revealed that it is using security keys to protect its employees from phishing. Do you think these devices will catch on with average users? If not, why?
Working in conjunction with password managers, security keys can be a powerful tool used to better secure an online account. However, the average user desires simplicity. USB security keys add yet another step of friction for consumers when trying to access their accounts. While additional steps can ensure greater security, they’ve proven discouraging for consumers.
Are there any new technologies or security practices that could take the place of 2FA?
Averon recently released MagicLogin, a solution that enables consumers to create new accounts, login to existing accounts, and securely link data by auto-detecting their verified mobile phone number as the unique account identifier, all while keeping their personal information private. It is a giant leap forward in realizing a greater vision of a secure global standard for digital identity. By bonding an identity to a mobile phone, MagicLogin establishes the phone as a proxy for digital identity. This opens pathways of further innovation — since app and website developers will no longer need to waste energy on creating homegrown, inefficient login systems, they can instead focus on delivering premier customer experiences.
What advice would you give to businesses and consumers trying to improve their security online?
After a year that saw the largest-ever breach of Facebook data, Google+ vulnerabilities and Starwood Hotels reservation systems, consumers and enterprises can only expect to the see the number of hacks and data breaches increase exponentially in the coming year. Because of this, consumers increasingly hold companies accountable for protecting user data and businesses must recognize their responsibility to ensuring consumer privacy. To effectively protect consumer information, businesses must invest in modernizing their cybersecurity standards to evolve away from status quo methods like two-factor authentication and password management that have proven defenseless against prying eyes and malicious activity.
Wendell Brown, CEO of Averon (opens in new tab)
- We've also highlighted the best free password managers