Moving beyond passwords and 2FA


Since the beginning of IT, the humble combination of a username and password has secured our access to information. In today’s digital world this model is still the norm for both consumers and employees logging in to websites, applications, VPNs and cloud services. But it’s time for an urgent rethink, because the model is broken.

Contrary to popular belief, the problem isn’t really hackers’ brute-force attacks cracking passwords, although this does happen. The real issue is the number and frequency of data breaches in which user credentials are leaked and then put up for sale on the dark web. In fact, according to Verizon’s latest breach report, 80% of hacks today aren’t really hacks at all, but bad actors simply logging in with valid user credentials they’ve obtained elsewhere.

It doesn’t matter how well we secure the pipes with strong encryption or how effective a Security Operations Centre (SOC) is: if someone can easily obtain credentials and log in ‘legitimately’, our best efforts have gone to waste. Passwords are also the root cause of a terrible and stressful user experience, which might go some way to explaining why younger generations appear to have given up on applying them properly.

About the author

Ben Todd is Head of Worldwide Sales at Nomidio 

Password habits are getting worse, not better

You might imagine that digital natives, those younger generations born into a connected world, are more able to protect themselves online. Unfortunately, new research we commissioned confirms that younger generations have significantly riskier password habits than their parents, with 24% of those aged between 24 and 38 (Millennials) using the same password for all their accounts, compared to just 2% of baby boomers.

With 14% of younger generations reporting that they have never changed their password, it’s easy to see how the bad guys can use credentials stolen from one place to log in somewhere else. Perhaps worse still, it is now common for young people (62%) to voluntarily share credentials for services like Netflix with friends and family, often sending them over unencrypted email or messaging accounts.

The purpose of this research isn’t to bash the young but to highlight that the way we ask people to authenticate today is too cumbersome for users and is in fact the root cause of the booming identity theft industry. It is telling that analysts from Gartner said in a recent report: “Data breaches of personally identifiable information (PII) are rendering checking of static identity data (usernames and passwords) obsolete”.

2FA to the rescue?

The logical response over the last few years has been to layer additional ‘factors’ on top of the password. By asking people to validate their identity based on ‘something they have’, for example by entering a one-time passcode sent to their mobile phone or email, we can make life much harder for hackers.

Two-factor authentication, or ‘2FA’, has grown in popularity and is now an integral part of the Strong Customer Authentication requirements for e-commerce payments. The majority of large companies also ask employees to use 2FA when logging in.

Unfortunately this makes a poor experience even worse as it really doesn’t make sense for someone’s identity to be tied to their device. What happens if you’re trying to log in to a work application to make a deadline while you’re out on the road and your phone runs out of battery? Or you use an authenticator app and then you lose your phone? Perhaps this is why only 25% of respondents to our survey said they regularly enable 2FA when it’s an option.

There are also question marks over how much longer 2FA will hamper the bad guys, with a number of recent phishing attacks evolving to trick users into voluntarily disabling their 2FA protection. The problems with identity require root-and-branch reform; 2FA is a nice try, but we need to be far more ambitious.

Are multi-factor biometrics the answer?

A multi-factor authentication approach based on biometrics has the potential to deliver a step-change in security and the user’s experience. In a world where employees are logging on across public networks, from anywhere, we can no longer offer them a ‘perimeter’. Instead we must invest in modern authentication that helps users to securely and easily access services whenever and wherever they want.

Rather than asking users to remember a password, we store their biometric identifiers, a voice print and a face print, so we can authenticate against those from any device they’re logging in on. We combine the biometric check with additional ‘silent’ factors that increase security still further. So from the user’s perspective, all they need to do is present their face and they’re in.

With underlying protocols like OpenID Connect, website, application or cloud service providers can easily allow an identity provider to add biometric authentication on top of their systems. For the user this makes their biometric identity widely interoperable, and behind the scenes it works in exactly the same way as logging in with Facebook or Google.
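The relying-party side of that federation, as an added example that is not code from Nomidio or from the article: the service validates the OpenID Connect ID token it receives (HS256 keyed by the client secret, which OIDC Core permits and which keeps the example offline), then refuses the login unless the identity provider's `amr` claim (RFC 8176) asserts a biometric method together with multi-factor authentication. The issuer, client id, secret and claim values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# RFC 8176 "amr" values that denote a biometric check (face, fingerprint, iris, retina, voice)
BIOMETRIC_AMR = {"face", "fpt", "iris", "retina", "vbm"}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_id_token(claims: dict, client_secret: str) -> str:
    """Constructed stand-in for the identity provider: mint an HS256-signed ID token."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(client_secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_id_token(token: str, client_secret: str, issuer: str, client_id: str,
                      nonce: str, now=None) -> dict:
    """Relying-party check: signature, issuer, audience, expiry, nonce, then the amr policy."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept alg=none or an algorithm switch
    expected = hmac.new(client_secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != issuer or client_id not in audiences:
        raise ValueError("token not issued by our IdP for this relying party")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: possible replay")
    amr = set(claims.get("amr", []))
    # Policy from the article: a biometric factor plus further silent factors, so require both.
    if not (amr & BIOMETRIC_AMR) or "mfa" not in amr:
        raise ValueError(f"IdP did not assert biometric MFA: {sorted(amr)}")
    return claims
```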

With a well-engineered biometric authentication service we can also decouple someone’s identity from their device. We often describe this as ‘the Netflix effect’: because the biometric check happens in the cloud rather than locally on a device, a user can move between their laptop, phone or a third-party device and still log on using their face.

People have understood for a number of years that biometrics hold the answer to more secure authentication, but it’s been hard for all but the largest companies to deploy the technology. The economics and complexity are improving, though, and we believe we’re a great example.

If we’re serious about tackling identity theft and data breaches then we must transition away from usernames and passwords because they’re the reason that people need to store their personally identifiable information with lots of organisations. It’s that personal information that’s lost and which is then used to perpetrate more hacks.

Ben Todd, RVP EMEA Security Sales at Dynatrace.