In an ancient Arabian fairy tale, the magic phrase “Open Sesame” granted Ali Baba access to a cave of stolen riches. Ali Baba learned the password when he overheard thieves using it. He was able to steal the thieves’ treasures, but his brother forgot the password and became trapped in the cave.
It’s been hundreds of years since that story was written, and passwords are still being used to protect people’s valuables. Nevertheless, people today face the same problems as those fictional characters, namely stolen passwords and poor memories.
The Problems with Passwords
Many digital services call for using stronger, more complicated passwords. However, remembering several of these complex passwords is difficult, so people typically use simpler passwords or use the same one over and over again. These simple and repeated passwords are very ineffective security measures.
This problem is not a small one. Verizon’s 2013 Data Breach Investigations Report stated that 76% of security breaches involved weak or stolen login credentials. To put that number into context, hackers were able to steal millions of passwords in 2014.
Changing passwords after the fact doesn’t offer protection, as data is often stolen weeks before the breach is recognized. According to the 2014 Ponemon Cost of Cyber Crime Study, it takes companies about 45 days to handle the aftereffects of a cyber attack. These attacks have an average cost of $12.7 million.
Improving User Authentication
In light of these problems, IT experts are looking for new ways to enhance the security of a user’s accounts. Some experts even recommend eliminating passwords completely. However, their password-free solutions are extremely hard to implement, and therefore are unlikely to be adopted in the near future.
The US National Strategy for Trusted Identities in Cyberspace (NSTIC) has a similar problem. This plan calls for the creation of one centralized, government-run system that manages user information for a wide array of services. However, the plan lacks widespread support, which is unsurprising given the recent revelations about the NSA. Similar proposals in other countries would likely be just as unpopular.
The government is not the only one working on a solution to the problem of account security. An industry consortium is also developing a new approach. This consortium, which is called the Fast Identity Online (FIDO) Alliance, has a number of major IT companies on its list of members, including Google, PayPal, and Microsoft.
The consortium has developed two new proposals for user authentication, Passwordless UX and Second Factor UX. Both proposals are built upon the concept of multi-factor authentication, an authentication scheme that involves the use of multiple forms of identification.
Passwordless UX calls for getting rid of passwords entirely. Instead, people would use biometric indicators as the means for proving their identities. These indicators might include fingerprints, retina scans, voice analysis, and even the electrical activity of a person’s heart.
Second Factor UX would require the use of a USB dongle, in addition to username and password. After logging in using the username and password, the user would be prompted to insert their authentication dongle into the USB port of the computer. The addition of the authentication dongle to the traditional username and password substantially increases the effort required to compromise an account, and strongly resists common phishing attacks.
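The Second Factor UX step described above, as an added Python model that is neither the article’s nor the FIDO Alliance’s own code: an HMAC keyed by a per-origin secret stands in for the dongle’s per-site key pair and signature, and the origin and user names are constructed. It shows why the dongle resists phishing: the token signs the server’s challenge together with the origin the browser actually reports, so a response obtained through a look-alike site fails verification at the real server, and a captured response cannot be replayed.

```python
import hashlib
import hmac
import secrets

class Token:
    """USB second factor: per-origin keys derived from one master secret that never leaves the device."""
    def __init__(self):
        self._master = secrets.token_bytes(32)
        self.counter = 0                       # increments on every signature

    def key_for(self, origin):
        """Per-origin key; given to the relying party at enrollment (stand-in for a public key)."""
        return hmac.new(self._master, origin.encode(), hashlib.sha256).digest()

    def sign(self, origin, challenge):
        """Sign the challenge bound to the origin the browser says it is on."""
        self.counter += 1
        msg = origin.encode() + challenge + self.counter.to_bytes(4, "big")
        return self.counter, hmac.new(self.key_for(origin), msg, hashlib.sha256).digest()

class Server:
    """Relying party: issues fresh challenges and verifies origin-bound responses."""
    ORIGIN = "https://bank.example"            # constructed origin
    def __init__(self):
        self.keys, self.counters, self.pending = {}, {}, {}

    def enroll(self, user, token):
        self.keys[user] = token.key_for(self.ORIGIN)
        self.counters[user] = 0

    def challenge(self, user):
        """Issued only after the username/password step has succeeded."""
        self.pending[user] = secrets.token_bytes(32)
        return self.pending[user]

    def verify(self, user, counter, sig):
        challenge = self.pending.pop(user, None)
        if user not in self.keys or challenge is None or counter <= self.counters[user]:
            return False                       # unknown user, no outstanding challenge, or replay
        msg = self.ORIGIN.encode() + challenge + counter.to_bytes(4, "big")
        expected = hmac.new(self.keys[user], msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False                       # signed for another origin (phishing relay)
        self.counters[user] = counter
        return True

def login(server, token, user, browser_origin):
    """Second-factor step as the user's browser at browser_origin performs it."""
    counter, sig = token.sign(browser_origin, server.challenge(user))
    return server.verify(user, counter, sig)
```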
The consortium’s plans are relatively new, having only been announced in December 2014. However, the support of several key players in the IT industry makes them a promising alternative to contemporary means of user authentication.
How to Protect Accounts in the Present
While the FIDO Alliance’s industry-wide effort is still in the early stages, there are plenty of other ways to incorporate multi-factor authentication into a company’s IT strategy. Multi-factor authentication is highly recommended by the majority of IT experts, and it can significantly boost the security of a company’s accounts.
Companies should also promote the use of stronger passwords. Users should stop using obvious passwords and should not use the same password with multiple accounts. Since most people have trouble remembering their passwords, many experts recommend using a password manager.
A password manager keeps track of all of a user’s passwords in one vault. Users unlock the vault with a single master password, and from there, they can access any of their other accounts. People with password managers only have to remember one password, but don’t have to suffer the risks involved in using the same password for multiple accounts.
Multi-factor authentication, password managers, and better password protection protocols are currently the best means for a company to improve the security of its accounts. As such, they should be strongly considered by all businesses, no matter how large or small they may be.