Another day, another data breach… We’re 121 days into 2019 and 27 mass data breaches have already come to light according to breach tracking website Have I Been Pwned. And those are just the big ones. Data from Statista shows that 1.24 million breaches occurred in the United States alone in 2018.
This compromised data usually ends up on the dark web, where it is sold on to cybercriminals who use these login details to carry out credential stuffing attacks in an attempt to gain access to unsecured user accounts.
We’ve all heard the advice – don’t use the same password for two services; don’t use simple or frequently used passwords; use special characters and numbers. Yet, according to the National Cyber Security Centre, this advice continues to fall on deaf ears – 3.6 million people use “password” as a password, while 23.2 million opt for “123456”.
“It’s clear that passwords alone are no longer enough, which is why there is an increasing need to evolve the intelligence, strength and complexity of the systems that work alongside passwords,” said Mark Crichton, Senior Director of Security Product Management for OneSpan.
Even the most complex of passwords aren’t protected against poor company cybersecurity, says Vince Warrington, CEO of Protective Intelligence: “Although long, complex passwords might take longer for a hacker to crack, the fact remains that passwords, no matter how elaborate, are increasingly being stolen in large cyberattacks.”
“The IT and security industries are well aware that better forms of authentication are needed to protect our data in an increasingly hazardous online world, and many are working tirelessly to create a variety of new solutions to make identity authentication a harder process for cybercriminals to infiltrate.”
Alternatives to traditional password authentication
“Eventually, passwords will become obsolete, and new authentication techniques leveraging social logins, single-sign-on, and biometrics will start gaining more traction,” Nabil Hannan, Managing Principal for Synopsys, believes.
It is generally accepted that text passwords alone are no longer a viable way to secure online accounts, as highlighted by the increasingly large data dumps of user credentials finding their way onto the dark web.
Yet, for all of the problems that come with passwords, finding a solution that improves security without impacting the user experience is proving a challenge.
“No perfect solution exists today,” said Javvad Malik, security advocate for AT&T Cybersecurity. “It comes down to a balancing act between making a service available, and risking controls that are so prohibitive that they impact the user experience.”
So what security solutions are currently being worked on that could improve security without disrupting the user experience?
Biometrics are becoming more widely used as a form of protection in the smartphone market, with consumers now able to unlock their devices using fingerprints and facial recognition technology. Iris scanners and voice recognition technology are also starting to make an impact.
While biometrics are often tipped as the future of passwords, experts are quick to note one major flaw – just like passwords, biometric data can be stolen too.
“Passwords have one simple advance on biometrics,” Jake Moore, a cybersecurity specialist for ESET, told Verdict. “If your password ever gets compromised, there are an infinite number of replacements available. However, once your biometrics are compromised, there are only another nine fingerprints to choose from.”
However, biometric verification doesn’t have to rely on your physical appearance alone, Melanie Jones, Product Director for Cybersecurity at Global Knowledge, explains. As well as physical characteristics, behavioural characteristics “such as the rhythm of typing or our voice” can also be used to provide a line of defence against hackers.
Yet, despite the potential of biometrics, some feel that past failures to adequately protect user data could stand in the way of enterprises turning to biometrics.
“Biometrics has clear use cases on a personal level for users to securely access given services or information,” Karl Lankford, Lead Solutions Architect for BeyondTrust, told Verdict. “Though large organisations may struggle to implement such measures as more and more people become concerned about their privacy and the rights they have with their data.”
A recent study commissioned by software company Nuance, which quizzed 1,000 adults in the UK, suggests otherwise – some 64% say that they are comfortable using the technology, with 35% already relying on some form of biometrics technology.
A big part of the password problem is the difficulty that enterprises face in protecting data.
A recent study found that over half of European companies have been targeted by cybercriminals in the past two years, while one cybersecurity expert told Verdict that “it’s likely that every living human on the face of Earth has been hacked”.
Rather than improving the password habits of users, age verification platform AVSecure feels that it is enterprises that need to take more action to secure login credentials, and it proposes blockchain technology as a potential way to do so.
“Password protection, which all too often relies on memorable – and therefore easily guessable or hackable – words and phrases, offers only a basic level of security that falls woefully short of what is necessary when it comes to safeguarding highly sensitive data against malicious intent,” Stuart Lawley, CEO of AVSecure, told Verdict.
“With that in mind, it’s time instead to move towards more cryptographically assured methods of security – one of which is private blockchain technology.”
By leveraging private blockchain technology, the user’s browser becomes the central point for storing login information rather than the service provider’s servers. This means, in the case of a data breach, the user’s private account information will remain secure.
A multi-layered approach
While passwords come with their problems, experts generally feel that they still present a valuable defence against hackers.
“While there are undoubtedly weaknesses within traditional passwords, the ease of use, compatibility, and low-cost still make them a feasible offering for the foreseeable future,” Malik insisted.
Yet, with teaching internet users to use good password practices proving to be an impossible task, many recommend a multi-layered approach.
“For many IT professionals, the answer lies in some form of multi-factor authentication procedure,” Warrington said.
Multi-factor authentication is already growing in use, requiring users to approve login attempts via a second device, and many feel that combining this with alternative methods, such as biometrics, would provide a solid defence.
However, it adds another step for account owners that many may be unwilling to take. According to Warrington, going password-free while keeping the secondary verification of two-factor authentication could be a possible solution.
“What seems to tick both boxes here is the emergence of new, password-free, mobile push-based authentication systems, which increase security but do not impact on customer experience,” Warrington said.
These systems ask new users to scan a QR code with their mobile device, which creates a link between the user account and the mobile device. When the user next logs in, a push notification is sent to their phone asking them to grant access to the account.
“These messages are sent using a different network – generally, the cellular network – making interception by malware or other criminal monitoring of data activity very difficult,” Warrington explained.
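The enrolment-and-approval flow Warrington describes, as an added illustration that is not the article’s own or any vendor’s code: the QR payload scanned at enrolment, the per-login challenge pushed to the phone, and the server-side checks that make a tapped approval single-use, time-limited and bound to the enrolled device. The article does not say how the phone is bound to the account; this assumes a shared per-device secret carried in the QR payload and an HMAC-SHA256 approval tag.

```python
import hashlib, hmac, json, secrets, time

# Constructed simulation. The article does not specify the binding mechanism, so this
# assumes the QR payload carries a per-device secret and that an approval is an
# HMAC-SHA256 tag over a server-issued, single-use challenge.

def approval_tag(secret: bytes, cid: str, account: str, nonce: str) -> str:
    """Tag the phone computes when the user taps 'approve' on the push prompt."""
    msg = f"approve|{cid}|{account}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class PushAuthServer:
    def __init__(self):
        self.devices = {}   # account -> secret shared with the enrolled phone
        self.pending = {}   # challenge id -> (account, nonce, expiry time)

    def enrol_qr_payload(self, account: str) -> str:
        """QR payload a new user scans; it carries the account/device binding."""
        secret = secrets.token_bytes(32)
        self.devices[account] = secret
        return json.dumps({"account": account, "secret": secret.hex()})

    def start_login(self, account: str, ttl: int = 60, now=None) -> dict:
        """Create the challenge that is pushed to the phone for this login attempt."""
        now = time.time() if now is None else now
        push = {"cid": secrets.token_hex(8), "account": account, "nonce": secrets.token_hex(16)}
        self.pending[push["cid"]] = (account, push["nonce"], now + ttl)
        return push

    def finish_login(self, cid: str, tag: str, now=None) -> bool:
        """Accept an approval only if its challenge is pending, unexpired and unused."""
        now = time.time() if now is None else now
        entry = self.pending.pop(cid, None)      # pop => each challenge is single-use
        if entry is None or entry[0] not in self.devices:
            return False                         # unknown, replayed, or unenrolled account
        account, nonce, expires_at = entry
        if now > expires_at:
            return False                         # stale prompt: user must start a new login
        expected = approval_tag(self.devices[account], cid, account, nonce)
        return hmac.compare_digest(expected, tag)


class Phone:
    def __init__(self, qr_payload: str):
        data = json.loads(qr_payload)            # what scanning the QR code yields
        self.account, self.secret = data["account"], bytes.fromhex(data["secret"])

    def approve(self, push: dict) -> str:
        return approval_tag(self.secret, push["cid"], push["account"], push["nonce"])
```

Because the challenge is popped on first use, a captured approval cannot be replayed, and a phone enrolled against a different server cannot approve for this one.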
Passwords take the blame for poor practice
Passwords have had a tough time of late, often through no fault of their own, but we should give credit where credit is due – passwords have served us well for this long, despite our best efforts.
“The traditional password can still provide adequate security; it’s the way that most of us currently create and use passwords that isn’t adequate,” Oz Alashe, CEO of cybersecurity awareness platform CybSafe told Verdict.
Password reuse is still rife, while internet users still too often opt for simple, easy-to-crack passwords that continue to put them at risk of brute-force attacks.
Technology may offer new ways to protect our online accounts, but the most immediate way to improve account security is to use passwords properly.
“Fingerprints, voice and facial recognition are increasingly being touted as go-to methods of securing devices and services. And while these are a useful short-term boost to improve usability and accessibility, they are also a risk,” Matthew Aldridge, Senior Solutions Architect at Webroot, stressed.
“Passwords may be older than the devices and services we use them on, but they are still an effective cyber defence if used in the right way.”