In this article, Alexey Khitrov, president and CEO at ID R&D, discusses how, across industries, the central focus of authentication is to verify users quickly, painlessly, and, above all, accurately. Driving this is the rapidly growing number of connected accounts across devices, applications, and websites.
Most companies, no matter how advanced their offerings are, remain committed to managing authentication methods that aren’t entirely secure or effective. Too much focus has been on verifying that a user has the proper credentials to gain account access, rather than on positively identifying and confirming the presence of the authorized user. It’s the difference between someone having what John Doe uses to log in vs. the confirmed presence of John Doe. To best protect data and earn customer trust, companies need to move from thinking about authentication as a process of simply authorizing user access and move toward a process of positive user identification.
Passwords Are Still Too Prevalent
While passwords effectively protected the very first programs and websites available on the Internet, forty years of technological innovation have led to little change in how businesses use them.
A recent study from One World Identity found that nearly 40% of websites and 47% of applications still rely solely on passwords for user authentication. At a basic level, passwords alone can’t make up for users’ all-too-common failure to follow security best practices. Users share passwords, reuse the same passwords across multiple sites, or change passwords infrequently. Even when users are careful, security breaches beyond their control occur with alarming frequency.
As increasing numbers of consumer records become electronic, protecting user data has never been more important. Yet passwords simply can’t meet the security challenge. Presenting a random string of numbers, letters, or symbols doesn’t prove you are who you are, just that you have the information needed to gain account access – no matter if that information has been shared, stolen, or sold.
Multifactor Is Good, But Not Always Good Enough
As more organizations recognize the weakness of password-only security, the move toward requiring more than one method of authentication, multifactor authentication (MFA), is an encouraging one. But MFA is complicated and can be rendered useless if not implemented well. Additional security steps can add effort and friction, frustrating the user without necessarily improving security. For example, security questions, often based on data easily available through a Google search or from a well-intentioned call center agent, can quickly become a vulnerability in the hands of a determined hacker. Requiring a secondary step of a one-time texted PIN is useless if a phone has been stolen and a fraudster has full device access. The recent spate of well-publicized SIM swaps, where hackers take control of a user’s cell phone number in order to receive backup security codes and PINs, gaining unfettered account access, highlights the vulnerability of MFA. Worse, it’s not rare. In fact, social engineering and technical attacks in hacking attempts are a growing concern, so much so that the Federal Bureau of Investigation recently released a public warning about the rising danger.
Many businesses are making the mistake of assuming that stronger authentication requires extra steps or the divulging of additional personally identifiable information (PII). Quite the contrary: by requiring more PII, companies may be putting their customers at even higher risk of data theft.
The Biometric Frontier
Recognizing the need to bolster security beyond passwords, PINs, and security codes, many enterprises are deploying biometric systems for authentication. While tying one’s identity to a unique biological marker or characteristic offers higher accuracy, even these methods are at risk of being spoofed by bad actors. At the Black Hat conference in July, researchers from Tencent demonstrated how they were able to fool Apple’s Face ID using a pair of glasses and a couple of squares of black tape. In August, the Wall Street Journal reported on a UK energy firm that was tricked into transferring nearly $250K by a fraudster who used artificial intelligence to mimic the voice of a company executive. Biometrics significantly improve authentication, but without also verifying an authorized user’s physical presence or “liveness,” organizations leave the door open for determined hackers.
The Next Step: Positive Identity Verification
What all organizations need to recognize is that positively identifying a customer is more complex than simply authorizing access. Whether it’s passwords, passcodes, PINs, or biometrics, reorienting toward that goal means a major shift in how most companies identify their users.
To meet today’s security challenges, authentication systems must add another layer of identification, one that confirms the authorized user’s actual presence or “liveness.” Not just “This is the user’s password, voice, or face,” but “This is the user.” It’s a two-pronged process: verifying that a user possesses the correct authentication information, and that the user is not being impersonated or falsely represented.
Implementation of Better Identity Management Is in Sight
Recent regulatory initiatives like Strong Customer Authentication (SCA) in Europe provide a useful direction for companies looking to strengthen authentication through better identity management. The requirement mandates that payment service providers require two of the following three identification elements:
- Knowledge (something the user knows: a password, a PIN),
- Possession (something the user has: a phone, a key), and/or
- Inherence (something the user is: a voice, a fingerprint, a face)
To prevent circumstances such as a stolen phone being used to receive a one-time password, the SCA also requires that one element can’t be dependent on, or compromise the reliability of, the other.
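The following is an added example, not code from the article or from ID R&D, showing how a service could enforce the two-of-three rule and the independence requirement just described, and how the earlier stolen-phone scenario (password autofilled on the same phone that receives the one-time PIN) fails that check. It makes a simplifying assumption that is the example's own: two factors are treated as dependent when they are held or delivered by the same device, and an inherence factor counts only when a liveness check has passed. Factor names, device names, and the `Factor`/`evaluate_sca` API are constructed for illustration.

```python
# Added example (not from the article or ID R&D): a policy check for the
# SCA rule "two of three categories, and the elements must be independent".
# Device names and factor names below are constructed for illustration.
from dataclasses import dataclass, field
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something the user knows
    POSSESSION = "possession"  # something the user has
    INHERENCE = "inherence"    # something the user is


@dataclass(frozen=True)
class Factor:
    name: str
    category: Category
    # Device or channel that holds or delivers the factor. Assumption of this
    # example: two factors on the same device are not independent, because a
    # stolen or fully compromised device yields both at once.
    bound_to: str
    # Inherence factors only: did a liveness check confirm a live person rather
    # than a replayed recording, a photo, or a synthetic voice?
    liveness_verified: bool = True


@dataclass
class Decision:
    accepted: bool
    reasons: list = field(default_factory=list)


def evaluate_sca(factors, compromised_devices=frozenset()):
    """Accept only if two factors from different categories are present,
    they are bound to different devices, and neither device is known to be
    compromised. Inherence without liveness is ignored: it proves the
    verifier has the user's face or voice, not that the user is present."""
    decision = Decision(accepted=False)
    usable = []
    for f in factors:
        if f.category is Category.INHERENCE and not f.liveness_verified:
            decision.reasons.append(f"{f.name}: no liveness check, ignored")
            continue
        if f.bound_to in compromised_devices:
            decision.reasons.append(f"{f.name}: bound to compromised device {f.bound_to}")
            continue
        usable.append(f)

    if len({f.category for f in usable}) < 2:
        decision.reasons.append("fewer than two independent categories presented")
        return decision

    # Independence: find a pair from different categories on different devices.
    for a in usable:
        for b in usable:
            if a.category is not b.category and a.bound_to != b.bound_to:
                decision.accepted = True
                decision.reasons.append(f"accepted: {a.name} + {b.name}")
                return decision
    decision.reasons.append("factors share a device, so they are not independent")
    return decision


# Constructed sample factors for the scenarios discussed in the article.
PASSWORD_ON_LAPTOP = Factor("password typed on laptop", Category.KNOWLEDGE, "laptop")
PASSWORD_ON_PHONE = Factor("password autofilled on phone", Category.KNOWLEDGE, "phone")
SMS_OTP_ON_PHONE = Factor("one-time PIN texted to phone", Category.POSSESSION, "phone")
VOICE_NO_LIVENESS = Factor("voice match, no liveness", Category.INHERENCE, "phone",
                           liveness_verified=False)
VOICE_LIVE = Factor("voice match with liveness", Category.INHERENCE, "phone")


def demo():
    """Run the four scenarios and return their accept/reject outcomes."""
    return {
        "laptop password + phone OTP": evaluate_sca(
            [PASSWORD_ON_LAPTOP, SMS_OTP_ON_PHONE]).accepted,
        "phone password + phone OTP (same device)": evaluate_sca(
            [PASSWORD_ON_PHONE, SMS_OTP_ON_PHONE]).accepted,
        "laptop password + OTP to stolen phone": evaluate_sca(
            [PASSWORD_ON_LAPTOP, SMS_OTP_ON_PHONE], {"phone"}).accepted,
        "laptop password + voice without liveness": evaluate_sca(
            [PASSWORD_ON_LAPTOP, VOICE_NO_LIVENESS]).accepted,
        "laptop password + voice with liveness": evaluate_sca(
            [PASSWORD_ON_LAPTOP, VOICE_LIVE]).accepted,
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{'ACCEPT' if ok else 'REJECT'}  {scenario}")
```

The `reasons` list is what a security team would log: a rejection caused by two factors sharing a phone is a different signal from a rejection caused by a missing liveness check, and both are worth alerting on separately.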
While no security system is wholly impenetrable, businesses following this direction take a giant step toward better user data security that centers account access around user identity. Systems should ensure that MFA methods are fully independent of each other and confirm the presence of authorized users, not just rely on a log-in combination that can be easily shared, stolen, or spoofed.
No global consensus exists around user authentication and data protection, but smart security teams should look to the not-too-distant future and consider the many benefits of early adoption of stronger security. Requiring positive identification decreases risk and compensates for poor user security practices. Above all, it demonstrates a commitment to security and lets customers rest assured that you’re as sure about their identity as they are.