
Are passwords really secure, or is it time to ditch the stand-alone password in favour of more secure forms of authentication?

Sarah Small

Global Partner Marketing Manager

Sekura Mobile Intelligence Ltd

Despite the rapid advances in technology that have produced a range of highly secure authentication methods, many businesses and individuals still rely on a simple username and password for their online security. In the light of this, the question that needs to be asked is: ‘can we rely on the password alone as a means of secure identification, or is it time to fully embrace the age of multi-factor authentication?’


The Password Memory Test

Passwords have their place, but unlike other authentication factors they are inherently unreliable, because they rely on human behaviour to keep them secure. According to one study, the average person has roughly 100 passwords to manage at any one time across their work and personal lives – no wonder most people don’t put much time or effort into creating strong, complex passwords.

Of course, the easiest way to remember all these different login details is to create simple, easy-to-remember passwords, or to reuse the same or similar passwords across multiple accounts. Sharing passwords with family and friends to allow access to paid-for TV subscriptions, or with colleagues to access resources at work, can become a normal part of our online behaviour, and all of this leaves us open to password fraud.

  • 50% of people use the same password for all their logins. (Source: LastPass)
  • 51% of people have the same password for their work and personal accounts. (Source: DataProt)
  • Over 80% of data breaches are due to poor password security. (Source: ID Agent)

How tricksters steal your passwords

Criminals have several ways to get their hands on poorly protected passwords, such as:


Phishing and social engineering

Cybercriminals use clever tricks to manipulate individuals into divulging confidential or personal information, which they then use to commit fraudulent acts. Phishing is perhaps the best known: attackers pose as legitimate, apparently trustworthy entities such as family, friends or businesses you have dealt with before. By sending a text or email that appears to come from somebody genuine, asking you to click on a link or open an attachment, they can trick you into downloading malware or persuade you to hand over personal information.


Credential stuffing

Hackers obtain lists of stolen credentials in bulk and use automated login attempts to try them against accounts and services. This strategy can be hugely successful where simple passwords are reused across multiple accounts.


Password spray

Hackers acquire lists of potential usernames and try the same small set of commonly used passwords against each account in turn. This strategy is aided by the use of easy-to-remember and commonly used passwords such as 123456.
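Both credential stuffing and password spraying leave a pattern in a service's authentication log, and the defender's side is easiest to see in code. The following Python script is an added example, not the article's own material or any vendor's product: it parses a constructed sample log (the `timestamp src=… user=… result=…` line format, the five-minute window, the five-account threshold and the 203.0.113.x / 198.51.100.x source addresses are all assumptions made for the demonstration), groups failed logins by source address, and labels one guess per account across many accounts as a password spray and repeated guesses per account as credential stuffing.

```python
"""Flag credential-stuffing and password-spray patterns in authentication logs.

Added example (not the article's or any vendor's code). The log format,
the thresholds and the sample events below are assumptions constructed
for the demonstration; source addresses come from the RFC 5737
documentation ranges.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.5 runs a stolen-credential list against
# many accounts (several guesses per account, one of which succeeds);
# 198.51.100.7 is a legitimate user who mistypes once; 203.0.113.9 sprays a
# single guess against each account, which per-account lockout never sees.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.5 user=alice result=fail
2024-05-01T10:00:02Z src=203.0.113.5 user=alice result=fail
2024-05-01T10:00:03Z src=203.0.113.5 user=bob result=fail
2024-05-01T10:00:04Z src=203.0.113.5 user=carol result=fail
2024-05-01T10:00:05Z src=203.0.113.5 user=carol result=fail
2024-05-01T10:00:06Z src=203.0.113.5 user=dave result=success
2024-05-01T10:00:07Z src=203.0.113.5 user=erin result=fail
2024-05-01T10:00:08Z src=203.0.113.5 user=frank result=fail
2024-05-01T10:03:00Z src=198.51.100.7 user=grace result=fail
2024-05-01T10:03:20Z src=198.51.100.7 user=grace result=success
2024-05-01T10:10:00Z src=203.0.113.9 user=alice result=fail
2024-05-01T10:10:30Z src=203.0.113.9 user=bob result=fail
2024-05-01T10:11:00Z src=203.0.113.9 user=carol result=fail
2024-05-01T10:11:30Z src=203.0.113.9 user=dave result=fail
2024-05-01T10:12:00Z src=203.0.113.9 user=erin result=fail
"""


def parse_log(text):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect_attacks(events, window=timedelta(minutes=5), min_accounts=5):
    """Return one alert per (source, time bucket) that fails against many accounts.

    The signal is keyed by source rather than by account: a spray makes one
    attempt per account, so per-account failure counters never trip.
    """
    by_source = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_source[ev["src"]].append(ev)

    alerts = []
    for src, evs in by_source.items():
        i = 0
        while i < len(evs):
            # Events are sorted, so one bucket is a contiguous run from evs[i].
            start = evs[i]["ts"]
            bucket = [e for e in evs[i:] if e["ts"] - start <= window]
            i += len(bucket)
            fails = Counter(e["user"] for e in bucket if e["result"] == "fail")
            if len(fails) < min_accounts:
                continue
            # One guess per account across many accounts is the spray shape;
            # repeated guesses per account points at a stolen-credential list.
            kind = "password_spray" if max(fails.values()) == 1 else "credential_stuffing"
            alerts.append({
                "source": src,
                "kind": kind,
                "accounts": sorted(fails),
                # Logins that succeeded amid the burst are takeover candidates.
                "succeeded": sorted({e["user"] for e in bucket if e["result"] == "success"}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_attacks(parse_log(SAMPLE_LOG)):
        print(alert)
```

Keying the detection on the source rather than on the account is the point: per-account lockout counters never see a spray, because each account fails only once. The successful login in the middle of the 203.0.113.5 burst is reported separately, since that is the account most likely to have been taken over and the one to review first.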


Data breaches have become a huge problem, and with thousands, if not millions, of passwords stolen each day it is becoming obvious that relying on the password as a secure identity factor is simply not enough, and that it is indeed time to embrace multi-factor authentication.


What is Multi-Factor Authentication?

Multi-factor authentication enhances security by layering another method of authentication onto the username-and-password ‘first factor’ during the login process. With a second authentication method in place, a criminal who tries to access an account using only a stolen password cannot gain entry without also having the additional ‘second factor’ layer of protection.

In addition to the username and user-controlled password, other examples of authentication ‘factors’ include PINs, biometric data – such as a fingerprint, voice recognition, or a face or retina scan – and hardware- or software-based access tokens.

Secure authentication methods utilise one or more of these factors to validate that the user or device is who or what it claims to be. These factors are commonly described as follows:

  • Something you have: a ‘possession’ factor – something you have with you at the time of requesting access into a service. This could be your mobile phone or a hardware access token such as a bank Secure Key
  • Something you know: a ‘knowledge’ factor – something only you should know, such as your secret password, access PIN, or a temporary One-Time Passcode (OTP)
  • Something you are: the ‘biometric’ factor – something that is unique to you like a fingerprint, voice profile or facial recognition scan

Single-factor authentication (SFA) is the use of one of these factors to access a service (for example a username and password), while two-factor authentication (2FA) requires the use of two separate authentication methods, such as username/password followed by entry of an OTP or confirmation of a biometric factor. Any form of authentication that utilises two or more distinct methods is referred to as multi-factor authentication (MFA).

Multi-Factor Authentication blocks 99% of all password safety issues. (Source: Microsoft)
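To make the ‘something you know’ plus ‘something you have’ split concrete, here is an added Python example (not the article's code, nor any product described on the page) of a login that checks a salted PBKDF2 password hash first and then a six-digit time-based one-time code generated from a secret shared with the user's device. The HOTP/TOTP arithmetic follows RFC 4226 and RFC 6238; the user store, the `enroll_user` and `login` helpers, the PBKDF2 round count and the one-step clock-drift window are assumptions made for the demonstration.

```python
"""A password login gated by a TOTP second factor (RFC 4226 / RFC 6238).

Added example, not the article's own code. The user store, the enrolment
helper, the login function, the PBKDF2 round count and the drift window
are assumptions for the demonstration; the HOTP/TOTP arithmetic follows
the RFCs and reproduces their published test vectors.
"""
import hashlib
import hmac
import secrets
import struct

PBKDF2_ROUNDS = 100_000          # assumed; tune to your hardware
DUMMY_SALT = b"\x00" * 16        # hashed against for unknown usernames


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from the Unix time step."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, submitted, at_time, step=30, window=1):
    """Accept the current code and `window` neighbouring steps to absorb clock drift."""
    counter = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d), submitted)
        for d in range(-window, window + 1)
    )


def enroll_user(password, totp_secret=None):
    """Store a salted PBKDF2 hash of the password plus the shared TOTP secret."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret or secrets.token_bytes(20),
    }


def login(users, username, password, otp, at_time):
    """Return (granted, reason). The reason is for the server's audit log only;
    the client should receive one uniform failure message for every denial."""
    user = users.get(username)
    # Hash even for unknown usernames so response time does not reveal
    # which accounts exist.
    salt = user["salt"] if user else DUMMY_SALT
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    if user is None or not hmac.compare_digest(candidate, user["pw_hash"]):
        return False, "bad credentials"
    # A stolen password alone stops here: the code needs the enrolled secret.
    if not otp or not verify_totp(user["totp_secret"], otp, at_time):
        return False, "second factor failed"
    return True, "ok"


if __name__ == "__main__":
    import time
    users = {"alice": enroll_user("correct horse battery staple")}
    now = int(time.time())
    code = totp(users["alice"]["totp_secret"], now)
    print(login(users, "alice", "correct horse battery staple", None, now))  # password only
    print(login(users, "alice", "correct horse battery staple", code, now))  # both factors
```

Run as a script, it enrols a user and then attempts the login once with only the correct password and once with both factors; only the second attempt is granted. The denial reason is returned for the server's audit log and should not be echoed to the client, and the dummy hash computation for unknown usernames keeps the response time the same whether or not an account exists.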


Mobile Authentication offers a real-time authentication solution

Creating a secure second authentication factor is not as simple as it seems. The key to a successful solution is that it is secure (hard to intercept or hack), easy to use and manage (i.e., delivering a simple, non-invasive user experience), cost-effective (not prohibitively expensive to manufacture, distribute and maintain) and ubiquitous (available to all, or nearly all, users). The options listed above all fall short on at least one of these criteria.

Mobile authentication uses trusted, secure mobile operator technology to deliver a non-hackable, real-time check that confirms possession of the mobile device at the time of the transaction – ‘something I have’ – without requiring the user to locate or enter an OTP, download an app, or find and use a Secure Key hardware token. It is cheap to run, being based on a low-cost per-transaction model with no upfront investment required, and is accessible to all connected mobile devices.

By integrating a simple API into an existing app flow, possession of the mobile device can be checked seamlessly and the user granted access to their service without any impact on the user experience. Overlaying other mobile identity attributes, such as name/address checks or SIM swap flags, can strengthen the authentication further by adding ID verification and account takeover checks, giving added confidence that the user is who they say they are.


Whatever methods of authentication are used, it is clear that passwords as a stand-alone means of authentication just aren’t enough to keep the criminals out. To prevent fraud and give users a seamless and secure customer experience, adopting multi-factor authentication into the user flow will protect both your business and your customers, and ensure you are in the best position to defend your business against potential cyber-attacks today, tomorrow and in the future.