Tayla Ansell looks at some alternatives to passwords for data security
Ever more frequent consumer security breaches highlight how inadequate passwords have become as a means of protecting data and accounts.
The problem is not just the large number of online accounts people use and the advice to have a unique password for each one. As Martijn Verbree, partner in KPMG’s cyber security practice, points out, even if you do use a unique password for each service, simply having your email account hacked could leave many other accounts vulnerable.
“When an email account is breached, it opens up access to other non-linked accounts that often use emails to validate password reset requests. Irrespective of using same/different passwords, in this situation, the compromise is wider than just the one primary account,” he said.
Yet passwords are still often the only line of defence. According to the latest Gemalto Authentication and Identity Management Index report, only 30% of UK businesses use two-factor authentication, which combines something someone knows (e.g. a password) with something they have (e.g. a smart card).
Verbree added: “It is clear passwords are the weakest link and more needs to be done by businesses to enable other forms of authentication to prevent cyber breaches. We all need to move towards a more sophisticated approach to authenticating people, which blends the use of a two-step validation, behavioural analysis and contextual information, rather than relying on knowledge of a single increasingly user unfriendly password.”
Although still in a minority, more businesses are using alternatives to the traditional password or additional methods of authentication to use alongside a password in a two-step verification process. For example, when signing into your Google account you can now receive a text message with a code to confirm your identity.
Facebook recently upgraded login security for its 1.79 billion users by integrating the unphishable FIDO U2F (Universal 2nd Factor) Security Key into its social platform. Users can now protect accounts with a physical security key such as the YubiKey by Yubico.
Yubico and Google co-created U2F, an open authentication standard based on public key cryptography and designed to work at internet scale. The YubiKey plugs into a USB port or connects with a mobile device via NFC, enabling the user to authenticate with a simple tap. It can be used to access a number of online services (e.g. Gmail, Dropbox and UK government services) and prevents unauthorised access to accounts.
Another physical security key, the blukii SmartKey, provides two-factor authentication automatically via Bluetooth. The key pairs with your mobile device and can be integrated into a key fob, pocket pen, clip or badge.
blukii also has a notebook protector, which uses a Smart USB Dongle to lock access to your laptop when you are away and unlock it when you return. If someone tries to get access to the laptop, an alarm sounds and an email with images of your computer’s surroundings is sent to a predetermined address.
Biometrics and behaviour
Biometric authentication is also becoming more common as an extra line of defence. Fingerprint readers and iris scanners are available in smartphones and several banks (e.g. HSBC and Barclays) have introduced facial and voice recognition to verify customers. Because physical biometrics are unique to each individual, they remove the need to remember (or write down) information – a major weakness of passwords and PINs.
Researchers are continuing to explore new methods of authentication. Scientists at Binghamton University in New York suggest that heartbeats could be used for encrypting and storing personal data, because each person's heartbeat is individual. They point out that a doctor could use an ECG-based biometric solution to access patient files simply by holding a sensor to the patient's skin.
Robert Capps, VP of business development at NuData Security, said: “As more business moves online, it’s important for us to look for new and stronger methods to positively identify consumers online. The use of bioinformatics for online human identification (such as heart rate or body temperature, oxygen saturation etc.) is a promising area of study that would provide a unique way of strongly identifying individuals while reducing the opportunities for online criminals to impersonate a legitimate user.”
He adds the caveat that, as ever when data is collected and compiled, there is the risk of theft and misuse and that this is especially grave when dealing with data, such as health diagnostics information, that comes under the remit of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a US law setting data privacy and security standards for safeguarding medical information.
Capps points out that in the future passive behavioural biometric technologies might also have a role to play in strengthening online consumer identification. These validate factors such as how someone walks, how they sit, how they type or how they hold their phone, which, again, are unique to each user. Importantly, the user doesn’t have to do anything.
“Passive behavioural biometric technologies currently exist that are used to uniquely identify users. These solutions are passively collected and dynamically analysed and have the benefit of having an extremely limited shelf life of usefulness, making theft and successful reuse of raw behavioural signals nearly impossible,” he explained.
Until devices are smart enough to authenticate users without the user having to do anything, using two-factor authentication is the simplest way to add an extra layer of security that makes it more difficult for fraudsters to steal information.