Cybersecurity and the post-password internet
Passwords have been a staple of identity verification since the earliest multi-user computer systems, long before the internet. They were meant to be the first line of defense for sensitive information stored online. Attackers, however, have found reliable ways around them: phishing, credential stuffing with passwords leaked from other sites, and credentials left lying in code or configuration. The frequency and sophistication of attacks continue to grow, and a large share of breaches begin with poorly managed credentials; a stolen password is often the first step in spear phishing, ransomware deployment and the compromise of third-party services.
Take the Uber breach disclosed in 2017. Attackers found credentials that Uber developers had committed in plain text to a private code repository and used them to reach cloud storage holding the personal information of about 57 million riders and drivers. Phishing emails impersonating Uber followed, trying to trick customers into handing over account credentials or payment card details.
The Internet of Things (IoT) makes the problem harder still. With over 8.4 billion connected devices (a 2017 estimate) generating, storing and sharing unprecedented amounts of data, many of them shipped with default or hard-coded passwords that are never changed, enterprises struggle to secure the personal information those devices touch. The risk is not confined to the enterprise. In 2017, attackers compromised an internet-connected thermostat in a fish tank at a Las Vegas casino, used it as a foothold on the network, and from there reached the casino's database of high-roller gamblers and their personal information. Every connected device is a potential entry point, and a weak or default password is the easiest way through it.
Passwords as we know them, a string of letters, numbers and special characters, have a dwindling shelf life.
Providing Passwords a Helping Hand
So how do we keep information secure as passwords fade? Several alternative means of authentication are maturing to fill the gap:
1. Biometrics
Widely pegged as the technology most likely to supplant passwords, biometrics verifies identity from measurable biological traits. Once a futuristic pipe dream, facial recognition is now something many of us use daily to unlock a smartphone, and systems based on iris and finger-vein patterns, heartbeat and even 'voiceprints' are on the way. One caveat a practitioner should keep in mind: a fingerprint or face cannot be changed if it leaks, so biometric templates should stay on the device and unlock a device-bound key rather than being transmitted and stored like a shared password.
The financial services industry, including banking and payments, already relies on specific biometric authentication such as Touch ID and even Selfie Pay. As more industries adopt biometrics, consumers are likely to grow comfortable making the shift from traditional passwords.
2. Blockchain and Digital IDs
Blockchain-based digital IDs are another technology poised to dent the ubiquity of passwords, in particular the passwords held by third-party vendor sites whose breaches are only a matter of time. Once a person's digital identity has been verified and recorded in the blockchain ledger, they are a member of the consortium. From that point on the user's identity can be validated without a password: a wallet (much like a cryptocurrency wallet) holds their private keys and proves possession of them, typically by signing a challenge, while relying parties check the proof against the public key recorded in the ledger. Blockchain also inverts identity management, putting the end user in control of where their identity information goes.
It is critical to note, however, that while blockchain shows promise for authentication, it still has a way to go on cybersecurity. The losses seen on public blockchains such as cryptocurrencies have come mostly from stolen private keys, compromised exchanges and wallets, and bugs in the applications built on top of the chain rather than from breaking the ledger itself, and a key-based digital identity inherits exactly that key-management risk. Enterprise deployments run a permissioned blockchain shared by a closed community, which limits who can read and write the ledger and so reduces exposure, though it does not remove the need to protect the keys.
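The key-based login described above, reduced to its core mechanism as an added example (not code from the article or from CA Technologies): an in-memory registry stands in for the ledger, Ed25519 is the assumed signature scheme, and the user names are constructed. The verifier issues a random challenge, the wallet signs it, and the verifier checks the signature against the registered public key; the challenge is single-use, so a captured signature cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Registry stands in for the identity ledger (assumption: an in-memory map
// replaces the blockchain). It maps a user identifier to the public key recorded
// when that identity was verified; private keys never leave the user's wallet.
type Registry map[string]ed25519.PublicKey

// Verifier issues single-use challenges and checks the signatures that come back.
type Verifier struct {
	registry Registry
	pending  map[string][]byte // outstanding challenge per user
}

func NewVerifier(r Registry) *Verifier {
	return &Verifier{registry: r, pending: make(map[string][]byte)}
}

// Challenge returns a fresh random nonce bound to the user. A new challenge
// replaces any earlier one, so each nonce can be answered at most once.
func (v *Verifier) Challenge(user string) ([]byte, error) {
	if _, ok := v.registry[user]; !ok {
		return nil, errors.New("unknown identity")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	v.pending[user] = nonce
	return nonce, nil
}

// Authenticate succeeds only if sig is a valid signature by the registered key
// over the challenge currently outstanding for this user. The challenge is
// consumed pass or fail, so a captured signature cannot be replayed.
func (v *Verifier) Authenticate(user string, sig []byte) bool {
	pub, registered := v.registry[user]
	nonce, outstanding := v.pending[user]
	delete(v.pending, user)
	if !registered || !outstanding {
		return false
	}
	return ed25519.Verify(pub, nonce, sig)
}

// Wallet holds the user's private key, as a cryptocurrency-style wallet would,
// and signs whatever challenge the verifier presents. No password is involved.
type Wallet struct {
	priv ed25519.PrivateKey
}

func NewWallet() (*Wallet, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only if the OS random source is broken
	}
	return &Wallet{priv: priv}, pub
}

func (w *Wallet) Sign(challenge []byte) []byte {
	return ed25519.Sign(w.priv, challenge)
}

// RunFlow tries three logins and reports the outcomes: a legitimate user, a
// replay of that user's captured signature, and an impostor with an
// unregistered key. The names are constructed for the demo.
func RunFlow() (legit, replay, wrongKey bool, err error) {
	alice, alicePub := NewWallet()
	mallory, _ := NewWallet()
	v := NewVerifier(Registry{"alice": alicePub})
	c1, err := v.Challenge("alice")
	if err != nil {
		return
	}
	sig := alice.Sign(c1)
	legit = v.Authenticate("alice", sig)  // true
	replay = v.Authenticate("alice", sig) // false: challenge already consumed
	c2, err := v.Challenge("alice")
	if err != nil {
		return
	}
	wrongKey = v.Authenticate("alice", mallory.Sign(c2)) // false: wrong key
	return
}

func main() {
	legit, replay, wrongKey, err := RunFlow()
	if err != nil {
		panic(err)
	}
	fmt.Printf("legitimate: %v  replay: %v  wrong key: %v\n", legit, replay, wrongKey)
}
```

Whatever stores the public keys, a blockchain or a plain directory, the security of this flow rests on the private key staying in the wallet: lose the key and the identity is lost, leak it and anyone can sign.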
3. Tracking Digital Behavior
Many companies are now deploying tools that learn their employees' digital behavior so they can spot when an unauthorized person, even one holding valid credentials, is trying to reach information. Each user's behavior profile captures habits such as how they hold the phone, whether they type with one or two hands, and how they scroll between screens. The data is collected continuously and, combined with analytics, artificial intelligence (AI) and machine learning, sessions that do not match the profile are flagged. Because the signal is probabilistic rather than a proof of identity, it is usually used to trigger a step-up check or end a session rather than as the sole gate.
The connected economy has forced us to redefine what security means. Gone are the days when your mother's maiden name sufficed as backup verification. Today an individual's digital behavior is a far more reliable signal for authentication.
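An added example (not from the article or from CA Technologies) of how a behavior profile turns into an authentication decision: it enrolls a baseline from constructed sessions with three assumed features, scores new sessions by how many standard deviations they sit from the baseline, and maps the score to allow, step-up or deny using assumed thresholds. The standard-deviation floor prevents a harmless change on a feature the user is unusually consistent about from producing a huge score.

```go
package main

import (
	"fmt"
	"math"
)

// Session holds the behavioural features measured during one login session.
// The three features and their units are assumed for this example.
type Session struct {
	KeyIntervalMs float64 // mean time between keystrokes
	ScrollPxPerS  float64 // mean scroll velocity
	OneHandRatio  float64 // share of keystrokes typed one-handed, 0..1
}

func features(s Session) [3]float64 {
	return [3]float64{s.KeyIntervalMs, s.ScrollPxPerS, s.OneHandRatio}
}

// minStd floors each feature's standard deviation (assumed values); without it a
// zero deviation divides by zero and a tiny harmless change gets a huge z-score.
var minStd = [3]float64{5, 25, 0.02}

// Profile is a per-user baseline: mean and standard deviation of each feature
// over the enrollment sessions.
type Profile struct {
	mean, std [3]float64
}

// Enroll builds a baseline from known-good sessions of one user.
func Enroll(sessions []Session) Profile {
	var p Profile
	n := float64(len(sessions))
	for _, s := range sessions {
		for i, f := range features(s) {
			p.mean[i] += f / n
		}
	}
	for _, s := range sessions {
		for i, f := range features(s) {
			d := f - p.mean[i]
			p.std[i] += d * d / n
		}
	}
	for i := range p.std {
		p.std[i] = math.Max(math.Sqrt(p.std[i]), minStd[i])
	}
	return p
}

// Score is the root-mean-square z-score of a session against the profile.
func (p Profile) Score(s Session) float64 {
	var sum float64
	for i, f := range features(s) {
		z := (f - p.mean[i]) / p.std[i]
		sum += z * z
	}
	return math.Sqrt(sum / 3)
}

// Decision is what the login system does with the score. Behaviour is a risk
// signal, not proof of identity, so a moderate deviation asks for a second factor.
type Decision string

const (
	Allow  Decision = "allow"
	StepUp Decision = "step-up"
	Deny   Decision = "deny"
)

// Decide maps a score to an action; the thresholds are assumptions to be tuned.
func Decide(score float64) Decision {
	if score < 1.5 {
		return Allow
	}
	if score < 3.0 {
		return StepUp
	}
	return Deny
}

// Demo enrolls one user from constructed sessions, then scores the owner on the
// usual device, the owner on an unfamiliar device, and an impostor with the password.
func Demo() (owner, newDevice, impostor Decision) {
	p := Enroll([]Session{
		{180, 900, 0.10}, {200, 1000, 0.15}, {220, 1100, 0.20},
		{190, 950, 0.12}, {210, 1050, 0.18},
	})
	owner = Decide(p.Score(Session{205, 1020, 0.16}))     // allow
	newDevice = Decide(p.Score(Session{235, 1150, 0.15})) // step-up
	impostor = Decide(p.Score(Session{95, 2200, 0.65}))   // deny
	return
}

func main() {
	fmt.Println(Demo())
}
```

The middle band is the important design choice: a user on a new laptop looks different enough to warrant a second factor but not different enough to justify a lockout, and the impostor who types and scrolls nothing like the owner is caught even though the password was correct.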
While the password security we are so familiar with is nearing its end, that is not to say it has no place in authentication. It can remain one factor among several; what our digital society needs is a more comprehensive method as the primary means.
As consumers shift away from the time-honored password, companies need to ensure a seamless transition from familiar usernames and passwords to biometrics, blockchain-based digital IDs and related innovations. Enhanced with analytics, machine learning and AI, these technologies are more effective still. Given the expanding threat surface every enterprise faces today, business decision makers should invest in security measures that strengthen their overall risk posture.
About the Author:
Mordecai Rosen is General Manager of Security for CA Technologies