Passwords are the cornerstone of cyber security. The problem is that users tend not to follow the recommended best practices for making their passwords secure. Additionally, passwords can be leaked through security breaches. For instance, 68 million Dropbox user credentials were stolen in an incident in 2012. As such risks escalate, organisations have been working hard to find better alternatives, with varying degrees of success. Even though passwords may not be completely replaced any time soon, these alternatives will, without a doubt, provide much-needed additional security layers.
Additional security layers
Security questions are probably the most common measure used in tandem with passwords. They are usually about the user's background and habits. The main problem with security questions is that the answers are researchable, so it is not particularly hard for attackers to find them out.
Two-factor authentication is getting more and more popular, especially among financial organisations. In addition to a password, users also need a randomly generated code that is delivered to their security token or mobile phone. Two-factor authentication is now a feature of most online banking systems. Still, there is a risk of tokens or phones being stolen.
Many organisations are betting on biometric security, in which a user's identity is verified by biometrics such as fingerprints, voice or facial patterns. Such features are unique to each individual. Biometric authentication systems are becoming increasingly sophisticated and affordable enough to be widely deployed. HSBC, for example, is rolling out biometric security apps for iOS and Android devices that replace passwords or PINs.
Biometric security systems are not unbreakable, however. Fake gelatine fingerprints have been shown to fool fingerprint scanners, and facial recognition can be fooled by photographs.
Some experts therefore suggest that biometrics should be used as an alternative to usernames rather than to passwords. For example, users would scan their fingerprints and then key in their passwords. Biometrics can also be used as one factor in a two-factor authentication process.
The future of passwords
Google is working on a new technology to replace passwords altogether. It will use a metric called a trust score for authentication. The trust score is calculated from typing speed, voice and facial recognition, and proximity to familiar wireless devices. Users will only be asked to submit their passwords if their trust score falls below the minimum threshold.
In the meantime, organisations should enforce password security requirements and strict group policies for their systems. A secure password should have at least 8 characters and use a mix of upper-case and lower-case letters and special symbols. Passwords for sensitive systems should be unique and changed every 2 months.
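Enforcing a policy like the one above means checking every new password against each rule and rejecting it with a reason the user can act on. The following is an added example, not code from the original article, that encodes exactly the stated rules (minimum 8 characters, upper-case and lower-case letters, a special symbol, no reuse, and a maximum age of two months, which is taken here to be 61 days as an assumption). The previously used passwords are compared by hash so that the plaintext need not be kept; the plain SHA-256 fingerprint is a constructed simplification, and a real system would store salted, slow hashes.

```python
import hashlib
import string
from datetime import date, timedelta

MIN_LENGTH = 8
MAX_AGE = timedelta(days=61)          # "changed every 2 months"; 61 days is an assumed cut-off
SPECIAL_CHARS = set(string.punctuation)


def complexity_problems(password: str) -> list:
    """Return every complexity rule the password fails; an empty list means it complies."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special symbol")
    return problems


def fingerprint(password: str) -> str:
    """Constructed helper: hash used only to detect reuse against the password history."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def evaluate(password: str, last_changed: date, today: date, previous_fingerprints: set) -> list:
    """Full policy check for one account: complexity, uniqueness against history, and age."""
    problems = complexity_problems(password)
    if fingerprint(password) in previous_fingerprints:
        problems.append("reused password")
    if today - last_changed > MAX_AGE:
        problems.append("older than %d days" % MAX_AGE.days)
    return problems


if __name__ == "__main__":
    # Constructed sample account records: (candidate password, last change, history of old passwords)
    history = {fingerprint("Winter2015!")}
    samples = [
        ("password",     date(2016, 3, 1), history),   # fails complexity
        ("Winter2015!",  date(2016, 3, 1), history),   # complies but was used before
        ("Tr0ub4dor&3",  date(2016, 1, 1), history),   # complies but is overdue for rotation
        ("Tr0ub4dor&3",  date(2016, 3, 1), history),   # compliant
    ]
    for pw, changed, hist in samples:
        result = evaluate(pw, changed, date(2016, 4, 1), hist)
        print("%-12s -> %s" % (pw, "OK" if not result else ", ".join(result)))
```

Returning the list of failed rules rather than a bare true/false lets the login or self-service portal tell the user what to fix, while the age check can be run as a scheduled job over all accounts to flag passwords that are due for rotation.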
When it comes to data protection, it is essential that employers stay proactive and use a multipronged approach, which combines technology, human, and organisational measures. You can find out more about this issue by downloading our White Paper “IT Pros Guide to Data Protection”.