If you were a supervillain in James Bond, how might you minimize the risk of him hacking into your network? A simple username/password combo? Probably not going to cut it, especially if you’ve got a poor memory – which, let’s face it, is quite likely if you’re a 007 villain (how many times has he saved the world again?). What you’d need is another key, something that would be very tough for the secret agent to get his hands on…
As companies shift more information to cloud systems and encourage their employees to work flexibly, identity management becomes more important. With more “entry points” to choose from, cyber-attacks could increase in frequency if secure authentication isn’t in place (check out our Cyber Investigators campaign to discover what happens if the baddies are successful). The traditional username and password combination simply won’t cut it anymore, especially considering there’s evidence to suggest the human brain isn’t wired to remember lots of codes. More sophisticated solutions are required.
Fortunately, organizations are addressing the authentication problem. Social networks like Facebook, WhatsApp and Instagram are leading the way.
To address concerns around user privacy and security, Facebook announced in January it would be trialling multi-factor authentication, which we’ve been talking about on the blog for months. The basic idea is that people should possess and use multiple keys to gain access to information, minimizing risks of a hack. As well as a username and password, they should also have a token (often a text message, as any Twitter user will know). However, Facebook has gone for a better system, allowing people to set up an encrypted recovery code, accessible via your account on a different website. Whereas you’re a bit stuffed if you lose your phone after setting up a Twitter account, with Facebook’s new system you can acquire your login token through another account, such as GitHub. A great way of balancing security and convenience.
Facebook is also experimenting with U2F Security Keys, as demonstrated by its partnership with YubiKey. Users can purchase a YubiKey (a physical key) and link up their Facebook account via their account security settings. It’s a way of providing an extra layer of security – a hacker now needs to acquire your username, password AND physical key in order to seize control of your account.
Furthermore, WhatsApp – owned by Facebook – is also promoting good authentication practices. The messenger app now enables people to add an extra level of security to their accounts by asking them to provide a passcode for phone number verification. What this means is users will need to remember their passcodes and enter it into WhatsApp together with their email address to achieve access.
Finally, another member of the Facebook family, Instagram, has also equipped users with the option to enable advanced authentication systems. People can activate 2FA by simply going into settings and clicking/tapping the relevant option. The site will then provide you with codes you can use to access your account. A hacker’s life becomes more difficult, because they then have to acquire the tokens as well as user credentials.
We’re pleased to see these social media giants taking authentication seriously. More enterprises need to adopt multi-layered authentication, as cyber-attackers become more sophisticated and devious. What do you make of Facebook, WhatsApp and Instagram’s initiatives? Do you feel more secure about using your accounts? Let us know by tweeting to us at @Gemalto, or posting a comment below.