If you’ve read part one, you’ll know that there’s a persistent problem with passwords. Despite the continued warnings, data breaches and endless guidance – a weak and easily hackable password guards a sobering number of online accounts and identities. Past experience tells us this is unlikely to change.
If we journey back to 2004, at the RSA Conference, Bill Gates predicted the death of the password, stating: “There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don’t meet the challenge for anything you really want to secure.”
18 years on, passwords are still the dominant means of securing digital identities. With cyber-attacks and data breaches increasing in frequency, and cybercriminals becoming ever more sophisticated, it is vital that we head towards a password-less future.
The good news is that this isn’t a futuristic pipe dream: the technology to make it happen already exists, and there are already some good examples in use.
Digital IDs give consumers control and convenience
As discussed in our previous blog, it’s highly likely that the average consumer has passwords in the hundreds. These passwords guard anything from a Netflix account through to online banking; while the security risks are very real, so is the temptation to use easy-to-remember phrases. In today’s digital age we all value privacy and control, but also convenience and efficiency.
Thankfully, the rise of Digital IDs means that consumers get this level of control over their digital identities, through a single point of access. At the same time, it gives authorities the opportunity to create companions for physical identity documents that are straightforward to issue, manage and verify, delivering a powerful tool to fight ID fraud, reduce red tape and boost efficiency.
Across the globe, digital identification is becoming more mainstream, with new measures constantly coming to fruition to make this the norm. In the EU we have the proposed update to the European Digital Identity regulation, eIDAS2. Under the proposal, each EU Member State must make a digital ‘wallet’ available to every citizen who wants one, with September 2023 as the target date. Service providers in both the public and private sector (such as banks and telcos) will have to accept it as proof of ID.
This acceleration isn’t just taking place in the EU: earlier this month the UK government proposed legislation to secure digital identity, including the creation of the Office for Digital Identities and Attributes.
Bolstering security with behavioural biometrics
Most of us have become accustomed to using biometrics in some form in recent years, with facial recognition or fingerprint readers now present on most smartphones. In many instances, these biometrics can also be used to verify purchases.
The virtues of biometrics over text-based passwords are well accepted, and recent advances mean that we can look beyond fingerprint and facial recognition to an approach based on each individual’s behavioural characteristics.
Behavioural biometrics is an innovative approach to user authentication. It can identify a user (or an impostor) from a set of patterns that are hard for someone else to imitate, such as the way a person moves a mouse, types on a keyboard, or the time they spend on an activity. These traits are reinforced with device and network indicators such as IP address and geo-location data, which are not biometrics themselves but narrow down whether the session looks like the enrolled user’s usual one.
Risk assessment rules can then be applied to each transaction, so that an appropriate authentication level is always applied. For example, a low-value purchase made by a consumer near their home can be processed instantly. If a high-value purchase that is not in keeping with that user’s normal behaviour is attempted, the transaction can be blocked or additional authentication requested.
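The following is an added example (not code from the original post or from any product it describes) showing how such rules combine into a risk score and an allow / step-up / block decision. The user profile, the three transaction attempts, the point weights and the decision thresholds are all constructed assumptions; a real deployment would calibrate them against measured false-accept and false-reject rates.

```python
"""Risk-based step-up authentication from behavioural and device signals.

Added illustrative example. Every profile, attempt, weight and threshold below is a
constructed assumption, not a value from the post or from a real product.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    """Enrolled baseline for one user (constructed sample values)."""
    user_id: str
    home_lat: float
    home_lon: float
    home_country: str
    mean_keystroke_ms: float   # mean interval between key presses at enrolment
    stdev_keystroke_ms: float  # spread of that interval at enrolment
    max_recent_amount: float   # largest transaction in recent history


@dataclass(frozen=True)
class Attempt:
    """Signals captured for one transaction attempt (constructed)."""
    user_id: str
    lat: float
    lon: float
    ip_country: str
    ip_is_proxy: bool          # anonymising proxy / VPN egress per IP intelligence
    keystroke_ms: float        # typing cadence measured during this session
    amount: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def risk_score(profile, attempt):
    """Return (score, reasons); a higher score is less consistent with the enrolled user."""
    score, reasons = 0.0, []

    # Behavioural signal: typing cadence expressed as standard deviations from baseline,
    # capped so one noisy measurement cannot dominate the score on its own (max 40 pts).
    z = abs(attempt.keystroke_ms - profile.mean_keystroke_ms) / profile.stdev_keystroke_ms
    score += min(z, 4.0) * 10.0
    if z >= 2.0:
        reasons.append(f"typing cadence {z:.1f} sd from baseline")

    # Geo-location signal: distance from the enrolled home location.
    dist = haversine_km(profile.home_lat, profile.home_lon, attempt.lat, attempt.lon)
    if dist > 500:
        score += 30
        reasons.append(f"{dist:.0f} km from home")
    elif dist > 50:
        score += 15
        reasons.append(f"{dist:.0f} km from home")

    # Transaction value relative to what this user normally spends.
    ratio = attempt.amount / profile.max_recent_amount
    if ratio > 5:
        score += 30
        reasons.append(f"amount {ratio:.1f}x largest recent transaction")
    elif ratio > 2:
        score += 15
        reasons.append(f"amount {ratio:.1f}x largest recent transaction")

    # Device / network indicators reinforce the behavioural and geo signals.
    if attempt.ip_country != profile.home_country:
        score += 15
        reasons.append(f"IP geolocates to {attempt.ip_country}")
    if attempt.ip_is_proxy:
        score += 20
        reasons.append("IP flagged as anonymising proxy")
    return score, reasons


ALLOW, STEP_UP, BLOCK = "allow", "step_up", "block"


def decide(score):
    """Map a risk score to an authentication level (thresholds are assumptions)."""
    if score < 30:
        return ALLOW       # process instantly
    if score < 60:
        return STEP_UP     # ask for an additional factor before proceeding
    return BLOCK           # refuse and raise for review


def evaluate(profile, attempt):
    score, reasons = risk_score(profile, attempt)
    return decide(score), score, reasons


# Constructed data: a London-based user and three attempts against her account.
ALICE = Profile("alice", 51.5074, -0.1278, "GB", 180.0, 25.0, 60.0)
COFFEE = Attempt("alice", 51.52, -0.11, "GB", False, 185.0, 20.0)          # low value, near home
GADGET = Attempt("alice", 51.5074, -0.1278, "GB", False, 230.0, 200.0)     # pricier, odd cadence
TAKEOVER = Attempt("alice", 40.7128, -74.0060, "US", True, 95.0, 950.0)    # abroad, proxy, high value

if __name__ == "__main__":
    for attempt in (COFFEE, GADGET, TAKEOVER):
        action, score, reasons = evaluate(ALICE, attempt)
        print(f"{action:8s} score={score:5.1f} {'; '.join(reasons) or 'no anomalies'}")
```

Two design points are worth noting. Each signal contributes a bounded amount, so a single spoofable indicator (a familiar IP address, say) can never by itself move a transaction from block to allow, and the returned reasons give the fraud team an explanation for every step-up or block rather than an opaque number.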
The business case for a password free future
Our recent Data Threat Report found that nearly a third of businesses across the globe have experienced a data breach in the last 12 months. More often than not, the weakest link in the security chain is the employee, usually through small but harmful mistakes such as choosing an easy-to-guess password. The new normal of hybrid working also opens up a host of new cyber security challenges.
Organisations should consider adopting access management solutions. One such example is password-less verification, in which the user proves possession of a registered device or presents a biometric instead of typing a secret, while contextual signals such as IP address and location feed a risk score that decides whether an additional factor is required. Note that an IP address on its own is a risk signal, not proof of identity. This overcomes the inherent vulnerabilities of text-based passwords while improving both assurance and convenience.
In conjunction with this, adopting a Zero Trust model, based on the principle “Never Trust, Always Verify”, restricts employees to the data they are authorised to access and requires them to verify who they are each time they request access.
Heading towards a password-free future
Throughout this two-part blog series, we have highlighted the various problems with passwords – but not without solutions. The technology is here, and already in use to help us do away with them for good.
That said, in the meantime, don’t use 123456, qwerty, password or 654321 to guard your online accounts!