In a recent Wall Street Journal op-ed, President Obama announced the launch of a new national awareness campaign to “encourage more Americans to move beyond passwords — adding an extra layer of security like a fingerprint or codes sent to your cellphone.”
The shift from single passwords to multi-factor authentication couldn’t be timelier or more strategic.
Fact: passwords alone are no longer effective. This is something both sides of the aisle can agree upon. 2014 went down as “the year of the hack” when a Russian crime ring on its own stole more than 1.2 billion passwords. Since then, password theft has become a mainstay in the news, with a high-profile breach of 320,000 login details at Time Warner at the top of a very long list. When we combine this data with the fact that “123456,” “password,” and “qwerty” are among 2015’s top 25 passwords, it’s clear the public is in acute and ongoing danger of falling victim to debilitating invasions of privacy.
What’s at stake? Access to bank accounts, lines of credit, health records, wills and end-of-life directives, information about our children, full correspondence records over text and email, and so on. When thieves take our passwords, our entire personal profiles are available for them to use at their discretion.
Some consumers are savvy enough to know not to open emails or links from names or domains they do not know or trust. Many have trained their eyes to spot suspicious headlines or URLs. On the other hand, when people receive an email from a friend, they are much likelier to open the message. Or when they get a bill from their bank, they pay it. This is exactly where attackers prey on the unwitting masses.
Once opened, these impostor emails deliver keylogger software that automatically records every keystroke the user makes, including passwords, chat messages and any other action in the browser. The keylogger typically gets in by exploiting known vulnerabilities in software such as Java or Flash, which users rarely keep up to date, and then sends any captured information directly to the bad guys.
Net-net: This is an extremely precarious situation and the time to act is now. The President has answered the call.
As the name implies, multi-factor authentication (MFA) requires more than one piece of information to gain access to sensitive data. Even simple fingerprint readers provide a layer of security beyond a password that would prevent the scale of breaches we’ve witnessed over the past two years. While not perfect, this is significantly better than a single line of defense.
Taking a step back, it’s worth operating from the assumption that attackers already have our passwords. Why not? By now they easily have a couple billion of them. Imagine adding a security question to the password. Now the hackers have to do a little more work. Or let’s say logging in requires both a password and entering a code that is sent as a text message to the user’s mobile device. This is even stronger than the security question, because the hackers also would have to gain access to the user’s smartphone. If that phone required a fingerprint to access text messages, it’s easy to see how much larger the barrier is to thieves trying to break down the door. In this scenario, attackers would need the actual phone and a fake fingerprint — or the ability to intercept messages on their way to this particular device.
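The password-plus-texted-code flow described above, as an added illustration that is not Centrify's code or any product's: the server checks the password against a salted hash, then mints a six-digit code, keeps only a hash of it, and rejects the code once it has expired, been used once, or been guessed at too many times. The user record, salt, five-minute window and attempt limit are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed: a texted code is useless after five minutes
MAX_ATTEMPTS = 5         # assumed: a handful of guesses, then the code is burned

# Constructed demo user: store a salted password hash, never the password itself.
_SALT = b"constructed-demo-salt"
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 200_000)}
PENDING = {}  # username -> {"digest", "expires", "attempts"} for the second factor

def password_ok(user, password):
    """First factor: constant-time comparison against the stored hash."""
    stored = USERS.get(user)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 200_000)
    return hmac.compare_digest(stored, candidate)

def issue_code(user, now=None):
    """Second factor: mint a one-time code to hand to the SMS gateway.
    Only its hash is kept server side, so a database leak does not leak live codes."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[user] = {"digest": hashlib.sha256(code.encode()).digest(),
                     "expires": now + CODE_TTL_SECONDS, "attempts": 0}
    return code  # returned here only so the demo can feed it back in

def verify_code(user, code, now=None):
    """Accept a code exactly once, within its lifetime, with a bounded number of tries."""
    now = time.time() if now is None else now
    entry = PENDING.get(user)
    if entry is None:
        return "no_pending_code"
    if now > entry["expires"]:
        del PENDING[user]
        return "expired"
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del PENDING[user]          # too many guesses: force a fresh code
        return "too_many_attempts"
    if hmac.compare_digest(entry["digest"], hashlib.sha256(code.encode()).digest()):
        del PENDING[user]          # single use: a replayed code is rejected
        return "ok"
    return "wrong_code"
```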
None of these solutions is perfect, but they do represent a call to arms and a monumental shift in the right direction. For our industry, MFA buys us the time we need to move away from passwords towards better, more secure methods of identity verification. Analytics, heuristics, behavior — these are all the sci-fi methods of tomorrow, just like mobile phones were the sci-fi methods of yesterday.
Ultimately we will get closer to perfection — but only if we’re smart about using the best methods available to us right now.
To learn more about MFA Everywhere, join guest speaker Andras Cser, Vice President and Principal Analyst at Forrester Research and Cheryl Tang, Product Director at Centrify to learn how to stop attackers in their tracks with MFA, and the steps to take to further mitigate risk from compromised credentials. Register here.