Despite the many advantages presented by online transactions, they can be risky business. In 2019 alone, the online world saw 157,525 security incidents and 3,950 confirmed data breaches. A large number of these compromises are helped along by the weaknesses present in current authentication methods; that is, by the weakness of users’ passwords or the ease of answering their secret questions.
To put it simply, authentication is designed to verify that an online user is who they say they are. Passing an authentication check grants a user access to an online account. Whenever someone’s user authentication isn’t secure, cybercriminals are easily able to bypass the system and take whatever information they want. Sometimes these criminals take money for themselves, other times they use a verified account to scam others out of money. Either way, a strong authentication system is vital to protecting any online account from assault.
In terms of authentication methods currently in use, passwords and security questions rank as the weakest. The onus is on the user to protect and remember multiple passwords, and answers to “shared secret” security questions are commonly available online. Out-of-band voice isn’t much better; voice calls can easily be intercepted or redirected, and users often require a second device to be able to answer the call. Time-sensitive one-time passwords are an improvement because the code expires quickly, but the practice is vulnerable to SIM hijacking, malware, and notification flooding attacks. Finally, biometric authentication is the strongest form of security on this list because of how hard biometrics are to fake and the convenience they offer the user. However, this data is only secure if it is stored locally and protected by a TPM or secure enclave. If biometric data is compromised, it can be hard for the user to recover. One cannot simply change their fingerprints or face.
What about multi-factor authentication? Ultimately, it depends. The strength of the scheme is only as good as the weakest factor used. Furthermore, SMS authentication codes aren’t encrypted and can be intercepted. Some encrypted instant messaging apps are capable of sending codes to multiple devices. In addition, multi-factor authentication can be inconvenient for users who have to jump between devices, remember passwords, and act before one-time codes expire. These usability problems may erode compliance with best password practices, worsening the security outcome.
The authentication method of the future is built on asymmetric cryptography. Already universally trusted, this technique is used to secure trillions of dollars in transactions daily. While the end-user is granted easy access, an authentication system built on asymmetric cryptography can also weigh user identity, device security posture, biometrics, IP address, and geolocation to determine the validity of an access attempt. Eliminating passwords is a reality today with immensely secure, easy-to-use authentication practices.
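The core of a passwordless, asymmetric-cryptography login is a challenge-response exchange: the server stores only a public key, sends a fresh nonce, and the device signs it with a private key that never leaves the device. The following Go program is an added illustration of that exchange (not code from the original article or from any vendor); the user name "alice", the Ed25519 choice, and the in-memory `Server` type are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server stores only public keys: stealing this table gives nothing to log in with.
type Server struct {
	pubKeys map[string]ed25519.PublicKey
	pending map[string][]byte // one outstanding challenge per user
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Register enrols the device's public key; the private key never leaves the device.
func (s *Server) Register(user string, pk ed25519.PublicKey) { s.pubKeys[user] = pk }
// Challenge issues a fresh random nonce so a captured signature cannot be replayed.
func (s *Server) Challenge(user string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// Verify checks the signature over the pending nonce and consumes it (single use).
func (s *Server) Verify(user string, sig []byte) bool {
	pk, ok := s.pubKeys[user]
	nonce, has := s.pending[user]
	delete(s.pending, user)
	return ok && has && ed25519.Verify(pk, nonce, sig)
}

// SignChallenge runs on the device; in practice the key sits in a TPM/enclave behind a biometric check.
func SignChallenge(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}
func main() {
	s := NewServer()
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // device-side key pair, generated on enrolment
	s.Register("alice", pub)
	nonce, _ := s.Challenge("alice")
	sig := SignChallenge(priv, nonce)
	fmt.Println("login:", s.Verify("alice", sig), "replay:", s.Verify("alice", sig))
}
```

Because each nonce is consumed on first use, a signature captured in transit is useless a second time, and a dump of the server's table yields no secret that an attacker could present as a credential.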