Nothing is secret: Moving beyond passwords to strengthen account security
This is a guest post by Stephen Ritter, CTO at Mitek
King of Queens might not be the first place anyone would look for a security lesson, but one episode in particular is a perfect parallel to today’s struggle for data privacy. A stranger appears at the front door of main characters Doug and Carrie. He tells them his car broke down and asks to use their phone so he can call a friend for a ride. Then, he asks, “What’s the address here?” Without hesitation, Doug tells him, and Carrie is immediately upset that he revealed their private address. Doug responds with, “It’s on the door!”
And there’s our lesson on passwords.
A key under a mat is still a key
A home address is private: a piece of information typically shared only with trusted parties – loved ones, certain businesses, the government and so on. Yet, as Doug noted, the man could easily have walked outside to read their house number and street name. The same is true of much of the personal information that people hold dear: social security numbers, payment details, passwords and more. The way this information is exposed and shared differs, but the fundamentals are the same. Our sensitive information might not be written on our front doors, but it is still “out there.”
Passwords based on public information that someone could guess are not secrets. Likewise, any kind of identity verification based on publicly accessible data is dangerous. It can be compared to hiding a key under a mat – while the key might be out of sight, it still exists, and nothing prevents an intruder from discovering it. These methods can be convenient because they offer low friction, but they also leave the user vulnerable.
Any password that can be compromised will be compromised
It’s tempting to be optimistic that, with the right strategies, we can keep our sensitive information completely secret. However, in a day and age when 4.1 billion records can be exposed in a matter of six months, the best data protection strategies will be born when we start by assuming that any piece of information can and will be compromised.
The most effective way to protect sensitive information is not to search for an unassailable method of keeping it secret (although that will always be a priority). Supporting passwords with measures centered on a person’s unique traits, public and visible though they may be, provides more account security. Combining text-based passwords, facial biometric scans and official ID documents, for instance, doesn’t rely on “secret” information, yet it still provides a much stronger barrier against unauthorized account access.
Deprioritizing secrecy, prioritizing uniqueness
As early as pre-school, we unwittingly learn about the power of biometrics when we’re taught about our unique fingerprints; even identical twins don’t share the same ones.
Biometric markers — physical ones like fingerprints, facial measurements and retinas, or behavioral ones like voice inflection or how someone scrolls on their phone — are one of the most effective tools to defend accounts against hackers and fraudsters. A password can be stolen via phishing or determined through trial and error, no matter how secret it’s kept. The intricate patterns and markers on the human face may be on display at all times, but they’re significantly more difficult to spoof.
Authentication measures like retina scans or facial scans provide a simple user experience and far more security. With liveness detection ensuring that biometrics are presented on the spot by living, breathing people, these safeguards become even stronger. Bad actors attempting to take over an account can’t hold up a photograph or wear a mask of someone’s face to fool the system; the attempt will be detected.
Connecting the digital and physical worlds with identity verification
Harnessing those ultra-precise, unique biometric markers will level up account security a great deal, but they are limited in what they can do on their own. Adding another layer, identity verification, which links those biometrics to a real, verified person, will ward off even more sophisticated fraudsters.
By comparing a person’s biometric markers to the ones depicted on a genuine, government-issued photo identity document, identity verification guarantees that the person creating an account is who they claim to be. Tying a live image of an account holder’s biometrics to their identity documents creates a much stronger safeguard against fraudsters, who now need to create near-undetectable replicas of both a live face and government document to gain access to an account.
This technology can be applied to both the “forgot my password” and two-factor authentication workflows. It takes just one compromised email account for fraudsters to wreak havoc, using it to access or reset the passwords of every other service a person uses. Inserting biometric authentication and identity verification into those workflows brings this chain of events to a screeching halt, rendering takeover attempts useless without the account owner present.
Just because information is private doesn’t mean it’s a secret – and certainly not a secret that can protect sensitive accounts. As companies seek to strengthen account security, harnessing what is not secret but inimitable, namely faces and physical markings, will foster a much safer ecosystem and help what’s private stay that way.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.