Back to the secure future: The need for multi-factor authentication
By Ján Lunter, Founder and CEO of Innovatrics
Apparently, doomsday won’t be a meteorite strike, but a cyber-security tragedy: According to the Allianz Risk Barometer, cyber incidents are companies’ biggest fear (44% of responses), followed closely by business interruption (42%) and natural disasters (25%).
In a climate where cyberattacks are at their peak (with brute force attacks on passwords being the most common), it’s no surprise that IT professionals at Fortune 500 companies like Google are pushing forward new security regimes. One business after another is adding multi-factor authentication (MFA) to its security infrastructure – and biometric technology is becoming the most sought-after element with an expected market growth to $55.42 billion by 2027. But what’s wrong with traditional passwords, and what do companies need to do to ensure a secure cyber environment?
Let’s explore the latest trends in authentication methods and find out why incorporating biometrics into any of them offers double protection against cyber threats.
Why passwords can threaten your company’s future
Before getting into why passwords are flawed, let’s go through the following list and count how many of these mistakes every one of us has made in the past:
- Forgot a password and needed to recover an account
- Used the same password twice
- Kept the default password for too long before updating it
- Shared a password with a colleague
- Used the same password for more than three months
- Used the same password for personal and work accounts
Most people will cross off at least three bullets from the list, but there’s a good excuse for that: too often, we are not even aware of the immense risk we are taking by sharing, copying, or writing down the passwords we use to access digital services. IT companies are trying to help, for example by warning that you’re using a known leaked password, but fewer than a third of users actually heed the alert.
Nevertheless, a leaked password isn’t only a matter of human carelessness. Passwords are becoming easier to crack as attack tooling advances: with automated scripts, fraudsters can run through candidate credentials (the most common words, number combinations, and so on) and, this way, gain access to user accounts. A single password leak can have a huge impact. Hackers’ ultimate goal is to compromise a single account (e.g. the main e-mail address) and gain access to all other passwords in the same stroke.
It’s high time that passwords were retired, and not just because of the ease with which hackers crack passwords and steal data. According to a Gartner Group study, password management costs organizations between $70 and $200 per user per year – whereas multi-factor authentication starts at $1.40 per user. There’s also the inconvenience of remembering passwords and recovering them when memory fails. Most of us use web browser autofill, which limits the user to a specific browser or even device. In an ideal world, we’d remember all our user data and passwords for every website we’ve ever had to log into – without having to use the same password twice or write it down. You can imagine how far we are from that ideal world.
You need multi-factor authentication (MFA) instead
The recently conducted Ping Identity Survey revealed that IT and security professionals consider multi-factor authentication the most effective security control they have in place for protecting both on-premises and public cloud data.
As the name suggests, multi-factor authentication works with several authentication factors that a user has to provide with each login attempt. These factors are usually something the user has (a phone token or a device like a USB key), something the user knows (a password or code), and something the user is (biometric identity). The minimum is two factors, i.e. two-factor authentication (2FA). Companies could start by combining a password with token-based authentication, such as a verification code sent by email or generated by an app like Authy or Google Authenticator.
However, companies should not forget the importance of the user experience. Using two apps is often perceived as cumbersome, with users having to switch between apps or even devices and copy codes and passwords from one to the other. In addition, even though these apps boost security compared to a simple password method, fraudsters can still easily bypass this type of security system. In one famous case, hackers gained access to Dorsey’s Twitter account with a SIM swap attack by getting a mobile carrier to switch the service to a new phone.
That’s why more and more businesses are opting for biometric identification technology. It requires a user to scan their fingerprint, iris, or other biometric characteristic and takes only about a second to confirm that the owner of the stored biometric data is the same person trying to log in. Apple iPhone users will know how quickly Face ID, the newest feature on the iPhone, approves Apple Store purchases – and this minuscule effort of looking at a screen can become the future of all digital access.
And while there have been glitches in the past – such as failing to identify someone correctly when they are wearing a face mask – thanks to techniques such as passive liveness detection, the biometric algorithm can now determine even more accurately whether it is seeing your real face. This advance uses image recognition and deep learning to detect even the slightest differences between a real face and a photo, a 3D mask, or a digital copy.
How to implement MFA with a biometric factor
Many smaller companies (47%) have not given up on the outdated password method because they have no understanding of how to protect themselves against cyberattacks. Besides, three out of four small businesses say they don’t have the personnel to address IT security.
Most solutions will work just fine using the smartphone’s integrated fingerprint or face recognition via the business’s own application. Thanks to supplier technology companies, deploying MFA is much easier than many expect and cheaper than the alternative: being hacked. Here’s some guidance on how to decide on a supplier technology:
- Focus on solutions that all users can deploy without requiring additional hardware.
- Choose a solution that works with your existing IT infrastructure.
- Choose a solution that can be installed or integrated into an app infrastructure seamlessly without going to each workstation to install it.
- The MFA solution needs to be easily managed and allow administrators to respond to end-user issues quickly.
- When choosing face recognition, make sure your provider uses an unbiased algorithm and supports passive liveness detection.
How feedback matters for MFA
When you switch from passwords to MFA, informing your customers about the changes is imperative. Use emails, newsletters, or social media channels to make your audience aware of the new security infrastructure adjustments. Blog and social media posts on how to use the new feature and its impact will allow you to start a discussion with users. By soliciting feedback, you can gauge the effectiveness of your new security system and identify issues as well.
Try to find out the following key indicators regularly:
- How often does identification fail?
- Are the onboarding process and the actual authentication method fast enough?
- Are customers experiencing issues when logging in?
- Does a reset work flawlessly?
As with all security systems, building a support system for your customers is necessary. First, you need to ensure that you provide your customers with the essential resources and information about their privacy and ensure that their biometric data (which is very sensitive) is secure.
Second, you need to provide enough information about how the MFA system works and what customers need to do if they have problems with their login, if the system can’t identify them correctly (re-enrolment process), or if their device fails. Only by assessing performance and gathering feedback will you improve your customers’ experience over time and optimize your security infrastructure.
Regardless of which vendor and option you choose, the need to implement a reformed security infrastructure is becoming more urgent. You may still be reluctant to upgrade your channels to the new technology, wary of the cost, of a tarnished image, and of customer feedback. But don’t simply stay blind to the true cost a hack has on your business: immense damage to your reputation can’t be recovered as quickly as a lost password.
About the author
Jan Lunter is Co-founder and CEO of Innovatrics, which has been developing and providing fingerprint recognition solutions since 2004. Jan is the author of the algorithm for fingerprint analysis and recognition, which regularly ranks among the top in prestigious comparison tests (NIST PFT II, NIST MINEX). In recent years he has also been working on image processing and the use of neural networks for face recognition.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.