Exclusive: Moving away from passwords to two-factor authentication

04 Oct 2018

Article by Ping Identity APAC chief technology officer Mark Perry

A decade ago, Microsoft put the number of passwords in use at 6.5 for the average user, across 3.9 different sites, but a decade of digital disruption has seen this number skyrocket.

More recent studies suggest the average employee has close to 200 secret letter/number combos on the go at any one time.

How well these passwords protect our sensitive personally identifiable information (PII) is open to question.

Barely a week goes by without news of a successful hacking attempt or significant security breach, at home and abroad.

June this year saw tens of thousands of users advised to change their passwords, after human resources company PageUp announced it had been the victim of a massive data breach, following unusual activity on its site.

Bank details, tax file numbers, dates of birth, addresses and other sensitive data belonging to individuals who’d signed up to the site were potentially open to compromise, according to media reports.

The good news for those who don’t relish trying to remember esoteric strings of numbers and characters – and having to change them regularly as a matter of course and urgently when hackers strike – is that it may be time to say adieu to all of them.

For good.

New developments in ‘zero log-in’ technology look set to redefine the authentication process as we know it and put paid to the dubious protection offered by passwords.

The evolution of zero log-in

A rudimentary form of zero log-in technology is already in use and fast growing in popularity.

Two-factor authentication systems which send us a confirmation SMS and secret code when we log on to internet banking from a new location, or attempt to transfer money to a third-party account for the first time, signalled the birth of the zero log-in process.

More sophisticated methods of verifying identity look set to follow in the near future. Amazon is testing biometric and behavioural means for confirming individuals are who they claim to be.

They include the pressure we apply when we tap our smartphones and our typing speed. These are nuanced and highly specific measures which will likely prove extremely difficult for potential hackers and cyber criminals to guess or replicate. Newer models of iPhones incorporate a variant of this technology.

They have the ability to detect and remember signals from other connected devices, such as cars, Fitbits and headphones.

While potential attackers may be able to fluke their way past some of these safeguards, escaping detection by all of them may prove more difficult.

No password, no problem – or is there?

While the brave new world of zero log-in promises plenty of upsides, it will inevitably have its limitations.

User concerns about privacy and the secure storage of biometrics and unique behavioural data are likely to heighten as increasingly sophisticated forms of the technology go mainstream.

It’s reasonable for individuals to experience a degree of disquiet at the prospect of their biometrics and physical locations being sent over the internet and stored in data vaults, possibly in perpetuity.

However secure the infrastructure, the possibility of its being hacked can never be ruled out entirely.

For individuals who are concerned about data privacy, this may be a fear which is difficult to allay entirely.

Concerns about individuals being monitored without their knowledge may need to be addressed with legislation and regulatory frameworks prior to the technology gaining widespread acceptance.

Making the switch

How soon and how easily will we make the switch from password protection to a zero log-in environment in which our phones and devices will recognise us by mere touch alone?

Effective regulation will be the key to adoption and acceptance, by both organisations and their customers.

Prioritising privacy and consent will likely result in users becoming more willing to abandon their secret alphanumeric strings in favour of the more secure, personalised and frictionless experience that, in time, zero log-in promises to provide. 
