How the authentication landscape is changing [Q&A]
Recently there has been much talk of the death of the password and a switch to other forms of authentication, like biometrics, which are seen as more secure.
But is biometric security a complete answer, and do we risk swapping usability for security? We spoke to Perry Chaffee, vice president of strategy at password-less security company WWPass to find out about the latest trends in authentication.
BN: How is the security market changing its outlook with regard to authentication?
PC: Authentication tends to either improve security at the cost of convenience, or improve convenience at the cost of security. Very few solutions improve both. People have become so accustomed to instant gratification that speed and simplicity are the driving force for businesses and innovators. Companies typically gain positive traction for products that are convenient, but not necessarily for ones that are secure. As a result, most authentication solutions trade security in favor of convenience or at best are very small, frequently optional, incremental improvements on security.
BN: In what circumstances could biometric security for authentication be compromised or be an insecure way to verify identity?
PC: Large collections of biometric data have already been stolen, and once this data is compromised, it's difficult or impossible to change. You can't send out a message to your users saying, 'Your account is compromised, please change your fingerprints immediately.' The US Office of Personnel Management (OPM) breach impacted more than 21.5 million Department of Defense and federal employees, including complete sets of fingerprint images (not just biometric scans).
Biometrics can be useful as an additional factor, but should rarely be used as a first factor for any identification/authentication process. Systems using this approach must use a one-to-many matching system. This means comparing a fingerprint scan with all the other fingerprints in the system to find a match. The faster, safer, easier alternative is to use biometrics as an additional factor under a one-to-one system. With WWPass and other systems using this approach, a token or ID card would be used as the first factor to bring up an isolated data container where a biometric scan for that specific person is located. Then, the new scan of a person's fingerprint would be compared only to the one on file in the data container. By moving the biometric step back in the process, it completes the match quickly and more securely, and exposes the system and its users to the lowest level of risk.
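The one-to-many versus one-to-one distinction in this answer can be made concrete with a small simulation. The code below is an added example written for this page, not WWPass software; it assumes toy 16-bit templates, a Hamming-distance tolerance of 2 bits for sensor noise, and token IDs of the form `token-00042`, all of which are constructed for illustration.

```python
import random
from dataclasses import dataclass, field

TEMPLATE_BITS = 16     # toy template width (constructed; real templates are far larger)
NOISE_TOLERANCE = 2    # assumed: bits allowed to differ between two scans of one finger


def hamming(a: int, b: int) -> int:
    """Bit positions in which two templates differ."""
    return bin(a ^ b).count("1")


@dataclass
class MatchResult:
    accepted: bool
    candidates: list      # token IDs whose stored template was within tolerance
    comparisons: int      # number of stored templates that had to be read


@dataclass
class BiometricStore:
    # token_id -> enrolled template. Each entry stands in for the isolated
    # per-user data container that the token or ID card unlocks.
    containers: dict = field(default_factory=dict)

    def enroll(self, token_id: str, template: int) -> None:
        self.containers[token_id] = template

    def match_one_to_many(self, scan: int) -> MatchResult:
        """Biometric used as the first factor: every stored template is compared.
        Accepts only if exactly one template is close enough; two or more
        candidates is an ambiguity the system cannot resolve on its own."""
        candidates = [tid for tid, tmpl in self.containers.items()
                      if hamming(scan, tmpl) <= NOISE_TOLERANCE]
        return MatchResult(len(candidates) == 1, candidates, len(self.containers))

    def match_one_to_one(self, token_id: str, scan: int) -> MatchResult:
        """Token first, biometric second: only the named container is opened
        and the scan is compared with that single template."""
        tmpl = self.containers.get(token_id)
        if tmpl is None:
            return MatchResult(False, [], 0)
        ok = hamming(scan, tmpl) <= NOISE_TOLERANCE
        return MatchResult(ok, [token_id] if ok else [], 1)


def noisy_scan(template: int, rng: random.Random) -> int:
    """Simulate sensor noise: a fresh scan differs from enrollment by one bit."""
    return template ^ (1 << rng.randrange(TEMPLATE_BITS))


def simulate(n_users: int = 2000, seed: int = 7):
    """Enroll n_users random templates, then authenticate user 42 both ways."""
    rng = random.Random(seed)
    store = BiometricStore()
    for i in range(n_users):
        store.enroll(f"token-{i:05d}", rng.getrandbits(TEMPLATE_BITS))
    target = "token-00042"
    scan = noisy_scan(store.containers[target], rng)
    return target, store.match_one_to_many(scan), store.match_one_to_one(target, scan)


if __name__ == "__main__":
    target, many, one = simulate()
    print(f"1:N  comparisons={many.comparisons} "
          f"candidates={len(many.candidates)} accepted={many.accepted}")
    print(f"1:1  comparisons={one.comparisons} accepted={one.accepted}")
```

The cost of the one-to-many path grows with the number of enrolled users, and so does the chance that some unrelated template falls inside the noise tolerance and produces an ambiguous or wrong match. The one-to-one path reads exactly one container, selected by the token, and the match is either right or wrong for that single person.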
BN: When a breach happens, companies ask people to reset their passwords, but what other precautions could they take?
PC: If you're using the same password for several accounts (a terrible practice which many people are guilty of), you’ll obviously want to reset all of them – with different passwords for each.
People should be aware that hackers will also have their usernames, which might just be their email addresses. Most people won’t change their usernames, but hackers can check for accounts on other sites under that name or email, or just break into the email account itself. It's best to maintain different email accounts for different purposes like banking, social media, shopping online, etc., and keep them from ever mixing.
BN: How are retailers and similar enterprises losing revenue through their current shopper authentication methods?
PC: Paid subscriptions and trial accounts are often abused by freeloaders. For these people, the cost of creating a fake account to get another free trial, or borrowing credentials from a friend of a friend is cheaper than the cost of honestly paying for the service. Companies like Amazon and Netflix lose out on massive amounts of revenue this way. The best way to stop this, and also improve their user experience and security for their customers, is to stop using credentials which can be so easily faked, shared or compromised. Many cable and media services have capabilities that turn smartphones into TV remotes; from our perspective, we know they can use this same keyboard-less approach for subscriber login and authentication without sacrificing user convenience.
BN: What can companies do to thwart ransomware, aside from paying criminals or rebuilding from file backups?
PC: For ransomware, people usually mistake where their first line of defense is. Updating software and firewalls is important, and providing awareness training for your employees and users is a good practice. However, the first line of defense is the credentials of your users and system administrators. These are the top target of hackers -- 81 percent, according to Verizon's 2017 Data Breach Investigations Report. It's easy to spend millions on traditional, conventional precautions to build a system like Fort Knox, then blow it all by leaving the keys under the front doormat.
Replacing human readable credentials with a system of hard tokens and IDs will do more to mitigate the risk of lost or stolen data than any other single action you can take. Moreover, while backups are essential, the method of backup is equally important. If the files are encrypted and stored in the cloud, are the encryption keys stored right with them (under the 'doormat')? Are they stored in just one cloud? Are the data sets resilient? If a part in one data center is destroyed, could it be replaced using data sets stored elsewhere? Ideally, the data should be encrypted, then fragmented, then dispersed across different data centers, operated by different providers, in different geographic locations. The data sets should be stored on different types of hard drives made by different manufacturers. This means that a vulnerability exploited by hackers on one type of device shouldn’t impact your complete backup, and you should be able to rebuild any lost data based on the remainder of your data in unaffected devices/data centers elsewhere.
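The encrypt, fragment, disperse and rebuild sequence in this answer, as an added example written for this page rather than any WWPass product code. It assumes four providers with constructed labels (`cloud-A/us-east/vendor-X` and so on), a single-fragment loss tolerance implemented with XOR parity, and a toy HMAC-SHA256 counter-mode stream cipher so that it runs on the standard library alone; a real deployment would use an AEAD such as AES-GCM and could tolerate more losses with an erasure code. The key and nonce are returned to the caller precisely so that they are never stored "under the doormat" next to the fragments.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed provider labels: distinct cloud, region and drive vendor per fragment.
PROVIDERS = ["cloud-A/us-east/vendor-X", "cloud-B/eu-west/vendor-Y",
             "cloud-C/ap-south/vendor-Z", "cloud-D/sa-east/vendor-W"]


@dataclass(frozen=True)
class Fragment:
    index: int       # 0..k-1 hold ciphertext slices, k holds the XOR parity
    provider: str    # where this fragment is stored
    payload: bytes


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode stream cipher built from HMAC-SHA256 so the example needs
    only the standard library; the same call encrypts and decrypts.
    Illustrative only: a deployment would use an AEAD such as AES-GCM."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_no.to_bytes(8, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


def fragment(ciphertext: bytes, providers: list) -> list:
    """Cut ciphertext into k = len(providers) - 1 equal slices plus one XOR
    parity slice, one per provider, so any single provider may be lost."""
    k = len(providers) - 1
    if k < 1:
        raise ValueError("need at least two providers")
    body = len(ciphertext).to_bytes(4, "big") + ciphertext   # length header
    size = -(-len(body) // k)                                 # ceiling division
    body += b"\x00" * (size * k - len(body))                  # pad to k * size
    slices = [body[i * size:(i + 1) * size] for i in range(k)]
    parity = bytes(size)
    for s in slices:
        parity = bytes(a ^ b for a, b in zip(parity, s))
    pieces = slices + [parity]
    return [Fragment(i, providers[i], pieces[i]) for i in range(len(providers))]


def reassemble(fragments: list, total: int) -> bytes:
    """Recover the ciphertext from any total - 1 of the total fragments."""
    present = {f.index: f.payload for f in fragments}
    k = total - 1
    if len(present) < k:
        raise ValueError("more than one fragment lost; cannot rebuild")
    missing = [i for i in range(total) if i not in present]
    if missing:
        # XOR of every surviving piece reproduces the single lost piece
        size = len(next(iter(present.values())))
        rec = bytes(size)
        for p in present.values():
            rec = bytes(a ^ b for a, b in zip(rec, p))
        present[missing[0]] = rec
    body = b"".join(present[i] for i in range(k))
    length = int.from_bytes(body[:4], "big")
    return body[4:4 + length]


def backup(plaintext: bytes, providers: list):
    """Encrypt, then fragment and disperse. Key and nonce go back to the caller
    for storage apart from the fragments (an HSM or KMS is assumed)."""
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    return key, nonce, fragment(keystream_xor(key, nonce, plaintext), providers)


def restore(key: bytes, nonce: bytes, fragments: list, total: int) -> bytes:
    """Rebuild the ciphertext from the surviving fragments, then decrypt."""
    return keystream_xor(key, nonce, reassemble(fragments, total))


if __name__ == "__main__":
    sample = b"constructed sample: 2017 customer ledger, 1,234 rows"
    key, nonce, frags = backup(sample, PROVIDERS)
    lost_one = [f for f in frags if f.provider != PROVIDERS[0]]   # cloud-A destroyed
    print(restore(key, nonce, lost_one, len(PROVIDERS)) == sample)
```

A provider that loses its fragment sees only a slice of ciphertext, and an attacker who exploits one drive model or one data center gets the same. Rebuilding needs the remaining fragments plus the key held elsewhere; losing two providers at once exceeds what single parity can recover, which is the point at which a real design moves to an erasure code with more parity.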