We all thought that combining “something you have, something you are and something you know” would make our login data safer, but it is evident that customer authentication factors have failed to hold down the fort. Even with all the factors we are repeatedly asked to provide, technology has failed to protect the consumer’s data.
– Passwords no longer protect
The use of passwords is slowly fading away. Protecting several accounts with passwords, together with the need to create complex secret words and change them every month or two, is tedious.
Many users opt to recycle one password across various services. Last year’s report by TeleSign Consumer Account Security says 71% of accounts are secured by a single password used across many sites. Therefore, if a password is compromised in a data breach or phishing attack, cybercrooks may take advantage of other accounts belonging to the same user.
Knowledge-based authentication (KBA) serves as a backup plan for passwords. TeleSign reported that 56% of internet users consider KBA, which is also part of “something you know”, their preferred method of additional authentication. On the other hand, Gartner research found that consumers fail to give correct answers to their KBA questions 15–30% of the time, while cybercrooks respond to those questions correctly 60% of the time. Tricksters often source this data through phishing or from social media.
– SMS authentication is a major setback
To implement the concept of “something you have,” experts designed physical tokens that generate a different one-time password (OTP) every minute.
This practice has also moved to smartphones, where OTPs are sent as SMS/text messages. The danger with this approach is that fraudsters can use mobile malware to intercept these important messages and read them.
Surely we all should support the National Institute of Standards and Technology (NIST) in their motion to stop the use of SMS-based OTPs.
– Fingerprint scanning has been compromised
Fingerprint scanning or any other form of biometric authentication sounds cool and easy. After all, it’s the “something you are” part of the concept and looks safer than other authentication methods. Or is it?
Fingerprint readers were well accepted until cybercriminals circumvented this great piece of innovation. Furthermore, if the biometric enrollment process isn’t properly secured, a trickster may register their own fingerprints using a user’s password.
Is there a way out?
Up-to-date technologies, such as those that identify inconsistencies in a consumer’s behavior (also known as behavioral biometrics), can replace the use of passwords and help organizations that offer accounts to virtually all types of businesses, like EMB, to avoid data breaches.
On the other hand, cybercriminals won’t rest until they come up with behavior replay attacks or other tricks to find their way around these security measures. Is there a more appropriate way to secure user identity rather than leave loopholes for crime?
Yes, there is, and the answer lies not in the strategies we choose, but in how we use them. Since fraudsters can provide proof of identity the same way a user can, we might want to take the approach of trusting without ignoring verification. If we can find indicators of malicious intent in the data submitted by criminals, then we can be safer!