5th May 2016 is marked as “World Password Day”. While addressing the concerns around password protection is critical, I find it amusing how age-old techniques and expert suggestions have never matured. It further surprises me how the same repeated advice is projected as the way to protect passwords:
- Use a combination of spaces, special characters, numbers, CAPITAL letters, etc.
- Password length should be a minimum of x characters
- Use a different password for each account
- Use a password manager
- Use multi-factor authentication
There are TWO BIG PROBLEMS with the above, each of which is more than enough to disrupt the adoption of security around logins:
User convenience: security has always been perceived as the bottleneck or hindrance to the adoption of a technology or the growth of a product.
Sharing of passwords: the most common practice. Whether we are on holiday or on the road, we share our passwords so that a colleague at the office or a friend can do some of our tasks on our behalf.
So, let me address each of the suggestions enumerated above in the light of user convenience:
- A combination of spaces, special characters, numbers and CAPITAL letters is, I feel, important, but it is rarely followed unless the login feature enforces it. When such a strict policy is enforced without proper guidance, end users get irritated and tend to abandon the registration process without ever looking back.
- Password length, though important, suffers from end users choosing the minimum length that is allowed. If the website does not enforce it, users fall into the same trap as with the choice of character combinations.
- A different password for each account is a killer, because we have so many accounts in today's world, from office to personal and from banks to email, that it is simply not humanly possible to remember them all.
- A password manager, though efficient, ties your memory to the tool, leaving the end user unable to use the account from any device other than the one where the password manager is installed.
- Finally, multi-factor authentication: good in principle, but the most common form factors, such as a PIN or an SMS or email OTP, suffer from the “Man in the Mobile (MITMo)” attack. We demonstrated one such vulnerability live against a trillion-dollar bank at the 11th Middle East Retail Internet Banking Expo 2016 last month in Dubai. SIM cloning is rampant, making such popular mechanisms so-called “security without any true security”.
The emergence of social logins is the result of the above challenges and, most importantly, of user convenience. But what happens when the social login itself is compromised?
So, what is the solution? First, firms, whether startups or large enterprises, have to start looking at security as a multi-layered approach that puts user convenience first and balances it with security, so that “SECURITY is considered a BUSINESS ENABLER”. The approach should be:
- Layer 1 Entity User Behaviour Authentication (EUBA): Cognitive fingerprinting using the behavioural traits of users is fast becoming one of the most popular products. EUBA helps in understanding how you type your password without knowing the password itself, because it works from the rhythm of the keystrokes rather than from the characters typed. Based on machine learning and neural networks, EUBA can self-adapt and self-adjust to user logins in real time. Completely transparent and non-intrusive, EUBA learns user login behaviours from their past history of logins. Traits such as how fast you type, how hard you press the keys (where the hardware reports it), whether you are a two-finger (“chopstick”) typist and whether you are left- or right-handed can be captured in real time and used to recognise the user behind the login. One can see the power of EUBA when a candidate submits an assignment on Coursera and is identified as the genuine user just by the way they type.
- Layer 2 Risk-based Adaptive Authentication (RBAA): Yet another non-intrusive layer, RBAA builds on the user's past login history, with characteristics such as device preferences, software preferences, geolocation, velocity (how far the user appears to have moved since the last login, and how fast) and many more, and helps firms decide dynamically how much risk a login carries and what action to take on the anomalies found in real time.
- Layer 3 Context-based true identification for all-channel authentication: PUSH-based out-of-band authentication combined with biometric authentication such as fingerprint, face or voice, or a PIN, should be the final layer of authentication, triggered as the action on the anomalies found by the above two layers. Context-based multi-factor authentication, where the end user knows exactly what, who, when and from where the login is happening before approving it, is the key, not plain OTPs in the form of SMS, email or hardware tokens.
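To make the Layer 1 idea concrete, here is an added example (not Ezmcom's product code, and not taken from the original post) of the most basic keystroke-dynamics signal: per-key dwell and flight times captured while a user types a fixed string, turned into a profile, and a later typing scored against it. The function names, the 2.5 z-score limit, the 0.8 acceptance threshold and all timings are assumptions constructed for the illustration; a real EUBA engine uses many more features and a trained model, but the principle that only timings are read, never the characters, is the same.

```python
"""Keystroke dynamics of the kind Layer 1 (EUBA) relies on.

Added example, not Ezmcom's product code. It takes the press/release timings captured
while a user types a fixed string (for example the password field) and builds a profile
from two per-key features:
  dwell  = release - press for each key (how long the key is held)
  flight = press of key i+1 - release of key i (gap between keys)
Only timings are used; the key labels are never read, which is how the behaviour can be
learned "without knowing the password". All timings below are constructed.
"""
from statistics import mean, pstdev

MIN_STD_MS = 5.0  # floor on per-feature spread so a very regular enrolment cannot divide by zero


def features(events):
    """events: [(key, press_ms, release_ms), ...] in typing order -> dwell times then flight times."""
    dwell = [release - press for _key, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight


def enroll(samples):
    """Per-feature mean and spread over several enrolment typings of the same string."""
    vectors = [features(s) for s in samples]
    n = len(vectors[0])
    if any(len(v) != n for v in vectors):
        raise ValueError("enrolment samples must be typings of the same string")
    columns = list(zip(*vectors))
    return {
        "mean": [mean(c) for c in columns],
        "std": [max(pstdev(c), MIN_STD_MS) for c in columns],
    }


def score(profile, sample, z_limit=2.5):
    """Fraction of features whose z-score against the profile is within z_limit (1.0 = fully consistent)."""
    f = features(sample)
    if len(f) != len(profile["mean"]):
        raise ValueError("sample does not match the enrolled string length")
    outliers = sum(
        1 for x, m, s in zip(f, profile["mean"], profile["std"]) if abs(x - m) / s > z_limit
    )
    return 1.0 - outliers / len(f)


def verdict(profile, sample, accept=0.8):
    """Assumed policy: accept when at least 80% of the timing features look like the enrolled user."""
    return "match" if score(profile, sample) >= accept else "anomaly"


def make_sample(keys, dwells_ms, flights_ms):
    """Build a constructed event list from dwell and flight durations, starting at t=0."""
    events, t = [], 0
    for i, key in enumerate(keys):
        press, release = t, t + dwells_ms[i]
        events.append((key, press, release))
        if i < len(flights_ms):
            t = release + flights_ms[i]
    return events


KEYS = list("pass")
# Constructed enrolment: the genuine user holds keys ~90 ms and pauses ~120 ms between them.
GENUINE_ENROLMENT = [
    make_sample(KEYS, [90, 95, 88, 92], [120, 115, 125]),
    make_sample(KEYS, [92, 90, 90, 95], [118, 120, 122]),
    make_sample(KEYS, [88, 93, 91, 90], [122, 117, 119]),
    make_sample(KEYS, [91, 94, 89, 93], [119, 121, 123]),
]
PROFILE = enroll(GENUINE_ENROLMENT)
# A later login by the same user, and one by someone who knows the password but types it very differently.
NEW_GENUINE = make_sample(KEYS, [90, 92, 90, 91], [121, 118, 120])
IMPOSTER = make_sample(KEYS, [60, 65, 58, 62], [300, 280, 310])

if __name__ == "__main__":
    for name, sample in (("genuine", NEW_GENUINE), ("imposter", IMPOSTER)):
        print(f"{name}: score={score(PROFILE, sample):.2f} verdict={verdict(PROFILE, sample)}")
```

Note the failure mode the spread floor guards against: four near-identical enrolment typings would otherwise give a standard deviation close to zero, and every later login, including the genuine user's, would be flagged. In practice the profile is also re-trained from accepted logins so that it follows slow drift in the user's typing.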
PASSWORDS are inevitable, but what organisations should do is follow a multi-layered, user-convenient yet secure mechanism to mitigate the risks around authentication, discouraging bad practices such as password sharing and improving the user experience so that there is no more worry about the “real password” as such.
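As an added example of how Layer 2 and Layer 3 of the mechanism above fit together (this is illustration code, not Ezmcom's product and not from the original post), the following scores a login attempt against the user's history (new device, new location, impossible travel) and, when the risk is high, issues a push challenge whose approval is an HMAC over the exact context shown to the user. The login history, the two attempts, the device key, the risk weights and the 30-point step-up threshold are all constructed assumptions; the phone side is simulated in-process, whereas in a deployment the key would sit in the handset's secure hardware. The contrast with an SMS OTP is the point: an OTP is valid for whichever session presents it, so it survives SIM cloning, while this approval is bound to one challenge and is worthless anywhere else.

```python
"""Layer 2 (risk-based adaptive authentication) feeding Layer 3 (context-bound push approval).

Added example, not Ezmcom's product code. History, attempts and the enrolled device key are
constructed. The "phone" side is simulated here; in a real deployment the approval key would
live in the handset's secure hardware and the user would see the context (who, what, when,
where) in the push notification before approving.
"""
import hashlib
import hmac
import json
import math

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # roughly airliner speed; faster than this is "impossible travel"
STEP_UP_THRESHOLD = 30      # assumed policy: risk at or above this triggers the Layer 3 challenge
WEIGHTS = {"new_device": 40, "new_location": 20, "impossible_travel": 50}   # assumed weights

# Constructed: one user's recent successful logins (device id, city, coordinates, unix time).
BASE_TS = 1_462_000_000
HISTORY = [
    {"device": "iphone-A1", "city": "Dubai", "lat": 25.20, "lon": 55.30, "ts": BASE_TS - 86_400 * 3},
    {"device": "iphone-A1", "city": "Dubai", "lat": 25.20, "lon": 55.30, "ts": BASE_TS - 86_400},
    {"device": "laptop-B7", "city": "Dubai", "lat": 25.20, "lon": 55.30, "ts": BASE_TS},
]
DEVICE_KEY = b"constructed-key-held-only-by-the-enrolled-phone"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, used for the velocity check."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def risk(history, attempt):
    """Layer 2: score an attempt against the user's history; returns (total, reasons)."""
    reasons = []
    if attempt["device"] not in {h["device"] for h in history}:
        reasons.append("new_device")
    if attempt["city"] not in {h["city"] for h in history}:
        reasons.append("new_location")
    last = max(history, key=lambda h: h["ts"])
    distance = haversine_km(last["lat"], last["lon"], attempt["lat"], attempt["lon"])
    hours = max((attempt["ts"] - last["ts"]) / 3600, 1 / 60)   # one-minute floor, never divide by zero
    if distance / hours > MAX_PLAUSIBLE_KMH:
        reasons.append("impossible_travel")
    return sum(WEIGHTS[r] for r in reasons), reasons


def make_challenge(user, attempt, nonce):
    """Layer 3: the context the user sees in the push, serialised canonically so both sides MAC the same bytes."""
    context = {"user": user, "action": "login", "app": attempt["app"], "from_city": attempt["city"],
               "from_device": attempt["device"], "ts": attempt["ts"], "nonce": nonce}
    return json.dumps(context, sort_keys=True, separators=(",", ":"))


def device_approve(device_key, challenge):
    """Runs on the enrolled phone after the user taps Approve: MAC over exactly the displayed context."""
    return hmac.new(device_key, challenge.encode(), hashlib.sha256).hexdigest()


def verify_approval(device_key, challenge, approval):
    return hmac.compare_digest(device_approve(device_key, challenge), approval)


def authenticate(user, history, attempt, nonce, approve=None):
    """Full flow: allow low-risk logins; otherwise push a challenge and accept only an approval bound to it.

    approve: callable(challenge) -> approval string from the phone, None if the user declined.
    Passing approve=None means no answer has arrived yet, so the login stays pending.
    """
    total, reasons = risk(history, attempt)
    if total < STEP_UP_THRESHOLD:
        return "allow", reasons
    challenge = make_challenge(user, attempt, nonce)
    if approve is None:
        return "step_up", reasons
    approval = approve(challenge)
    ok = approval is not None and verify_approval(DEVICE_KEY, challenge, approval)
    return ("allow" if ok else "deny"), reasons


# Constructed attempts one hour after the last login: the known laptop in Dubai vs. an unknown phone in Kyiv.
ATTEMPT_HOME = {"device": "laptop-B7", "city": "Dubai", "lat": 25.20, "lon": 55.30, "app": "netbanking", "ts": BASE_TS + 3600}
ATTEMPT_AWAY = {"device": "android-Z9", "city": "Kyiv", "lat": 50.45, "lon": 30.52, "app": "netbanking", "ts": BASE_TS + 3600}

if __name__ == "__main__":
    print(authenticate("alice", HISTORY, ATTEMPT_HOME, "n1"))
    print(authenticate("alice", HISTORY, ATTEMPT_AWAY, "n2"))
    # The phone shows "login / netbanking / Kyiv / android-Z9"; a genuine user declines.
    print(authenticate("alice", HISTORY, ATTEMPT_AWAY, "n2", approve=lambda _c: None))
    # An approval captured from an earlier, different challenge is rejected: it is bound to that context.
    stale = device_approve(DEVICE_KEY, make_challenge("alice", ATTEMPT_AWAY, "n-old"))
    print(authenticate("alice", HISTORY, ATTEMPT_AWAY, "n2", approve=lambda _c: stale))
```

Two design points worth noting. The challenge carries a nonce and the attempt timestamp, so a replayed approval fails even when the rest of the context happens to repeat; a production server would also expire pending challenges after a short window. And the user is shown the same serialised context that is MACed, which is what lets them spot a login they did not initiate, the "what, who, when and from where" the post asks for.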
So, let's come together to make PASSWORDS really safe yet user-friendly. Let SECURITY become a BUSINESS ENABLER.
Disclaimer: I work for a security startup, Ezmcom, and we specialise in and power the above three layers for 50+ large banks and 300+ enterprises globally, making the lives of 60M+ users a little better.