Security beyond a Password

When we talk security in IT, one of the biggest areas of risk lies in the password.  Ever smarter cyber criminals, armed with advanced technologies mean both big business and small business alike are looking beyond the password as the gatekeeper to IT infrastructure.

This trend grows as a password alone is no longer enough to prevent criminals from getting your information. Add to this the fact that due to having so many passwords users often duplicate the same password across multiple log-ins and your IT infrastructure looks even more exposed.

So what does the future look like? An eyeball scanner attached to every device? Close, but not exactly (yet).

Two-factor Authentication

The largest current trend for additional password security is the utilisation of two-factor authentication. That is, when logging in, the user is also required to use a secondary device to confirm they are indeed who they claim to be.

A simple two-factor authentication process is already in existence across many businesses, such as eBay, Google, Facebook etc. When a user attempts to login the respective businesses sends a one-time use code to a mobile to be entered along with the password. The use of several devices requires a cyber theft to obtain the secondary device to get access. This physical barrier makes it much harder for the criminal to access the account.

It should be noted that two-factor authentication is not just restricted to entering a one-time use code. Additional secondary factors could include anything from sending a text message to the use of any biometric technologies.

Biometric Technologies

Rather than requiring the memorisation of a complex series of letters numbers and special characters, biometrics is simply a part of you that may or may not be unique.

These characteristics could include a finger print, DNA, the use of facial recognition, voice or even your heart beat. This simple approach reduces the frustration you may have experienced before by removing the need to remember a password altogether.

These are not without their own inherent risks however. Biometric technologies are still able to produce false negatives or positives. And most can even be obtained, such as DNA, or a finger print which a person will leave on many surfaces throughout a day.
So even though these technologies seem quite advanced, they should only be used in turn with a secondary authentication method.

Physical Security Tokens

Like biometric technologies, the use of physical tokens removes the necessity to remember a password. Instead they run off a physical key you have on your person. The use of pay pass is a good example of this – your bank card of choice acts as the key itself and removes the need for you to memorize a pin.

This can also be observed with your smartphone and a wide variety of app as that utilise this methodology for authentication. A key can be generated and transmitted via your phone, effectively using the smartphone as the physical key.

Another example is the use of USB keys. Workers login using a username and password and use their personal USB for secondary authentication.

Risk based authentication

Of course, armed with someone’s password it can be very easy to get access to their account. As we mentioned, many people use the same password across different accounts – from Facebook to Spotify to their work account. That means that if a cyber criminal accesses a poorly protected site, and the user uses the same password across all of their logins – then the criminal can readily follow the user across the internet and potentially identify their work login and break in.

This is where risk based authentication is handy. Risk based authentication applies limits and protections on the type of information a user can access, under a variety of conditions.

For example, if you generally work on site between 9:00am to 5:00pm on a local computer, the chance of a cyber criminal breaking in to your office and accessing your personal computer AND guessing your password is quite low.

However, if someone tried to remotely access your login from a city on the other side of the country at 2:00am on an unknown device then the chance is it is not you. Risk based authentication could be setup to deny login or require additional authentication.

These are a secondary precaution taken to check that the login attempt was executed by you. Outside of your control they are enforced by the provider you’re with. These will include the location of a login, the timing, what device it is on and the sensitivity of the data trying to be accessed. These are then measured against predicated values for you and a risk of access is decided.

So, no eye scanner, Yet.

As with most technologies it is a matter of being vigilant, but also staying ahead of the bad guys. Simple things like using unique, strong passwords are still best practice. However, there are a growing number of options that make it exponentially harder for the bad guys to steal your IT data.