Have you noticed how quickly the story of the Russian hackers and the billion stolen passwords has quieted down? I’ve spoken to a couple of security experts who admitted to being skeptical, and I read a few articles that raise a lot of unanswered questions about this attack and how it played out.
Whatever the truth is, this much I do know: Passwords, user names, and other personally identifiable information have been gathered by cybercriminals. Just look at the results of the SafeNet Breach Level Index, which found that nearly two million customer records were breached every day during the second quarter of 2014. As I said after the news of the Russian hackers was released, there is a good chance that almost every user name and password has been breached already.
The news does serve as a pretty good reminder that we need to take a closer look at passwords as a security tool, first and foremost. But has the time finally come when we have to rethink authentication methods?
Yes, writes David Britton, VP of Industry Solutions at 41st Parameter, in an Experian blog post:
Any business that functions in a web-connected environment that has a need to recognize new or returning consumers must look beyond the simple credentials that have been provided by the user, such as usernames, passwords, email addresses, phone numbers, handles, secret questions or secret answers. To increase assurance, businesses need to start looking at authenticating users through the devices that are being used to present those credentials.
Britton added that he thinks the time has come to move to a layered authentication system that will include real-time updates from consumers. I like his thoughts on a layered approach. When I talk about moving to a better authentication process, I think we have to move beyond standard two-factor, which almost always means a password first and then something like a text message, a token or security questions. And two-factor is hardly foolproof, as a CNET article pointed out:
It's true that two-factor authentication is not impervious to hackers. One of the most high-profile cases of a compromised two-factor system occurred in 2011, when security company RSA revealed that its SecurID authentication tokens had been hacked.
Added layers and more than two factors make sense, but at the same time, they make logging on to a site cumbersome. Consumers do not like being inconvenienced. Christopher Martincavage, senior sales engineer with SilverSky, suggested a relatively easy logon layer: third-party logons. He said to me in an email:
We have all seen the sites that state “login using your Facebook account.” By leveraging a third-party authentication site like Facebook (which uses OAuth), you could limit your user account footprint since your username and password become tokenized and will only work from the original site that it synchronized with. After all, would you rather trust facebook.com or bobswidgetcompany.com (hope that’s not a real site) to securely store your username and password? In addition, sites like Facebook and Google also offer free two-factor authentication.
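To make the layered approach discussed above concrete, here is an added example that is not part of the original column or of any vendor's product. It stacks three layers in the order Britton and the CNET piece suggest: a salted password check, recognition of a device that has already passed a second factor, and, for unknown devices only, a one-time code of the kind authenticator apps generate (RFC 6238 TOTP, implemented here from the standard library). The user store, the cookie scheme, the policy of skipping the code on a recognized device, and the user "alice" are all assumptions made for the example; the only real data is the RFC 6238 test vector checked in the comments.

```python
"""Layered log-on check: password, then device recognition, then a TOTP code.

Hypothetical example. The user store, the device-cookie scheme and the policy
below are assumptions for illustration, not any vendor's implementation.
"""
import hashlib
import hmac
import secrets
import struct

PBKDF2_ITERATIONS = 200_000
TOTP_STEP = 30                    # seconds per code, as in RFC 6238
DUMMY_SALT, DUMMY_DIGEST = b"\x00" * 16, b"\x00" * 32


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def totp(secret, at_time, digits=6, step=TOTP_STEP):
    """RFC 6238 TOTP over HMAC-SHA1: the algorithm authenticator apps use.
    With the RFC's ASCII secret b"12345678901234567890", time 59 and 8 digits
    this returns "94287082" (RFC 6238 Appendix B test vector)."""
    counter = struct.pack(">Q", int(at_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret, code, at_time, window=1):
    """Accept the current step or one step either side to tolerate clock drift."""
    return any(
        hmac.compare_digest(totp(secret, at_time + drift * step_offset).encode(), code.encode())
        for drift in range(-window, window + 1)
        for step_offset in (TOTP_STEP,)
    )


def authenticate(store, username, password, device_cookie, otp, now):
    """Run the layers in order; a later layer only runs if the earlier one held."""
    user = store.get(username)
    if user is None:
        # Hash anyway so an unknown username takes as long as a wrong password.
        verify_password(password, DUMMY_SALT, DUMMY_DIGEST)
        return {"decision": "deny", "reason": "bad credentials"}
    if not verify_password(password, user["salt"], user["pw"]):
        return {"decision": "deny", "reason": "bad credentials"}
    # Layer 2: a device that previously passed the second factor presents its cookie.
    if device_cookie is not None and device_cookie in user["devices"]:
        return {"decision": "allow", "reason": "password + recognized device"}
    # Layer 3: unknown device, so a one-time code is required before access.
    if otp is None:
        return {"decision": "challenge", "reason": "unknown device, one-time code required"}
    if not verify_totp(user["totp_secret"], otp, now):
        return {"decision": "deny", "reason": "bad one-time code"}
    new_cookie = secrets.token_hex(16)           # enrol this device for next time
    user["devices"].add(new_cookie)
    return {"decision": "allow", "reason": "password + one-time code", "device_cookie": new_cookie}


def make_store():
    """Constructed single-user store; the password and secret are sample values."""
    salt, digest = hash_password("correct horse")
    return {"alice": {"salt": salt, "pw": digest,
                      "totp_secret": secrets.token_bytes(20), "devices": set()}}


def run_demo():
    """One user logging on from a new device, then the same device, then with a bad password."""
    store = make_store()
    secret = store["alice"]["totp_secret"]
    now = 1_700_000_000                          # constructed timestamp
    first = authenticate(store, "alice", "correct horse", None, None, now)
    second = authenticate(store, "alice", "correct horse", None, totp(secret, now), now)
    cookie = second.get("device_cookie")
    third = authenticate(store, "alice", "correct horse", cookie, None, now + 3600)
    fourth = authenticate(store, "alice", "wrong", cookie, None, now)
    return [first["decision"], second["decision"], third["decision"], fourth["decision"]]


if __name__ == "__main__":
    print(run_demo())                            # ['challenge', 'allow', 'allow', 'deny']
```

The order of the layers is the point: the password is checked first so the device cookie alone never grants access, the cookie is only ever issued after a one-time code has been verified, and a wrong password is refused regardless of how trusted the device is. Dropping the second factor for a recognized device is the trade-off the column describes between added layers and consumer inconvenience; a site that wants more assurance can simply require the code every time.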
What do you think? Would you consider adding this as an authentication layer to log on to your business site?
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba