What Mark Zuckerberg’s Password Hack Says About Cybersecurity

By Brett McDowell and Bethany Cianciolo
June 30, 2016, 5:44 PM ET

Photograph by Bill Hinton via Getty Images

Brett McDowell is the executive director of the FIDO Alliance, the nonprofit industry association creating standards for stronger, simpler authentication.

Did you just get a notification from another Fortune 500 company asking you to change all of your passwords? If not, you will soon enough.

It’s almost fashionable to become the victim of a data breach these days, or at least you’d think so, given the who’s-who list of companies announcing them. Earlier this month, 32 million Twitter (TWTR) passwords went on the market. And just days before that, password stores harvested from previous security breaches at LinkedIn (LNKD), Myspace, Tumblr, and Fling were posted for sale online, leaving 642 million accounts compromised. Add these to the 1 billion-plus passwords already out there on the black market and the fact that people tend to use the same, simple passwords across the web, and it’s official: We don’t just have a password problem—we have a password crisis.

With this latest leak of passwords stolen from LinkedIn, even Mark Zuckerberg was found to be using a very simple password—“dadada”—across at least two different web applications, and chose not to enable strong authentication when it was available at these sites.

The conventional wisdom for how to stay safe online is widely cited and relatively sound: 1) use a different, complex password at each of your online accounts; 2) enable strong authentication (often called “two-factor authentication” or “two-step verification”) where it’s available, and 3) don’t be afraid of using a modern password manager if it helps you achieve No. 1.

So why is it, when we have all been told over and over again exactly how to make ourselves safer online, that even Internet industry leaders choose not to do so? The answer is simple: They don’t like the user experience.

Realistically, most of the general population is just like Zuckerberg. It is difficult and frustrating to remember a different, complex password for every single online account—early studies suggest the average web user has at least 25 accounts. So they revert to the easy-to-remember passwords: “123456” is a popular one; “password” is another.

Most users aren’t opting in to use strong authentication either, which is typically a one-time passcode (OTP) sent to a mobile device. This is because the outdated definition of strong authentication is predicated on the idea of adding an extra step to the process. This just slows users down and creates what e-commerce refers to as “friction” in the user experience.

In short, users don’t love the experience of following today’s recommendations for strong authentication, and that is why we have not—and will not—see widespread adoption of strong authentication unless companies address the user experience in a fundamentally better way.

The security needs to be improved, too. Both the password and OTP systems of authentication are inherently vulnerable to many forms of inexpensive, scalable attack because their very nature requires both the user and the web service to know the password or passcode (also called a “shared secret”).

In the case of passwords, this shared information is put into long-term storage on servers where it remains vulnerable to a data breach even years after the user forgot he or she even had an account there. In the case of OTP systems, where the passcode expires quickly, users are still vulnerable to social engineering attacks where the user is tricked into giving away his or her OTP before it expires, hence the troubling statistic that 63% of all data breaches involve the use of stolen, weak, or default passwords.

To really solve the password crisis, online service providers need to do two things now: improve the user experience of strong authentication by making it easier to use, and design the technology so the authentication “secrets” are never shared or stored on servers.

To solve the usability problem, many organizations are looking at options like biometrics, wearables, and security tokens as solutions that are even easier than typing “dadada.” Biometrics, in particular, are becoming a trend to improve the authentication user experience, especially with many banks rolling out biometric authentication. The trend is due, at least in part, to the fact that an increasingly large majority of mobile devices are shipped with biometric capabilities like fingerprint scanners and facial recognition built right in. Applications that take advantage of these new capabilities are able to offer users something truly novel: a strong authentication experience they actually want to use.

To address the security problem, manufacturers are increasingly shipping devices with new authentication technology that enables secure, on-device storage of sensitive user data such as biometric templates and application credentials. With user credentials stored on the user’s device and not on servers, the threat of re-used credentials harvested from someone else’s data breach goes away. In order to attack and gain access, the cybercriminal must attack the user’s personal device. In most cases, an attacker would have to gain physical possession of a user’s device to even attempt an exploit. These types of attacks are not scalable or profitable for cybercriminals.
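To make the shared-secret versus on-device contrast concrete, here is an added example (not code from the article or from the FIDO Alliance) in Python: a password login that any holder of the leaked password passes, beside a Schnorr-style challenge-response in which the device keeps a private key and the server stores only a public value, so a server breach yields nothing that can be replayed. The group parameters are constructed toy values, far too small for real use, and the function names are this example's own.

```python
import hashlib
import hmac
import secrets

# Constructed toy group for a Schnorr-style challenge-response (illustration only;
# real deployments use 256-bit curves). p = 2q + 1, both prime; g generates the order-q subgroup.
P, Q, G = 2039, 1019, 4

def password_enroll(password):
    """Shared-secret model: the server must keep a verifier derived from the password."""
    salt = secrets.token_bytes(8)
    return {"salt": salt, "hash": hashlib.sha256(salt + password.encode()).digest()}

def password_login(record, attempt):
    """Anyone who knows the (reused) password gets in; a leak at another site is enough."""
    candidate = hashlib.sha256(record["salt"] + attempt.encode()).digest()
    return hmac.compare_digest(record["hash"], candidate)

def device_enroll():
    """On-device model: private key x stays on the device; the server stores only y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def device_commit():
    """Device picks a fresh nonce r per login and sends t = g^r."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)

def device_respond(x, r, c):
    """Device answers the server's challenge c; the response is bound to this t and c."""
    return (r + c * x) % Q

def server_verify(y, t, c, s):
    """Server checks g^s == t * y^c using only the stored public value y."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def run_scenarios():
    # 1. Password reuse: a password leaked from another site works here unchanged.
    record = password_enroll("dadada")
    reuse_succeeds = password_login(record, "dadada")
    # 2. Device-bound key: one legitimate login, then a replay of the captured
    #    (t, s) pair against a different challenge, which the server rejects.
    x, y = device_enroll()
    r, t = device_commit()
    c = secrets.randbelow(Q)
    s = device_respond(x, r, c)
    legit_succeeds = server_verify(y, t, c, s)
    replay_succeeds = server_verify(y, t, (c + 1) % Q, s)
    return reuse_succeeds, legit_succeeds, replay_succeeds
```

A breach of the second server's database exposes only y values, which cannot produce a valid s for a fresh challenge without the device-held x.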

If the whole web ecosystem stops storing user credentials and biometric data on servers and moves to an on-device model for strong authentication, it will dramatically change the game for cybercriminals by eliminating their ability to perform scalable attacks on account credentials as a means of perpetrating fraud.
