Staying safe online remains a moving target. By one widely cited estimate an attack is attempted every 39 seconds, feeding the dark web’s current catalogue of some 15 billion stolen user credentials for sale. With every purchase, more users fall victim to identity theft. Multi-step security features, such as biometric and out-of-band voice authentication, are common tactics for strengthening online security.
However, more authentication factors do not automatically add up to more security. Think of authentication as identification checkpoints, like walking through TSA: each method adds rigor to the sign-in process, but none of them does anything to encrypt the data behind the login.
Authentication methods unquestionably reduce a user’s risk of identity theft, but they also come with well-known weaknesses. In 2018, 81% of security incidents were tied to stolen or weak passwords. For scale, there were 157,525 security incidents (and 3,950 confirmed data breaches) in 2019 alone. For that reason and many more, it is time for a better approach to authentication. Asymmetric cryptography, already universally trusted for securing the web, offers one.
Common Authentication Methods For Security & Convenience
Customarily, tech users are offered the following authentication options:
- passwords and security questions,
- out-of-band voice,
- time-based, one-time passwords, and
- biometrics.
Still, not all authentication is equal. Passwords and security questions are very weak, but you already knew that. Back in 2004, Bill Gates predicted, “There is no doubt that over time, people are going to rely less and less on passwords.”
Perhaps the reliance on “shared secrets” is why the tech economy is turning away from passwords and security questions today. A shared secret has to exist in two places: the user remembers it and the service provider stores it (or a hash of it), so it can be guessed, phished from the user, or stolen from the provider’s database. Shared secrets also push the burden onto users, who must protect and remember a different password for every account, which quickly becomes a nightmare.
Out-of-band voice is a stronger approach, but not by much. This technique confirms the user’s identity by calling the phone number registered to the account. It is weak for several reasons, starting with practicality: the user needs a second device, active phone service, and a setting in which they can answer a call. More fundamentally, an answered call is not strong proof of identity. Voice calls can be intercepted or redirected to an attacker, for example through call forwarding or a SIM swap at the carrier.
Next up are one-time passwords, which provide medium security. A time-based one-time password (TOTP) is a short code that an authenticator app computes from a secret seed shared with the service plus the current time; in the more common deliver-a-code variants, the service generates the code itself and sends it to the user by text, push notification, or email. Either way the code is valid only for a short window. This presents attackers with a real obstacle, but the codes remain exposed to SIM hijacking (for SMS), malware on the receiving device, and notification flooding (for push), and because a code is just another shared secret, a phishing page can collect it and relay it to the real site within the validity window.
Atop all is biometric security, which is strong and extremely hard to fake. Its biggest drawback is false accepts: facial recognition held up to a sleeping user, or an identical twin fooling the system. Beyond that, biometrics are very convenient.
They remove the need to remember passwords and add no extra steps for the user. The flip side is that a compromised biometric cannot be rotated; people cannot change their fingerprints or face, which makes the stored template a high-value target. Note: biometrics are only as secure as that template’s storage. It should stay on the device, protected by a TPM or secure enclave, and never be sent to a server.
What Is Two-Step Authentication & Is It Strong?
Two-step authentication is a term that has become familiar to household users. It requires two or more authentication methods to log in, and its strength depends on the weakest factor used. Most commonly, users pair a password with a one-time code; but remember, neither passwords nor one-time codes are strong authentication methods on their own. The strength of a given two-step setup is therefore hard to judge, and the outcome of an attack against it hard to predict.
Here’s an example:
In July 2020, hackers took over the verified Twitter accounts of entrepreneurs, celebrities and business figures across the globe. Targets included Barack Obama, Joe Biden, Warren Buffett, Elon Musk, Jeff Bezos, and even Michael Bloomberg. From those accounts, the hackers urged followers to send them bitcoin, promising to double whatever was sent.
The tweet from Elon Musk’s account read, “I’m feeling generous because of Covid-19. I’ll double any BTC payment sent to my BTC address for the next hour. Good luck, and stay safe out there!” The investigation found that many of the compromised accounts had multi-factor authentication enabled, and the attackers never needed the users’ one-time codes: they had social-engineered Twitter employees into handing over access to internal account-management tools, which let them bypass the accounts’ own authentication entirely.
Again, more authentication does not mean more security. Multi-factor authentication also creates more friction for users, who must act before one-time codes expire, jump between devices, and remember multiple passwords. On top of that, SMS authentication codes are not end-to-end encrypted and can be intercepted or redirected (SIM swap, malware reading the inbox), and messaging apps that sync across devices deliver the code to every one of them at once.
As Bill Gates predicted, asymmetric cryptography, the public-key technology behind certificates, is ending the need for passwords. The private key never leaves the user’s device, the service stores only the matching public key, and logging in means signing a fresh challenge from the service. There is no shared secret to guess, phish, or steal from a database, so authentication can be immensely secure while being easier and more convenient for everyone to use. Do you know how asymmetric cryptography works? How well are your accounts secured?
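Here is an added example (not code from the original page and not Beyond Identity’s implementation) of the challenge-response login that asymmetric cryptography makes possible, written in Go with the standard library’s Ed25519. The message layout, the 32-byte nonce and the example origins are assumptions for illustration. The device holds the private key and signs the origin it is actually talking to plus a server nonce; the server stores only public keys, consumes each nonce after one attempt, and verifies the signature over its own origin. `main` walks through a genuine login, a replayed signature, and a signature phished through a look-alike origin and relayed to the real server.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator stands in for the user's device. The private key is generated
// here and never leaves this struct; nothing below ever sends it anywhere.
type Authenticator struct {
	priv ed25519.PrivateKey
}

// NewAuthenticator creates a key pair and hands back only the public half,
// which is all the service ever learns about the user.
func NewAuthenticator() (*Authenticator, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv: priv}, pub
}

// challengeMessage is what gets signed (layout assumed for this example): a fixed
// prefix, the origin the device is talking to, and the server's nonce. Binding the
// origin defeats a look-alike phishing site; binding the nonce defeats replay.
func challengeMessage(origin string, nonce []byte) []byte {
	return append([]byte("login\x00"+origin+"\x00"), nonce...)
}

// Sign answers a challenge. The origin is whatever the device really connected
// to; a phishing site cannot make the device sign the genuine site's origin.
func (a *Authenticator) Sign(origin string, nonce []byte) []byte {
	return ed25519.Sign(a.priv, challengeMessage(origin, nonce))
}

// Server is the relying party. Note what it stores: public keys only. A dump
// of this map is not a credential dump; it lets nobody log in.
type Server struct {
	origin  string
	users   map[string]ed25519.PublicKey
	pending map[string]string // hex(nonce) -> user; each nonce is good for one attempt
}

func NewServer(origin string) *Server {
	return &Server{origin: origin, users: map[string]ed25519.PublicKey{}, pending: map[string]string{}}
}

func (s *Server) Register(user string, pub ed25519.PublicKey) { s.users[user] = pub }

// Challenge issues a fresh random nonce for a single login attempt.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[hex.EncodeToString(nonce)] = user
	return nonce, nil
}

// Login consumes the nonce first (so a captured signature cannot be replayed,
// and a bad guess burns the challenge), then verifies the signature over the
// server's *own* origin, not whatever origin the client claims.
func (s *Server) Login(user string, nonce, sig []byte) error {
	key := hex.EncodeToString(nonce)
	owner, ok := s.pending[key]
	delete(s.pending, key)
	if !ok || owner != user {
		return errors.New("unknown or already used challenge")
	}
	if !ed25519.Verify(s.users[user], challengeMessage(s.origin, nonce), sig) {
		return errors.New("signature does not verify for this origin")
	}
	return nil
}

func main() {
	device, pub := NewAuthenticator()
	srv := NewServer("https://login.example.com") // example origin
	srv.Register("alice", pub)

	nonce, _ := srv.Challenge("alice")
	sig := device.Sign("https://login.example.com", nonce)
	fmt.Println("genuine login:        ", srv.Login("alice", nonce, sig))
	fmt.Println("replayed signature:   ", srv.Login("alice", nonce, sig))

	// Phishing relay: the attacker fetches a real challenge, lures the device to a
	// look-alike origin, and forwards the device's signature to the real server.
	nonce2, _ := srv.Challenge("alice")
	phished := device.Sign("https://login.examp1e.com", nonce2)
	fmt.Println("relayed phished signature:", srv.Login("alice", nonce2, phished))
}
```

Compare this with the one-time-code case: there the server and the user hold the same secret and the code says nothing about where it is being entered, so both a database breach and a real-time phishing relay succeed. Here the server holds nothing that logs anyone in, the nonce dies after one use, and the phished signature fails because the origin inside the signed message is wrong.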
Please include attribution to https://www.beyondidentity.com with this graphic.