When you think about user authentication, you most likely think about putting in a username and password into a field on a website - like the login fields you have to fill out each time you want to check the balance of your bank account. A username and a password are a very common method of user authentication, to the point where some people can recite their (unsurprisingly long) list of usernames and passwords to websites they access on a regular basis. While a username and a password are a quick and easy way to confirm that a person is precisely who they say they are, is it the best solution in a day and age where so much precious information about an individual is stored online? Are we staying ahead of the game with our practices in user authentication?
In Whom Do You Trust?
In the days of yore, an equivalent of a solid username and password was a satisfactory way to secure information and to identify oneself. To put things in today’s context, we place much more trust in faceless websites than before - some might say that we trust them entirely too much. We trust them to not only store our most precious information, but to keep it safe behind security that we do not always see or fully understand. We trust our financial institutions to keep our money safe, our insurance companies to keep our records safe, online retailers to keep our credit information safe - almost all of the time, we simply trust a simple form of user authentication, a few random characters or a phrase, to keep all of this information safe.
Think of technology as a snake. As a snake grows, it sheds its skin and grows a newer, thicker skin to take its place. Technology has grown exponentially over the past two decades, shedding its skin countless times to make way for newer, better innovations. Yet still we rely on yesterday’s authentication methods to keep us safe.
Evil Never Sleeps
While the average user is lagging behind in security - you can bet the hackers sure aren’t. Check the headlines every once in a while, and you are almost guaranteed to see news of a major company that has just suffered a data breach. Companies are lagging so far behind in security, in fact, that back in 2005, the Federal Financial Institutions Examination Council concluded that using usernames and passwords alone was inadequate for “transactions involving access to customer information or the movement of funds to other parties.” Yet over a decade since this warning was published, very little impactful action has been taken by these companies.
You may think that I’m implying the need for a total revamp of the way we handle user authentication. This is not the case. Rather, we should be building on top of our existing infrastructure to make it that much more secure.
A good step that some companies have taken towards enhancing user authentication is the implementation of Two-Factor Authentication (2FA). Despite popular belief, 2FA isn’t necessarily out to replace the password. Rather, it builds on top of it by adding an extra step in the user authentication process. While we might not notice it, we see 2FA in action in lots of places.
Looking for a real-world example? Swipe your credit card. You provide physical proof of ownership (the card), and most places either ask to see I.D. or your ZIP code (step 2). If your card has a chip in it (which all cards and retailers should be set up for by January 1st, 2016), that is also an example of 2FA: the chip creates a one-time password (OTP) to protect your identity from POS skimmers and other malware.
2FA is a good addition to the username and password. However, it isn’t without its flaws. Similar to how pathogens can become resistant to antibiotics, over time, 2FA will slowly become less and less effective in staving off malicious folk.
The Next Level of User Authentication
So where do we go from here? The good news is this: as technology advances, so do the ways through which we protect ourselves online. Up and coming user authentication methods include things like biometric authentication, which takes a specific characteristic unique to the individual, like a fingerprint or the blood vessel pattern in a retina, and uses that to secure our information.
Also becoming more widely available are tools like Google Authenticator, which generates an OTP that users must provide in addition to a username and password. The tools that we need in order to protect our information online are becoming available, yet the question still remains: how long will it be until these new methods become commonplace? In my opinion, the individual should be playing a bigger role in demanding that companies and websites implement stronger security practices. Many people think they are still secure behind a password alone (on a side note, the most common passwords are… 'password' and '123456', so please change yours). Then again, people also don’t want to be inconvenienced by having an extra step in the user authentication process, like we typically see with 2FA.
This needs to change.
Simple Steps to Increase Security
Here are just a few things that we can do to help protect our information:
- Use a different password for each account. Many people use the same password for everything. If that password is compromised, it’s game over.
- Change your passwords regularly. Some sites require a password change every month, six months, etc. Even if it’s not required, it’s a good habit to get into. You may not know if your password is compromised, but if you change it frequently, you limit the window in which a stolen password can be used against you.
- Use non-standard answers for security questions. For example, if a question is “What was your childhood pet’s name.”, instead of putting “Fido”, consider putting “Gary Busey”.
- If sites offer the use of tools like Google Authenticator, take advantage of it. It’s a free app that generates a one-time password that only you have access to. Ask yourself: is it really that inconvenient for the added security?
Here’s the final takeaway: user authentication can only get stronger from here on out, with our information being protected by means that only a science fiction author would have thought of thirty years ago. That being said, if we keep using yesterday’s authentication methods, tomorrow’s innovations will amount to nothing. So, let’s get futuristic, and let our retinas and fingerprints do the verification instead of “password1234”.
What are your thoughts on User Authentication? We would love to hear from you in the comments below, or subscribe to one of our other channels to keep up on everything related to Digital Security and Authentication!