Could Coronavirus, and the onslaught of cyber attacks and threats targeting displaced workforces, be the inflection point that finally pushes us towards adopting secure and private authentication technology?
When it comes to remote-work security, passwords are doing more harm than good. In the last week alone, remote workers attempting to access San Francisco Airport’s systems had their credentials compromised after the airport’s websites were hacked, and the usernames and passwords of half a million Zoom users, who had their accounts hacked last month, went up for sale on the dark web this week.
Earlier in the year — pre-Coronavirus — Marriott Hotels suffered a massive privacy breach, where the records of 5.6 million guests were exposed after just two employees had their passwords compromised.
These examples highlight two things: how vulnerable corporate systems and databases are when they are protected by passwords, and how attractive companies become to criminals when they store user login credentials in their databases.
Yet despite passwords inviting a range of cyber threats, dismantling password authentication systems has been largely avoided. Rather than overhauling how we authenticate, Band-Aid security solutions that aim to bolster passwords have been the go-to.
Solutions like password managers fail to adequately protect against threats because hackers know that maintaining password hygiene has become too much of a challenge for the average user. The vast majority of people ignore password best practices, whether by recycling their passwords across multiple accounts or by choosing weak passwords.
To make matters worse, it’s easy for hackers to get their hands on stolen passwords — the going rate for a set of compromised credentials is less than a dollar on the dark web. Once a hacker has a single set of login credentials, they can use those to crack passwords to other accounts.
Because of this, just one stolen password should be treated for what it is — a major security threat. The famous computer security expert, Window Snyder, put it best when she said: ‘one single vulnerability is all an attacker needs’.
It’s likely that Coronavirus-related attacks will continue to highlight how weak passwords are, hopefully driving us to adopt smarter authentication technologies that don’t put us at unnecessary risk.
Biometrics have come a long way in the past decade, and are now at the point where they are secure enough to completely replace passwords. Unlike passwords, a user’s unique biometrics and characteristics can’t be guessed or cracked.
Advances in machine learning, including deep learning, have substantially boosted the security and reliability of facial recognition systems, which have enabled new research directions in novel authentication modalities, like behavioral biometrics, where users are authenticated by how they interact with smartphones and desktops rather than via their physical characteristics.
These authentication techniques don’t require user attention and can, therefore, be used for continuous authentication. With continuous authentication, the user’s device continuously monitors the user (by processing keystrokes or smartphone movements in the background) and makes frequent authentication decisions based on this data.
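A minimal sketch of the continuous-authentication loop described above, added here as an illustration and not taken from the article or from any product. It assumes keystroke dwell and flight times as the only features and a mean absolute z-score as the distance; the function names, threshold, strike count and sample timings are all constructed for the example.

```python
from statistics import mean, stdev

# Constructed sample data: (dwell_ms, flight_ms) per keystroke.
ENROLLMENT = [(90, 130), (100, 150), (95, 140), (105, 145),
              (85, 135), (95, 140), (100, 150), (90, 130)]
OWNER = [(92, 138), (98, 145), (94, 133), (101, 148), (89, 141), (96, 137)]
OTHER_TYPIST = [(62, 250), (58, 270), (65, 240), (60, 265), (63, 255)]


def enroll(samples):
    """Build a per-feature (mean, stdev) profile from enrollment keystrokes."""
    return [(mean(col), stdev(col)) for col in zip(*samples)]


def window_score(profile, window):
    """Mean absolute z-score of the window's features against the profile."""
    total = 0.0
    for sample in window:
        for value, (mu, sigma) in zip(sample, profile):
            total += abs(value - mu) / max(sigma, 1.0)  # floor avoids tiny sigma
    return total / (len(window) * len(profile))


def continuous_auth(profile, stream, window=5, threshold=2.0, strikes=2):
    """Score every sliding window; lock after `strikes` consecutive misses.

    Returns a list of (keystrokes_seen, score, state), where state is
    'ok', 'suspect' or 'lock'. Requiring consecutive misses means a
    single high-scoring window is not enough to lock the session.
    """
    decisions, misses = [], 0
    for end in range(window, len(stream) + 1):
        score = window_score(profile, stream[end - window:end])
        if score <= threshold:
            misses, state = 0, "ok"
        else:
            misses += 1
            state = "lock" if misses >= strikes else "suspect"
        decisions.append((end, round(score, 2), state))
        if state == "lock":
            break  # a real system would force re-authentication here
    return decisions


if __name__ == "__main__":
    profile = enroll(ENROLLMENT)
    for row in continuous_auth(profile, OWNER + OTHER_TYPIST):
        print(row)
```

In the constructed session the typist changes after the sixth keystroke; the window turns suspect one keystroke later and the session locks after two.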
New authentication protocols that combine these advancements with emerging privacy-preserving technologies, such as secure multi-party computation and zero-knowledge cryptography, allow for biometric data to be stored securely.
As with all emerging technology, despite its readiness and potential, widespread adoption can be slow, but unprecedented events can also often lead to decisive action.
Coronavirus lockdowns and the subsequent cyber threats are the most significant disruption to workplace security in modern history. They may also, however, have a silver lining; they could help usher us into a new era of online security and privacy.
If the Coronavirus pandemic lockdowns force us to replace passwords with something far more secure — like our own unique digital DNA — then it wouldn’t have been for nothing.
Once we make the inevitable decision to switch to biometric authentication, we will significantly improve security and privacy — effectively putting a permanent stop to a vast majority of cyber threats.
This is a repost of an article written by Paolo Gasti, Chief Technology Officer at Keyless Technologies, featured in Infosecurity Magazine.