According to a new report, tens of millions of people don’t have passcodes set on their Smartphones. The TransUnion® survey polled 1,263 consumers ages 18 and older about their experiences with and perceptions of cyber threats in anticipation of National Cyber Security Awareness Month in October. Despite increasing fear, nearly half of respondents don’t take common protective measures, such as locking their phone with a password (45 percent) and changing their passwords frequently (51 percent). Robert Capps, VP of business development at NuData Security commented below.
Robert Capps, VP of Business Development at NuData Security:
“The survey brings out some fascinating data, particularly that “despite the increasing fear, nearly 50 percent of the participants admit that they don’t take actions such as setting a password on their cell phones”, echoing the reality that, when it comes to mobile, convenience is king. Users do not want to have any friction between them and their device. Therefore, instead of continuing to be surprised by results like this, we should look for ways to meet the need for security in ways that don’t inject more friction.
The security industry, as a whole, typically is most comfortable requiring that customers conform to methodology. But, forcing users into a security paradigm is always going to be a risky proposition, especially in technological environments, where they will only want to interact with their devices in the ways they most prefer. Hackers and fraudsters benefit from this dynamic (at present) because it’s tilted in their favour. Single-point authentication methods, especially on mobile, unlock a wealth of vulnerable PII (personally identifiable information) that is a rich source of income for hackers when mined from phones and sold on the dark web. Until authentication methods no longer require this data, we can’t expect this economy to go away and the dynamic will continue.
Let’s imagine another scenario whereby authentication may require this data, but doesn’t rely solely upon it. Instead, identity verification is reliant upon a myriad of data points that form intricate web of complex, rich and real-time data that is impossible to spoof, mimic or replicate by nature of its interconnectivity and complexity. Friction dissolves in this scenario because the verification of the user is so accurate and ‘white-glove’ experiences can be offered to what we know to be the genuine human user.
So, while we might continue to bemoan user stubbornness in up-taking basic security protocols against their own best interests, we can start to see that users’ natural behaviour can be the basis of the security method. Analysing sessions in terms who how users are behaving, how they typically behave, how other humans behave in this context, offers non-invasive pathways to stunningly accurate identification.
We can stop enforcing security methodology and our tactical requirements on end users and start working with what they are offering — natural behaviour and the ability to discern who they are from it. Currently, many major online retailers and banks are beginning to utilise this powerful passive biometric model. We anticipate that while usernames and passwords will always have some relevance, it will become less and less relevant for user authentication and verification in the future to come.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.