World Password Day is this Thursday, May 2, but everyone knows the damage that weak passwords can cause. Why not use this day to talk about how other forms of authentication — like MFA, biometrics and behavioral analysis– can better protect consumers against fraud?
OneSpan recently commissioned a study of top financial institutions regarding passwords and other authentication practices. It found that:
– 96% of organizations still rely on legacy processes tied to usernames and passwords for authentication
– 44% are challenged by the use of legitimate credentials (exposed in data breaches) in account takeover attempts
-60% of respondents plan to invest in new multifactor authentication technologies in 2019, including those based on biometrics and AI/machine learning
Experts Comments:
Will LaSala, Director of Security Solutions, Security Evangelist at OneSpan:
“Passwords are the easiest form of keeping something private, but also one of the biggest challenges facing organizations, including financial institutions, when it comes to authenticating a user. Organizations do not need to remain beholden to usernames and passwords for authentication anymore as this is the equivalent of leaving the vault door open for fraudsters. The good news is that as fast as the threat environment is moving, there are lots of great technologies coming to bear that can help with better authentication and completely remove passwords from our daily lives.
For example, financial institutions today can look at situations and say, “This is an odd time for this person to do a transaction,” or “It’s an odd transaction.” The landscape for authentication has changed, and the number of data points have increased dramatically. These advancements in technology allow institutions to reduce false positives, identify fraud that they weren’t catching in real time and achieve those mutual goals.
Every transaction requires the same level of risk-based analysis. And that’s the promise of the latest innovations in adaptive authentication – that it will provide the precise level of security to the transaction at the right time. At a time when security controls have matured, and when artificial intelligence and machine learning are fueling a new era of effective analytics, banking and security leaders no longer need to choose between customer convenience and security. They can get both.”
Michael Magrath, Director of Global Standards & Regulations at OneSpan:
“The reality is World Password Day may become extinct in the next few years. Advancements in frictionless authentication technologies coupled with the global adoption of privacy regulations will very likely make passwords a thing of the past. In fact, a recent OneSpan survey revealed that more than 60 percent of respondents plan to invest in new multifactor authentication technologies in 2019, including those that rely on biometrics and AI/machine learning in an effort to overcome security issues face by financial institutions and their customers.
Unlike passwords, modern authentication technologies include “privacy by design” as the foundation. Standards-based authenticators including the FIDO Alliance balance usability with security while protecting privacy. FIDO’s specifications use public key cryptography enabling stronger authentication. When using a FIDO certified authentication, the user’s device creates a key pair. The private key remains secure in their device and registers the public key with the online service. Unlike passwords, no secrets are generated on the server side with user verification occurring locally at the authenticator whether that is a token smartphone or biometric. Moreover, unlike big databases, biometric data, if used, such as fingerprints or facial recognition never leave the device. Adoption of strong authentication is expected to become widely adopted at the consumer level, with WebAuthn, an official web standard, currently supported in Windows 10 and Android platforms, and Chrome, Edge, Firefox, with Safari expected to support it in the near future.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.