Q&A: Why 2FA and biometrics are now security necessities

The recent rise in cybercrime has made businesses realise that passwords are no longer enough, especially now that confidential business data is frequently accessed on employees' personal devices.

So, are practices such as two-factor authentication and biometric security the only way forward? We spoke to Steve Watts, co-founder of SecurEnvoy, to find out.

  1. Let’s start with the big question: Why are passwords no longer enough to protect against hackers?

What has become very clear is that the retention of passwords is very difficult. We all try to have three to four different passwords that we use across multiple sites. The key thing to remember with passwords is that no matter how complicated people make them, they do not offer a safeguard if they are compromised.

It doesn’t matter what formula you have to create one, if you’re being compromised, there’s nothing you can do. For example, there are many hackers out there that can cache passwords as they are being typed into a system. People forget that it doesn’t matter if a password couldn’t be guessed, regardless of whether it is a 4-digit PIN or a 22-character combination; if the system is compromised, then accounts are no longer protected.

The key difference with two-factor authentication is that it offers one-time passcodes (OTPs) that cannot be reused if hackers get hold of them. We also work on a zero-knowledge basis, where neither the user nor the security provider knows the specific code before it is used.

  1. In today's security landscape, is two-factor authentication the only viable way forward for businesses?

Yes, it is, because not only is it more secure – it is also more convenient. Now is the time to give staff the Apple Pay experience in the business realm, giving staff enterprise authentication via two-factor authentication (2FA). 2FA requires not only a password and username but an additional component which could be something that the user knows, something that the user possesses or something that is inseparable from the user. It is now incredibly popular and has become the system favoured by seven of the ten largest social networking sites (including Facebook, Twitter and LinkedIn) as their authentication method of choice.

We’ve made the 2FA experience so much more convenient for users than using passwords. For example, mobile applications can utilise NFC to securely transfer all the information required to enable a browser to start up, connect to the required URL, and then automatically enter the user id, password and second factor passcode in one seamless logon. This technology can be used for any back end solution that needs to verify a user, whether it be at initial logon or at the point of verifying a transaction. Effectively, any time an application needs to positively prove the end user is who they say they are, this technology can be invoked.

Innovation is the most important way to stay ahead of cybercriminals. It has always been a battle between the security innovator and the hacker. Using NFC technology, logging in with stronger two-factor security is actually easier than entering a password and will therefore become more popular with users who always want the easiest possible solution. This innovation will lead to the death of the password whilst increasing the lead of the security provider over the hacker.

  1. Do you see biometrics playing a key role in the future?

As long as biometric technology evolves, improves and is proven to be reliable, then it will play a key role in the future. The technology needs to show that it is recognising the user, and is 100 per cent accurate.

Until recently, most mainstream examples of biometric recognition as an authentication method have been based on fingerprint, palm, iris, facial or voice recognition. However, biometrics is now being taken a step further, with some financial institutions trialling using a person’s walking gait to identify them and offer them relevant services as they walk into the branch.

The organic and digital worlds have been further ineradicably linked since the launch of the Apple Watch, which turns itself off when you remove it from your wrist due to it not being able to read your heartbeat. There have also been several trials recently with NFC enabled chips being implanted under the skin so that a simple swipe of the hand can be used for anything from contactless payments to checking into an airport lounge.

It must be stressed that solutions need to be secure and accessible to users all of the time. People cannot be compromised when trying to log in to their systems – whether that’s at work or at home.

  1. How important is it to get the balance right between security and convenience?

It is crucial to get the balance right when keeping vital corporate information secure. There are many solutions available that will claim to be convenient, but do not offer the same security as 2FA.

It’s important to keep people advised about how they can keep data secure, and they are starting to learn more through improving technology – such as smartphone fingerprint scanners and access to their personal bank accounts.

When we compare the convenience of the combination of usernames and passwords, and biometric or 2FA methods, the latter is the clear winner. We are constantly told that users are the weakest link in corporate security. Yet with 2FA becoming as ubiquitous as taking a selfie is for the modern masses, the information security technology being seen by many as the holy grail of authentication could be the one that is literally already at the users’ fingertips.

  1. What advice would you offer to businesses still struggling to get to grips with device security?

I’d certainly advise businesses to empower their staff when it comes to corporate security and authentication. Never before have we seen a generation of workers so tech-saturated, yet many organisations are failing to take advantage of this valuable resource, namely by using their employees’ own devices as authentication tools to connect – securely – to their business data whilst on the move.

Of course, there are a host of security processes that need to be factored into any corporate system, but businesses can reduce the strain on IT departments by adopting solutions that give staff more control. It makes sense to put employees in control in a world where almost everyone possesses a mobile device. By empowering staff to protect their endpoints, giving them the ability to authenticate their way on their own phone or tablets, IT departments can save valuable time and resources.

I’d also advise businesses to communicate with vendors about what the best security solutions are. Value partners have a wealth of knowledge and experience and are ideally positioned to support the business and offer sound advice. The resellers listen to their customers too, so they quickly understand which solutions are well tested and secure.

Corporate security cannot be compromised, so businesses need as much guidance as possible when deciding how it will be protected.
