A new year for modern account security

In 2016, a number of high profile security breaches at companies including TalkTalk, Three mobile and Yahoo highlighted the ever-present and growing threat to the security of billions of online customer accounts. It seems as though breaches compromising the sensitive details of hundreds of millions of users have become a common occurrence in recent years. 

Part of the problem is that the industry still seems to rely on password selection to protect account information, expecting users to select complex, unique passwords for each account they own, and to change these passwords on a regular basis. The problem with this is that vast numbers of consumers tend to reuse old passwords or choose weak ones, in spite of the risk this poses; “123456” and “password” have topped SplashData’s annual “Worst Password” report as the most commonly used passwords for five years in a row. 

This year, more innovative companies will put serious consideration into adding an extra layer of security to protect their customer accounts by leveraging technologies like two-factor authentication (2FA). For a while now, security commentators and experts have been aware that usernames and passwords alone aren't enough to protect users. The industry is starting to understand just how important added security has become, and in particular how important 2FA can be. With the help of cloud communication platforms, companies can incorporate that extra layer into the user experience without building delivery infrastructure themselves.

2FA improves account security by requiring the customer to prove possession of something beyond the password, typically a one-time code delivered to their own device. In most cases, a device in the user's hand is a far stronger factor than a knowledge-based answer such as your place of birth, which is often discoverable from public records or social media. However, despite the better security offered by 2FA, you need only pay a visit to TwoFactorAuth.org to see how many businesses have yet to introduce a second tier of authentication.

The end of the password?

Last year, new forms of push authentication were introduced into the services of a number of popular and high profile consumer websites. Google, Microsoft, and even online gaming giant, Blizzard, are implementing “password-less” experiences, powered by push.  

Although this development is fantastic news for the user, it doesn't present an obvious adoption strategy for businesses that are looking to introduce similar security measures, because each of these solutions aims to serve its own community alone.

Fortunately, we live in an age of readily available, flexible building blocks for software development that can scale and keep up with growing customer demands and changing business requirements. APIs continue to innovate, altering previously static industries like communications and payments. 

What’s more, companies like live-streaming service Twitch and virtualisation leader VMware understand the importance of securing user accounts -  that’s why they looked to cloud-driven, reliable two-factor authentication layers to further protect their communities.

Moving from SMS to push notification

As a Microsoft study attests, adding new steps in the log-in process can be risky for businesses as security fatigue can occur, frustrating the user to the extent that they may even decide to stop using their account. To this end, businesses have traditionally shied away from clunkier – though stronger – security. The research conducted by Microsoft found no substitute security method more easy to use, or implement, than passwords. They wrote, ‘Marginal gains are often not sufficient … to overcome significant transition costs’, concluding that the ‘funeral procession for passwords’ is likely still years away. 

Whilst there is no reason to avoid SMS verification in low-risk communications (for example: a text to let you know that your taxi has arrived), this type of communication, which is unencrypted by default, remains less well suited to high-risk communications. Luckily, the security industry is always trying to devise strong security measures that consumers will actually want, and be willing, to use. In the past year and a half, a new form of 2FA has appeared, based on a technology with which we are all familiar and comfortable: push notifications.

Unlike SMS, the push notification itself is only the trigger. On receiving it, the app opens an encrypted connection to the authentication service and retrieves the pending request over the internet, so the sensitive content never travels across the carrier network in the clear. The device owner sees the request and answers it with a tap, and the app sends the response back to the service over the same protected channel. And instead of being limited to a random numerical code, a push request can carry context about the sign-in attempt, for example: "An attempt to sign in to your account has been detected in Lapland. Is this you?" That context is what lets the user recognise, and refuse, a request they did not initiate.

Reactive fraud alerts only notify the victim of the illicit action after the fact, but a push authentication request gives the user the power to respond immediately and prevent the attack from taking place. Most businesses should be considering push notification in cloud-based authentication scenarios because of the added security and versatility that comes with it. Push is familiar and easy, and the technology is mature and reliable.
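The exchange described in the two paragraphs above, as an added example that is not part of the original article and not Twilio's or any vendor's protocol: a standard-library-only Python model of push authentication with the service, the push channel and the device app. The per-device HMAC secret, the 60-second challenge lifetime, the method names and the sample sign-in contexts are all assumptions; a real deployment would carry the fetch and response calls over TLS and would bind a key pair to the device rather than share a secret.

```python
"""Model of push authentication: the push carries only an opaque challenge id,
the app fetches the full request (with context) from the service, and the
user's answer goes back signed with a key enrolled on the device.
Illustrative only; assumed design, not a vendor's protocol."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Optional

CHALLENGE_TTL = 60  # seconds a pending request stays valid (assumed value)


def _sign(key: bytes, cid: str, decision: str) -> str:
    """HMAC over a canonical encoding of (challenge id, decision), so an
    answer is tied to one challenge and a 'deny' cannot be flipped to 'approve'."""
    msg = json.dumps({"cid": cid, "decision": decision}, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class AuthServer:
    """Issues push challenges and verifies the device's signed answer."""

    def __init__(self) -> None:
        self.device_keys: dict = {}  # device_id -> secret shared at enrollment
        self.pending: dict = {}      # challenge id -> challenge record
        self.used: set = set()       # challenge ids that already received an answer

    def enroll(self, device_id: str) -> bytes:
        """Enrollment: provision a per-device secret (over TLS in practice)."""
        key = secrets.token_bytes(32)
        self.device_keys[device_id] = key
        return key

    def request_login(self, device_id: str, context: dict) -> str:
        """A sign-in attempt creates a challenge carrying human-readable
        context; only the opaque id travels inside the push notification."""
        cid = secrets.token_urlsafe(16)
        self.pending[cid] = {
            "device_id": device_id,
            "context": context,
            "expires": time.time() + CHALLENGE_TTL,
        }
        return cid

    def fetch_challenge(self, cid: str) -> Optional[dict]:
        """The app pulls the full request over the encrypted API channel."""
        return self.pending.get(cid)

    def respond(self, cid: str, decision: str, mac: str,
                now: Optional[float] = None) -> str:
        """Validate a signed answer. Each challenge is single-use and expires."""
        now = time.time() if now is None else now
        rec = self.pending.get(cid)
        if rec is None or cid in self.used:
            return "rejected: unknown or already answered challenge"
        if now > rec["expires"]:
            del self.pending[cid]
            return "rejected: expired"
        expected = _sign(self.device_keys[rec["device_id"]], cid, decision)
        if not hmac.compare_digest(expected, mac):
            return "rejected: bad signature"
        self.used.add(cid)
        del self.pending[cid]
        return "approved" if decision == "approve" else "denied"


class DeviceApp:
    """The authenticator app on the user's phone."""

    def __init__(self, device_id: str, key: bytes) -> None:
        self.device_id = device_id
        self.key = key

    def on_push(self, server: AuthServer, cid: str,
                user_decides: Callable[[dict], bool]) -> str:
        """Triggered by the push: fetch the request, show its context to the
        user, and send back the signed decision."""
        challenge = server.fetch_challenge(cid)
        if challenge is None:
            return "rejected: unknown or already answered challenge"
        decision = "approve" if user_decides(challenge["context"]) else "deny"
        return server.respond(cid, decision, _sign(self.key, cid, decision))


def run_demo() -> dict:
    """Walk through the legitimate case and the failure modes a practitioner
    would want the service to handle. Contexts are constructed sample data."""
    server = AuthServer()
    phone = DeviceApp("phone-1", server.enroll("phone-1"))
    home = {"location": "London", "client": "Chrome on Windows"}
    odd = {"location": "Lapland", "client": "curl/7.64"}

    def user_expects_home(ctx: dict) -> bool:
        return ctx["location"] == "London"  # the user only approves what they recognise

    results = {}
    cid = server.request_login("phone-1", home)
    results["legit"] = phone.on_push(server, cid, user_expects_home)
    # Replaying the captured approval must fail: the challenge is spent.
    results["replay"] = server.respond(cid, "approve", _sign(phone.key, cid, "approve"))
    # The attacker's sign-in from Lapland is denied by the user in real time.
    cid2 = server.request_login("phone-1", odd)
    results["attacker"] = phone.on_push(server, cid2, user_expects_home)
    # A response signed with the wrong key, or a 'deny' re-labelled as 'approve'.
    cid3 = server.request_login("phone-1", odd)
    results["forged"] = server.respond(cid3, "approve", _sign(b"wrong-key", cid3, "approve"))
    results["tampered"] = server.respond(cid3, "approve", _sign(phone.key, cid3, "deny"))
    # The same challenge, answered correctly but after its lifetime has passed.
    results["expired"] = server.respond(cid3, "approve", _sign(phone.key, cid3, "approve"),
                                        now=time.time() + CHALLENGE_TTL + 1)
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:9s} -> {outcome}")
```

The "attacker" case is the "prevent the attack" path from the text: the user sees a location they do not recognise and taps deny, and the server never lets that sign-in through. Because the signature covers both the challenge id and the decision, a captured approval cannot be replayed against a later challenge, and a denial cannot be rewritten as an approval in transit.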

In your migration to agile, cloud-based development this year, it is essential that you don't leave the safety of your customers behind. Instead, put serious consideration into strengthening your security capabilities by implementing two-factor authentication, which will allow you to delight customers with an experience that is both seamless and secure.

Marc Boroditsky, VP & GM of Authentication, Twilio
Image Credit: ESB Professional / Shutterstock