The alphanumeric password has been an integral part of people’s lives for a long time and is a key element in protecting access to sensitive information for many businesses and consumers. Over the years, as the number of passwords we have and their required complexity have grown, it has become impossible to remember multiple passwords for multiple online identities, which presents a major security risk.
That password overload resulted in a 'weak password syndrome' where users simply chose passwords that were easy to remember. After the LinkedIn hack, where 117 million user credentials were leaked, it was reported that the most popular passwords people were using were '123456' and 'linkedin', passwords that were easy to remember and just as easy to guess, even without sophisticated hacker tools.
Passwords will be a thing of the past
Multiple groups and industry associations have been working to eliminate passwords for many years. A recent Google announcement suggests that in the near future, passwords will be a thing of the past. Google aims to have Android users engage a combination of biometrics – both physical and behavioural – to replace passwords for authentication and access. The elements evaluated to grant access are the physical one, the user's face, and the behavioural ones, typing patterns and how a user moves when using their device.
Biometrics have been around for quite a while – laptops with biometric fingerprint readers emerged as early as 2003 – but the technology didn’t appeal to the wider consumer audience until the introduction of Apple’s Touch ID. And while many industry professionals agree that biometric technology can serve as an attractive alternative to passwords, we should all understand that biometrics simply cannot replace passwords by themselves – primarily because biometrics are not secret and they are not revocable. They are, however, good additional factors when used in a layered fashion that brings more assurance.
Another security measure for reducing our reliance on passwords is behavioural analytics. A proven technology in use by a variety of financial services organisations, behavioural analytics is different from behavioural biometrics. Behavioural analytics looks at a person’s history, activities and usage patterns rather than at how someone interacts with a device. It takes into account behavioural elements that are nearly impossible to replicate or copy, such as current and past transactions, location, device used, and historical fraud and breach data, in order to evaluate risk. Using this analysis and data, authentication runs in the background with zero touch required from the user.
As the password battle rages on, solutions, standards and technologies will continue to emerge in an attempt to once and for all rid our lives of the sticky notes, password lists and password managers, which, despite encryption, present a vulnerability with all the eggs – or in this case passwords – in one basket.
Behavioural analytics is a giant leap forward in getting us closer to a password-free, or at least password-reduced, and more secure existence.
Paul Ferron, Director of security solutions, EMEA at CA Technologies