Correctly, and safely, connecting humans to their various digital identities is an ongoing challenge for businesses. For banks today, verifying that it is really you trying to access your account is a greater challenge than ever before, as hackers and their techniques only continue to become more sophisticated. Combating this threat requires constant monitoring, maintenance and round-the-clock work from security teams. The same principle rings true for social media platforms like Facebook, online retailers like Amazon, medical portals like NHS Choices and so on.
Historically, we’ve been over-reliant on usernames and passwords as the primary means of making the link between people and their online identities. And today consumers continue to reuse passwords across all sorts of online activity – ranging from handling highly sensitive information, such as bank or medical records, to simply signing up for a newsletter. In fact, for five consecutive years (2012 – 2016) “password” ranked number one in SplashData’s annual Worst Passwords report. The latest version of the report (which collects data on the most over-used passwords) saw “password” demoted to second place by “123456”.
Data breaches are only continuing to grab headlines as they increase in both frequency and complexity – one recent Wonga breach alone saw 250,000 UK customers’ data stolen. Globally, the number of records exposed over the past 24 months is 2,889,920,099.
Perhaps as a result of this, around 20% of UK consumers have said they do not trust those companies storing and handling their data.
Yet, with so many breaches it’s clear that the username and password combination is no longer enough to protect our information online. Compounded by the fact that consumers still tend to over-rely on weak passwords, questions about user awareness when it comes to online security persist. And, with most small businesses in the UK failing to implement cyber security risk policies or management, questions remain about the role of businesses in educating consumers and providing them with the tools they need to stay safe.
Any business handling sensitive user data needs to constantly evaluate its existing security and take proactive steps to stay up to date on the newer technologies and methods available to it – from vulnerability testing and stronger password requirements to regular audits.
Perhaps the most reliable method for consumers to secure their data is through two-factor authentication (2FA), which typically involves a one-time passcode being sent via SMS to confirm your login.
2FA technology is continuing to advance, and push authentication has recently emerged as a much easier way for users to verify their identity when trying to access online accounts. It’s certainly promising to see that some of the most popular security packages for supporting 2FA have seen a 320% increase in downloads over the last 24 months. But there is still work to be done. A look at twofactorauth.org reveals that only half of the 1,000 most popular websites that require users to log in have any type of 2FA enabled.
Push authentication leverages the growing ubiquity of the smartphone. A push notification is sent to the user’s device and presents them with the details of the login taking place: which application or website is being accessed, the location of the requesting user, which account is being accessed and from what device.
Based on this, users need simply to “Accept” or “Deny” the request. As soon as the user taps either button, the response is immediate – either logging in the legitimate user or preventing access to a hacker. Such 2FA techniques can be used not only for the initial log-in but for other actions which require protection as well, such as a money transfer or a cryptocurrency withdrawal. With this level of security, should an account be compromised, highly sensitive transactions will still require authentication.
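To make the flow just described concrete, here is an added example (not Twilio’s code, nor any vendor’s API) of the server side of a push challenge: the server issues a challenge carrying the context the user will see (action, account, location, device), the enrolled phone answers with a MAC over the challenge id, that context and the Accept/Deny decision, and the server checks the answer, refuses replays and lets stale challenges expire. The class and function names, the 60‑second lifetime and the shared device secret are all assumptions made for illustration; the scenarios in `demo()` are constructed.

```python
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass

# All names here are hypothetical; this is an illustration, not a vendor API.


@dataclass
class Challenge:
    challenge_id: str
    user: str
    context: dict           # what the user sees on the phone before deciding
    created: float
    ttl_seconds: int = 60   # assumed lifetime of a pending prompt
    status: str = "pending" # pending -> approved | denied | expired


def canonical(context: dict) -> str:
    """Stable serialisation so phone and server MAC exactly the same bytes."""
    return json.dumps(context, sort_keys=True, separators=(",", ":"))


def device_sign(device_key: bytes, challenge_id: str, context: dict, decision: str) -> str:
    """What the enrolled phone computes when the user taps Accept or Deny.
    Covering id, displayed context and decision means an answer cannot be
    reused for a different login or transaction."""
    msg = f"{challenge_id}|{canonical(context)}|{decision}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class PushAuthServer:
    """Issues push challenges and verifies the phone's answers."""

    def __init__(self, device_keys: dict):
        # user -> secret shared with that user's enrolled device (set up at pairing time)
        self.device_keys = device_keys
        self.challenges = {}

    def create_challenge(self, user, action, account, location, device, now=None):
        now = time.time() if now is None else now
        ch = Challenge(
            challenge_id=secrets.token_urlsafe(16),
            user=user,
            context={"action": action, "account": account,
                     "location": location, "device": device},
            created=now,
        )
        self.challenges[ch.challenge_id] = ch
        return ch  # in a real deployment this is what gets pushed to the phone

    def resolve(self, challenge_id, decision, signature, now=None) -> str:
        now = time.time() if now is None else now
        ch = self.challenges.get(challenge_id)
        if ch is None:
            return "unknown_challenge"
        if ch.status != "pending":
            return "already_resolved"   # an old approval cannot be replayed
        if now - ch.created > ch.ttl_seconds:
            ch.status = "expired"
            return "expired"
        if decision not in ("approve", "deny"):
            return "bad_decision"
        expected = device_sign(self.device_keys[ch.user], challenge_id, ch.context, decision)
        if not hmac.compare_digest(expected, signature):
            return "bad_signature"      # answer did not come from the enrolled device
        ch.status = "approved" if decision == "approve" else "denied"
        return ch.status


def demo() -> dict:
    """Constructed walk-through of the cases the text describes."""
    alice_key = secrets.token_bytes(32)
    server = PushAuthServer({"alice": alice_key})
    out = {}

    # 1. Legitimate login: Alice recognises the context and taps Accept.
    ch = server.create_challenge("alice", "login", "alice@example", "London, UK", "Chrome on Windows", now=1000.0)
    sig = device_sign(alice_key, ch.challenge_id, ch.context, "approve")
    out["login"] = server.resolve(ch.challenge_id, "approve", sig, now=1005.0)

    # 2. Re-sending that same approval later is rejected.
    out["replay"] = server.resolve(ch.challenge_id, "approve", sig, now=1010.0)

    # 3. A login attempt from an unfamiliar place: knowing the password alone
    #    gives no way to produce a valid answer without Alice's device.
    ch2 = server.create_challenge("alice", "login", "alice@example", "Unknown location", "Unknown device", now=2000.0)
    forged = hmac.new(b"not-the-device-key", b"anything", hashlib.sha256).hexdigest()
    out["no_device"] = server.resolve(ch2.challenge_id, "approve", forged, now=2001.0)

    # 4. Alice sees the unfamiliar prompt on her phone and taps Deny.
    sig2 = device_sign(alice_key, ch2.challenge_id, ch2.context, "deny")
    out["denied"] = server.resolve(ch2.challenge_id, "deny", sig2, now=2002.0)

    # 5. Step-up prompt for a sensitive transaction, answered after it has expired.
    ch3 = server.create_challenge("alice", "transfer", "alice@example", "London, UK", "Chrome on Windows", now=3000.0)
    sig3 = device_sign(alice_key, ch3.challenge_id, ch3.context, "approve")
    out["stale"] = server.resolve(ch3.challenge_id, "approve", sig3, now=3100.0)
    return out


if __name__ == "__main__":
    print(demo())
```

The point of binding the MAC to the displayed context is that the user approves exactly what they were shown: an approval for a login cannot be turned into an approval for a transfer, and a prompt that goes unanswered simply times out rather than sitting open indefinitely.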
Giants like Google, Microsoft and Yahoo have already integrated this kind of service into the user experience. And, thanks to this uptake, there has already been improved interest in 2FA from the general population, with searches for the term “2FA” more than tripling in the last two years (according to Google Trends).
Having ownership of the device receiving these push notifications ensures that hackers now need more than your username and password, and this sentiment has clearly begun to resonate with users.
Awareness is improving
What these findings together highlight is the growing importance that users are placing on securing their accounts, and the growing pressure on businesses (and the developers supporting them) to meet this demand.
Progress is being made
Evidently, consumers are becoming more concerned about their security and are engaging with the solutions and tools being put out by businesses to help them stay safe. It’s clear that data breaches are not slowing down, which is leading developers and consumers to look to the open-source community for solutions.
While data breaches are likely to continue, tools like 2FA help businesses to empower their users to secure their data. The 2FA research highlighted here helps to illustrate that consumer buy-in when it comes to their online security is significantly increasing.
It’s promising to see that (via their developers) businesses are working hard to service this steadily increasing appetite for greater security measures. 2FA remains one of the best ways to protect online accounts against a takeover but it must go from a popular add-on to an essential part of the user experience.
If applications adopt modern methods such as push authentication, not only will it improve the user experience, but it will also encourage developers to make 2FA mandatory – making the internet safer for all.
Simon Thorpe, Director of Product at Twilio