Having a password is extremely important on the web today due to a number of hackers seeking to farm user information for sale on the black market. However, that doesn’t mean passwords are the safest option to protect our data.
Here to talk exclusively with Sanvada about passwords and why we should move away from them, is Marc Boroditsky, a security expert and SVP of Twilio. He is also the man behind the two-factor authentication startup, Authy, before it was acquired by Twilio in 2015.
Let’s dig in to see what Marc has to say.
S: What were the reasons behind the creation of Authy?
M: When Authy was founded in 2011, we were already well beyond the days when a password alone was a reliable security method. As SMS-capable mobile devices became more commonplace, the founders saw an opportunity to strengthen passwords with 2FA by sending one-time-passcodes via SMS and voice. For situations where mobile devices were offline, the free Authy authenticator app was created to generate the same one-time passcodes.
Authy was then acquired by Twilio, where they continued to develop leading authentication solutions under Twilio’s Account Security product area. The most recent being push authentication, which replaces SMS passcodes with a simple and easy “Accept” or “Deny” type response.
S: Let’s talk about passwords. If they are not the best way to secure an account online, then what is?
M: At this point, passwords are fundamentally better than nothing. The problem is almost every application ever built supports them. Users employing more complex passwords may make guessing and brute forcing passwords harder for attackers, but the all-too-frequent massive data breaches are flooding the cybercriminal marketplace with millions of passwords and usernames. Sure, people can just change their passwords, but studies show that users continue to employ weak passwords across several accounts.
Devices, not knowledge-based methods like passwords and security questions, are a more secure method of authentication. Two-factor authentication can effectively thwart an attacker even if that attacker has obtained your credentials because the authentication relies on possession of your actual device.
S: What are the best ways to stop online users from using easy to guess passwords? Strangely enough, people are still using ‘12345’ and ‘password’ to secure their accounts.
M: At this point, we really need to stop putting the burden on consumers to secure the services that businesses provide them. One of the primary reasons we have security fatigue and poor password hygiene among users is the sheer amount of digital services available to them. How many accounts do you have? Banking, healthcare, insurance, social media, gaming – it’s not difficult to imagine a user who has well over 100 different accounts. Now try to imagine using 100 different, complex passwords and thinking about how difficult it would be to remember them, and for which account. This is not a problem we’re going to solve completely with consumer security awareness and education.
Instead, every online service should be looking toward implementing stronger account security: 2FA, phone verification at sign-ups, push notifications for high-risk transactions, and ultimately, a password-less login. The day we move beyond knowledge-based security methods like passwords is the day the internet becomes a much safer place.
S: Is it possible for hackers to bypass two-step verification?
M: While 2FA is a massive increase in security over just a password, it’s still possible to defeat. What’s important to note is that 2FA is significantly more difficult to bypass, meaning 2FA users are less likely to be involved in massive, automated account takeovers because fraud bots can’t brute force 2FA, even if they get past the password.
Sometimes there are cases of high-profile, individual attacks where attackers are able to bypass 2FA through social engineering (re: impersonating the actual user) in customer service environments. But if that customer service agent were able to send a push notification to the user’s device to authenticate that conversation, they’d be able to stop almost every fraudulent attempt for password resets, SIM swapping or requests for personal information.
Stronger account security like push authentication puts the power back in the hands of the user, while making it easy for online services to prevent fraud. Think of high-profile individual attacks in last three years. Nearly every one of them could have been thwarted with a simple “approve / deny” push notification.
S: What about online password managers such as LastPass. Are these services safe for the end user?
M: Password managers are a treatment to a much greater disease, which is the proliferation of knowledge-based security methods (like passwords, security questions, etc.) across our online identities. They certainly help users handle the nightmare of managing hard to remember passwords across all of their accounts, but ultimately we need to just move away from passwords. Why? By 2020, researchers estimate that attackers will be able to break any password that could be conceivable memorized by a human in less than a day. It’s time to implement better account security.
S: Finally, what do you believe is the future of online security?
M: The future of account security is context. We’re talking contextual authentication based on a comprehensive list of factors and user behavior: time of login, wi-fi network, location, type of activity, type of device, type of browser, etc. Individually, any of these factors could be mimicked, but it’s significantly more difficult for an attacker to spoof the entirety of a digital identity.
Another source of context that we’re seeing more of is biometrics. Microsoft and Apple are implementing facial recognition to unlock devices, in addition to now widespread fingerprint authentication. The authentication of the future could take into account temperature, voice recognition, iris scanning or other biometric factors, but these should still be part of a greater contextual picture: each tiny piece of data gradually increasing confidence that the person is exactly who they say they are.