We have all been there – struggling to remember which password we used for the account we are trying to log in to. Passwords and passphrases have been around for centuries, used in a variety of applications, from entering private clubs to accessing restricted military sites. Today, we use passwords to enter almost every software platform, from social media and banking through to delivery applications.
We are constantly instructed, by security professionals, to make our passwords longer and more complex, and impossible to guess, but how many of us follow these guidelines? Typically, people try to choose something they can easily remember, such as a phrase from their favourite book or song, or their pet’s name.
Unfortunately, there is an inherent flaw in this method – these passphrases are never secure.
Think about when you have to pick a four-letter password. There are approximately seven thousand four-letter words in the English dictionary, making it relatively easy for even a novice bad actor to guess which one you chose. Whereas if you were to pick four completely random letters instead of a word, you would have a choice of 456,976 possible password combinations.
Current estimates suggest there are around 300 billion passwords in use, and with approximately 7 billion people, this amounts to 43 passwords per person. That’s a lot for anyone to remember, especially if those passwords need to be random and unique. Can most people be bothered to have different random passwords?
Over 13 billion passwords have already been compromised and are available on the dark web for hackers to use. This makes their life much easier as they don’t require any sophisticated tools to log in to your account. What’s more concerning is that in the average organisation, approximately 50 passwords are persistent i.e., they never change and are constantly used by an application.
This means that a hacker doesn’t need to try and find a hard route into your system, because all they need to do is steal, guess or buy your password from the dark web.
Microsoft recently announced it will move to passwordless technologies. However, most of these systems simply mask the password, which can still be stolen and grant a hacker access. Every organisation that adopts these passwordless solutions should conduct technical due diligence to ensure that they aren’t simply purchasing a fancy sales pitch.
How can we really fix this issue?
The first step is to look at how humans authenticate other humans. We don’t use passwords. When you go on a call with someone, the first thing you do is check to see if the phone number they’re ringing on is the one associated with their name. If a friend were to phone you from a different number, you would be slightly suspicious.
Next, you try to recognise their voice and to ensure that it sounds like them. The third thing we do is try to understand their idiolect, their unique language, grammar, and slang. If they started speaking drastically differently, or their voice sounded off, suspicions would also start to grow.
When we look at this in a digital context, an authentication platform should consider a variety of risk vectors instead of just one.
The first vector to look at is the device that a user is attempting to gain entry from. Each device has a certain amount of uniqueness to it. Even if two devices have been made by the same company in the same warehouse, there are always slight differences from device to device – we call this entropy. Measuring this entropy helps us know which device is requesting access.
The second vector to look at is the identification and verification of the user accessing the device. This shouldn’t be done by passwords, but by the things we carry around with us all the time, such as our face, our fingerprint, or any other uniqueness. There are always going to be flaws in these methods of identifying an end-user, hence why we must weigh up the risks and accuracy of the technology, whilst constantly innovating to identify the characteristics of fraud e.g., deepfake traces.
If we do not trust the method of verifying the identity, we should always have a secondary option of verifying the identity e.g., if we get a result from the facial recognition identity platform that it’s only 75% sure the individual is who they say they are, and our threshold is 80%, we should push the user to authenticate through a different mechanism such as their thumbprint.
Thirdly, we should look at the behaviour of the user once they’re authenticated instead of just trusting the process. We should be asking ourselves:
- Is this user behaving in the way they normally do?
- Are they accessing information that they normally don’t access?
This is where AI and Machine Learning can really help, by monitoring user behaviour and ensuring it fits in with what we know the user normally does.
Lastly, we need to move away from persistent storage of user information to gain access to a system and instead move towards an ephemeral method of authentication. Whilst Cookies, for example, are generally not designed to steal information, hackers can use them to spy on the user or obtain the user’s login and password in some cases. If we move to an ephemeral, contextualised method of authentication, constantly weighing up risk not only from user to application but application to application, then we will have successfully moved to a true Zero-Trust architecture.
Although hackers will constantly innovate and look at how they can thwart our authentication mechanisms, we can at the very least get the basics right and stop them from just logging into systems.