News of various high-profile cyber-breaches has plagued the headlines over the last few years. From Three Mobile and Sage to Tesco Bank and Yahoo, breaches compromising the sensitive details of users have become commonplace. The issue isn't just that hackers are getting more sophisticated (they are, but that's a different story); it's that the human element is usually the weakest part of any security system. And yet many companies still rely on their customers' password selection to protect their account information.
Regardless of whether or not a consumer has adopted a strong, long and complicated password to protect their account, if a company they are signed up to suffers a data breach, they are at risk. Last year, 65 million Tumblr account details were found to be up for sale on the darknet. And according to a recent report by Verizon, 63 percent of data breaches last year were the result of weak or stolen passwords. Evidently this method of verification isn't one which can be relied on to protect our digital assets.
Businesses now need to give serious consideration to adding an extra layer of security to protect their customer and employee accounts. Adding new steps to the login process can be risky, however, because security fatigue can set in and frustrate the user. There are still options that reduce the risks customers face without making the process too tedious.
One of the best options for businesses is adopting two-factor authentication (2FA) technology to secure customer accounts. 2FA is now widely accepted as a more secure form of authentication, and with the help of cloud communication platforms, companies can improve account security by requiring customers to provide a code that is transmitted to their own mobile device. In most cases, 2FA is a far stronger form of user authentication compared to using methods like security questions, such as your place of birth or the school you attended.
While there is no reason to avoid SMS verification in low-risk communications (for example: a text to let you know that your taxi has arrived), this type of communication, which is by default unencrypted, remains less well suited to high-risk communications. Luckily, the security industry is always trying to devise strong security measures that consumers will actually want, and be willing, to use. In the past year and a half, a new form of 2FA has appeared, which is based on a technology that we are familiar and comfortable with: push notifications.
Push notifications utilise end-to-end encrypted communications between the application and a secured authentication service. Any notification sent in this manner is “pushed” to your device over the internet, and receiving the push triggers secure software on the device which presents the message to its owner. What is unique about this form of communication is that, unlike with SMS verification, the device owner does not just receive a randomly generated authentication number, but a far more contextualised message which will, for example, inform the user that “An attempt to log in to your account has been detected in Alaska. Is this you?”
This kind of proactive fraud alert not only notifies the user of the illicit action at the first instance; a push notification also gives the user the power to intervene and respond immediately, which can stop an attack before it succeeds.
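The flow described in the two paragraphs above, as an added example that is not from the article or from any vendor's SDK: a login attempt creates a short-lived, single-use challenge carrying context, the device owner sees the contextual message quoted above, and a denial is recorded as a fraud signal. The service class, its method names, the 60-second lifetime and the sample user are assumptions.

```python
# Added example (not the article's or Twilio's code): a minimal model of a
# push-approval challenge bound to one login attempt.
import secrets
import time

CHALLENGE_TTL_SECONDS = 60  # assumption: how long an unanswered prompt stays valid


class PushChallengeService:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._challenges = {}    # challenge_id -> record
        self.fraud_signals = []  # (user, context) pairs raised by a denial

    def create_challenge(self, user, context):
        """Register one login attempt and return its unguessable challenge id."""
        cid = secrets.token_urlsafe(16)
        self._challenges[cid] = {
            "user": user, "context": context, "status": "pending",
            "expires": self._now() + CHALLENGE_TTL_SECONDS,
        }
        return cid

    def render_message(self, cid):
        """The contextual text the device owner sees for this specific attempt."""
        c = self._challenges[cid]
        return (f"An attempt to log in to your account has been detected "
                f"in {c['context']}. Is this you?")

    def respond(self, cid, user, approved):
        """Record the owner's answer. Returns True only when login may proceed."""
        c = self._challenges.get(cid)
        if c is None or c["user"] != user:
            return False            # unknown challenge, or answer from another account
        if c["status"] != "pending":
            return False            # single use: already answered or expired
        if self._now() > c["expires"]:
            c["status"] = "expired"
            return False            # stale prompt cannot be approved later
        c["status"] = "approved" if approved else "denied"
        if not approved:
            # The owner intervened: surface it so the attempt can be investigated.
            self.fraud_signals.append((user, c["context"]))
        return approved
```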
Securing the future
It is vital that when migrating to agile, cloud-based development, companies don't leave their customers behind. Instead, businesses should be focused on strengthening their security processes. Time and time again, cyber-breaches have exposed the flaws of password-based authentication. So instead of telling users to strengthen security themselves with more complicated and difficult-to-remember password combinations, organisations should be empowering consumers with an easy-to-use but more secure alternative.
Two-factor authentication should be implemented as a bare minimum, and moving forwards, organisations should deploy push notification technology to better protect their customers' and employees' personal and private data. Because of the flaws that password-only authentication exposes, companies should be looking to add levels of security and versatility wherever possible and feasible. Push notification is not only possible; it is tried, tested and reliable.
Contributed by Marc Boroditsky, VP & general manager of authentication, Twilio
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.