Should your company say goodbye to passwords?

Simon Bramble

Sunday 12 March 2017

In the wake of several high-profile security breaches in the past few years, the usefulness of passwords is questioned in the second part of our ‘Securing your business’ series.

The roll call of global companies that have fallen victim to costly, reputation-denting security breaches grows ever longer. The likes of TalkTalk, eBay, Sony and US bank JPMorgan Chase have been attacked by hackers adept at cracking passwords and applying social engineering techniques to obtain personal information.

Even Mark Zuckerberg has been targeted, with his Twitter account being hacked. Yet while the Facebook CEO is diligent in keeping up with his rivals, he proved less so when it came to password best practice. The recent LinkedIn password leak revealed that Zuckerberg used the same log-in details on both social media sites.

And he’s not alone. In small- to medium-sized enterprises (SMEs), four in 10 employees use the same passwords on different business sites, according to a survey by internet security firm AVG. Astonishingly, the same survey found that 67 per cent of respondents said one to two other people had access to their passwords.

Human error the biggest culprit

“Successful security attacks happen when human weakness is exploited to lure a company’s employees to unwittingly provide access to sensitive information,” says AVG security evangelist Tony Anscombe. Many companies use password strength meters to try to safeguard log-in details (and even the meters’ usefulness has been called into question by web consultant Mark Stockley), but if employees are going to inadvertently give those details away, a strong password is pointless.

It’s markedly harder to give away a biometric identifier, and that’s why the banking industry in particular is racing ahead with the introduction of password alternatives. With accurate fingerprint recognition now common on smartphones from many manufacturers, logging in with a fingerprint is on the rise.

In 2015, RBS and NatWest launched apps that require the tap of a finger to access bank accounts. US banks have done the same, with Wells Fargo, Citigroup and USAA even going so far as asking for eye scans, voice recognition and facial contour profiling, respectively.

Fingerprints can’t be handed over like passwords can

Banks are increasingly worried about the ease with which traditional passwords can be obtained, both from their own data stores and from customers. And although there are concerns that hackers may catch up with biometric verification, countermeasures are already in place, such as liveness checks in eye-scanning tech that ask users to move their eyes and blink at certain times to make sure a static image of an eye isn’t being used.

But perhaps the most significant weapon in heading off password hackers isn’t fingerprint scanning, better password strength meters or teaching employees to better look after their details. It’s two-factor authentication: combining something you know, like a PIN or password, or something you are, like your fingerprint, with something you have, such as your smartphone.

As biometrics security expert Samir Nanavati told The New York Times: “If you have your phone and you are authenticating with your fingerprint, it is very likely you.” So if your company isn’t quite ready to move on from passwords, it might be prudent to introduce a second layer of security, especially on mobile devices.
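The second layer described above is usually a six-digit code generated on the phone and checked by the server, the scheme standardised as TOTP (RFC 6238). The following is an added example, not code from the original article or from any bank mentioned in it: it checks a password (something you know) and a phone-generated code (something you have) together, and only lets the user in when both pass. The user record, its salt and the stored password are constructed for the demo; the TOTP secret is the reference secret from the RFC test vectors, so the codes it produces can be checked against the RFC.

```python
"""Two-factor login check: password (something you know) plus a time-based
one-time code from a phone app (something you have), per RFC 4226/6238.
Added example, not the article's or any bank's code. The user record,
salt and password below are constructed values for the demonstration."""
import hashlib
import hmac
import struct
import time
from typing import Optional

DIGITS = 6
STEP = 30  # seconds per TOTP window


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, skew: int = 1) -> bool:
    """Accept the code for the current window or up to `skew` windows either
    side, to tolerate phone clock drift. Constant-time compare so a partial
    match is not revealed through timing."""
    counter = at_time // STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-skew, skew + 1))


def hash_password(password: str, salt: bytes, rounds: int = 200_000) -> bytes:
    """Slow salted hash, so a leaked store does not give up the password cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


# Constructed user record (hypothetical): what a server would keep on file.
DEMO_SALT = b"constructed-salt"
DEMO_USER = {
    "salt": DEMO_SALT,
    "password_hash": hash_password("correct horse battery staple", DEMO_SALT),
    "totp_secret": b"12345678901234567890",  # RFC 6238 reference test secret
}


def login(user: dict, password: str, code: str, at_time: Optional[int] = None) -> bool:
    """Both factors must pass. The password hash is computed even when the
    code is wrong, so response time does not reveal which factor failed."""
    at_time = int(time.time()) if at_time is None else at_time
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["password_hash"])
    code_ok = verify_totp(user["totp_secret"], code, at_time)
    return pw_ok and code_ok


if __name__ == "__main__":
    now = int(time.time())
    phone_code = totp(DEMO_USER["totp_secret"], now)  # what the phone app would show
    print("login with both factors:", login(DEMO_USER, "correct horse battery staple", phone_code))
    print("login with password only:", login(DEMO_USER, "correct horse battery staple", "000000"))
```

The skew of one window either side is the usual compromise between usability and replay risk; a production server would also record the last counter accepted for each user so a code cannot be replayed within its window.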

Next month, in the final part of the ‘Securing your business’ series, ThinkBlog will be recommending the essential steps your company should take to maintain data security.
