Over the years, passwords have become less and less reliable when it comes to protecting critical company data. It’s increasingly difficult to manage, memorize and keep passwords safe. Bad actors have numerous ways to crack, steal, reset or bypass them.
The number is staggering: 2,600,000,000 online accounts were breached in 2016.
In August 2016, for example, file sharing and hosting provider Dropbox revealed that in 2012 hackers had breached its network and stolen 68 million Dropbox credentials, including user email addresses and passwords.
And that’s bad news for chief information security officers and other C-level executives tasked with ensuring the security of their sensitive data and corporate networks, as well as meeting federal, state or internal compliance or regulatory requirements.
But the risks don’t just come from cybercriminals outside an enterprise. One of the biggest threats to an organization’s data and network security often comes from the very people entrusted with protecting it – its employees. Sometimes unwittingly.
For example, the hackers who breached Dropbox systems used an employee’s stolen password to get into its corporate network and steal user credentials.
Factors for Success without Passwords
Since the majority of data breaches are attributed to weak, stolen or compromised passwords, rather than just strengthening passwords, maybe it’s high time to bury the password as a primary authentication method altogether.
One alternative is two-factor authentication (2FA), which adds an additional layer of authentication to an account login. Entering a username/password combination is considered single-factor authentication.
With 2FA, a user is asked to verify his identity with something only he owns, such as a mobile phone. One such two-factor authentication system uses one-time passwords (OTPs) that are sent to users’ phones via short message service (SMS) and then entered by the user to complete the account login. But recent attempts to hijack and redirect SMS messages with malware have dampened confidence in the approach.
As more people conduct business via their mobile devices, businesses will need to take access control a step further by moving to multifactor authentication (MFA), which adds even more layers to the user verification process. One such layer can be something unique to a user’s physical being, such as a face, retina or fingerprint. Biometrics is gaining traction as the enabling technology.
Biometrics is a Game Changer
Today, organizations of all sizes worry about getting breached or having company intellectual property stolen through inappropriate account access, whether internal or external.
They’re also concerned about meeting federal, state and internal compliance and regulatory requirements, for example the Payment Card Industry Data Security Standard (PCI DSS), which requires any organization that accepts credit cards or stores/processes such data to have secure access policies in place.
Because of the headaches that come with remembering and managing countless passwords and growing security risks, many enterprises are turning to biometrics to keep their confidential data and networks secure.
Biometrics offer password-free authentication by making use of a person’s unique physical or behavioral characteristics, such as typing rhythm, to recognize, authenticate and verify an individual’s identity. Biometric authentication systems capture the biometric data, then compare it to confirmed authentic data stored in a database. If the samples match, the system confirms the user’s identity.
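The capture-and-compare flow just described, worked through for the behavioral example the post mentions (typing rhythm). This is an added illustration, not code from the post or from Crossmatch: the keystroke timestamps, the template format and the acceptance threshold are all constructed here, and the key point it shows is that a biometric match is a distance check against an enrolled template, never an exact comparison.

```python
from statistics import mean, pstdev

def features(timings):
    """Turn key-down timestamps (ms) into inter-key intervals: the rhythm."""
    return [b - a for a, b in zip(timings, timings[1:])]

def enroll(samples):
    """Build the stored reference template from several enrollment samples of
    the same phrase: per-interval mean and standard deviation. Only this
    template is kept in the database, not the raw samples."""
    vectors = [features(s) for s in samples]
    n = len(vectors[0])
    assert all(len(v) == n for v in vectors), "enrollment samples must match in length"
    template = []
    for i in range(n):
        col = [v[i] for v in vectors]
        # Floor the spread so a very consistent typist does not get an impossibly tight template.
        template.append((mean(col), max(pstdev(col), 5.0)))
    return template

def score(template, sample):
    """Mean absolute z-score distance of a fresh sample from the template (lower = closer).
    A sample of the wrong length cannot be the enrolled phrase, so it scores infinitely far."""
    f = features(sample)
    if len(f) != len(template):
        return float("inf")
    return mean(abs(x - m) / s for x, (m, s) in zip(f, template))

def verify(template, sample, threshold=2.0):
    """Accept when the sample is within `threshold` average standard deviations.
    The threshold is the security knob: lower it and false rejects rise,
    raise it and false accepts rise; pick it from measured error rates."""
    return score(template, sample) <= threshold

# Constructed data: three enrollment runs of a six-keystroke phrase by the legitimate user.
ENROLLMENT_SAMPLES = [
    [0, 120, 210, 410, 520, 670],
    [0, 125, 205, 420, 515, 680],
    [0, 115, 215, 400, 525, 660],
]
TEMPLATE = enroll(ENROLLMENT_SAMPLES)
# A later login by the same person (small natural variation) and a flat, even rhythm from someone else.
GENUINE_ATTEMPT = [0, 118, 212, 405, 518, 672]
IMPOSTOR_ATTEMPT = [0, 80, 160, 240, 320, 400]

if __name__ == "__main__":
    print("genuine:", round(score(TEMPLATE, GENUINE_ATTEMPT), 2), verify(TEMPLATE, GENUINE_ATTEMPT))
    print("impostor:", round(score(TEMPLATE, IMPOSTOR_ATTEMPT), 2), verify(TEMPLATE, IMPOSTOR_ATTEMPT))
```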
Biometrics offers the maximum amount of security with the least impact on the user experience, making it as easy as possible for individuals to authenticate their devices securely without the frustration and complexity of passwords.
Contact Crossmatch to learn how we can help your company optimize security by replacing risky, password-driven authentication practices with next-generation MFA and biometric solutions.
Jeff Carpenter is Director of Identity and Access Management solutions at Crossmatch. In this role, he is responsible for evangelizing Crossmatch’s DigitalPersona® solution. In his 10+ years in cybersecurity, Jeff has held positions with a number of top-tier cybersecurity and technology companies, most recently RSA, a Dell Technologies company. Jeff earned a Bachelor of Science degree in Business Administration from Creighton University in Omaha, Nebraska. He holds both the Certified Information Systems Security Professional (CISSP) and the Certified Cloud Security Professional (CCSP) designations.