Interviews

Online business breach comment

by Mark Rowe

A number of online businesses have recently seen their IT security breached, opening access to customer data.

Yiannis Chrysanthou, security researcher in audit firm KPMG’s cyber security team, suggests that instead of businesses blaming consumers for using weak passwords, they need to introduce multi-factor authentication.

He said: “To prevent password breaches, users are often asked to stop reusing the same password combination across several access points, and businesses are advised to ensure that they have cryptographic hash functions specifically designed for password storage. But this method hasn’t been effective. Organisations seem to believe that if they force users to pick long complex passwords and then store them only in their cryptographically hashed formats, they are relatively safe. The reality is that we hear of password breaches time and time again, and this needs to change!

“What often happens is that a website or organisation suffers a breach and the attackers publicise the database with usernames, emails and passwords online. The passwords are either in plain text or hashed using cryptographic hash algorithms that are often cracked within a few days.

“The alternative is to use multifactor authentication as it improves security by combining multiple forms of identification data. Passwords on their own are just one authentication factor because they rely on ‘something the user knows’. By adding an additional factor such as a smartcard (something a user has) or a fingerprint (something the user is), credential theft and impersonation become harder. Multi-factor authentication will block traditional attacks relying on guessing or stealing a user’s password because the password itself will no longer be sufficient. Of course this extra security comes with increased investment but the improved customer protection makes it viable and valuable.”

Phil Turner, VP EMEA at Okta, said that user names and passwords alone are no longer a good enough security measure.

He said: “These data breaches highlight just how vulnerable all online information is. We always think about protecting our bank accounts and professional documents online, yet we forget about the importance of protecting our personal pictures.

“It’s clear that we’ve reached a point where usernames and passwords alone are no longer good enough. People reuse passwords across multiple sites and applications because they’re difficult to manage. All it takes is one hacker getting their hands on these credentials and multiple companies could find themselves affected.

“Rather than relying solely on passwords to authenticate users, it’s vital that all organisations are enforcing multi-factor authentication – which requires two or more factors to verify the legitimacy of the user. This could be via additional verification methods such as mobile applications or SMS messages which can provide a unique security code and don’t require users to store or remember further credentials. This helps to ensure users are who they say they are and reduces the risk of unauthorised access, should password details be compromised.”


© 2024 Professional Security Magazine. All rights reserved.
