We all know how much of a bad idea writing down complex passwords is. Yet people do it all the time. I recently spoke with Dr. Mansur Hasib, one of world’s leading authorities in cybersecurity and speaker at the SC Congress 2015 in Toronto, about security and the role passwords play. Dr. Hasib’s take on the issue was simply “can we not do away with passwords altogether? People have already suffered too much and now it is one of the most insecure ways to authenticate.” He explained following problems with passwords:
- Once a criminal has access to a password they can change your password and lock you out of your own account and hold the data hostage for a ransom
- People habitually write down passwords in conspicuous places
- They forget passwords all the time and have to go reset passwords
- Sophisticated password crackers can crack passwords easily
- Key stroke loggers or other spyware can be used to learn passwords
- Criminals can capture passwords by capturing all keystrokes
- People stay locked out of accounts and cannot get their job done
- Stealing passwords is the main objective behind typical phishing or other social engineering attacks
Dr. Hasib explained that innovative vendors such as Enterprise Sentinel are redefining the authentication space and modernizing multi-factor authentication making it almost impossible for criminals to gain access to a system. Assuming that the user has a smart phone, this company has a product called DynaMatrics 2FA which works in the following simple manner:
- The user installs an app on their smart phone and performs a self-enrolment process during which they establish a pattern known only to the user and not written down or stored anywhere else
- When they wish to authenticate to the system, the system sends the app on their phone a randomized reference table
- The user then looks at specific cells in the table known only user knows to learn what their one-time passcode is for this authentication session
- The user enters this into the web application and gets in securely
Dr. Hasib contends, “The strength of this type of solution is that there is no password to remember, forget, or reset. All those support and development costs vanish. And even if someone has logged the keystrokes they cannot use the password ever again.” The solution also solves the problem of users innocently visiting infected sites only to have spyware installed on their machines – without ever clicking on anything. “Members of the public must insist on doing business with companies that use a stronger authentication mechanism that userids and passwords. Banks and financial institutions are a ripe market for this type of higher security authentication.” said Dr. Hasib.