Industry talking to customers What's this? Online Fraud: Why Passwords Aren’t Enough Published: September 27th, 2016 By: IT World Canada Staff It’s time to plan for the demise of the password. According to Forrester Research, the use of passwords to access online accounts will start to “die off” by 2019, and businesses need to be prepared for alternative approaches.“Consumers have to remember too many passwords, and businesses invest significant resources in managing them,” says Shri Kalyanasundaram, Senior Strategy Manager of Digital Identity and Emerging Products at TELUS.A recent U.S. survey by Intel security showed that, with accounts for email, social media, banking, utilities and online shopping, the average person has 27 discrete online logins. Yet, passwords alone are one of the worst ways to secure information.The Password Problem On a global basis, there were over one million web attacks against people in 2015, states Symantec’s annual Security Threat Report. The majority of breaches relate to identity issues. Verizon reports that two out of three security incidents occur as a result of lost, weak or stolen credentials.There are two key reasons why passwords are a poor way to secure account access. The first is human behaviour. Since most people have trouble keeping track of many lengthy and complex passwords, they tend to use the same one for a number of sites. According to Forrester Research, “reusing passwords verbatim or with minimal changes can start a domino effect of hacked sites and leaked user details.” People also tend to reveal information on social media, like their pet’s name, which makes it easy to guess their passwords, or the personal identification questions used in the “forgot password” process. Phishing scams are yet another ploy used by hackers to get access to their victims’ online accounts.Secondly, increased computer processing power is making it easier to crack passwords. Forrester predicts that by 2019, it will be possible to break even the most complex passwords, making everyone vulnerable to devastating breaches.In addition to the security concerns, businesses require additional resources for the administration of passwords. A recent survey by HDI shows that up to 30 per cent of call centre tickets are related to password resets. It also affects the customer experience. It can be time consuming to retrieve passwords, or to re-register for sites, with the result that some people simply abandon the account. “Businesses need to be able to provide more secure and convenient ways for consumers to access online services,” says Kalyanasundaram.The Identity SolutionMany security experts, including, suggest that the password problem can be eliminated and replaced with a mobile-based authentication solution, that allows for two-factor authentication. The password offers a single factor of authentication (i.e. “something you know”). However, basing authentication around a mobile device (i.e. “something you have”) and combining it with either a PIN (i.e. “something you know”) or a biometric (i.e. “something you are”) offers two-factor authentication.The idea makes sense given the rapid growth in the use of smart phones. A 2015 market survey by Catalyst shows that close to 70 per cent of Canadians have mobile phones and this number is growing by 24 per cent each year.Solutions using two-factor authentication can be provided to businesses as a service, so that they can provide easy and secure online access to their customers. As an example, TELUS will soon be launching a service called Mobile Connect. “It allow consumers the ability to use a privacy-forward single digital identity to log-in to multiple online services, from online banking to government services.,” says Kalyanasundaram. “It also helps organizations to allow access to a trusted online environment in a cost-effective way.”This article is one in a series sponsored by TELUS to provide advice and expertise on digital identity management for organizations. For more information, please email DigitalIdentity@telus.com.