The welcome news that Facebook and Twitter have integrated physical security keys on Android and iOS helps bring us closer to an age of stronger widespread authentication. The more people start to benefit from enhanced cyber security protection on some of their most used accounts, the more they will question why other services they use still rely solely on passwords. This move by the social media giants is part of growing momentum towards strong authentication practices, with open security standards leading the way.
The problem with passwords
Passwords are still the most common form of user authentication, “protecting” accounts, devices and systems, but alone, they don’t provide strong security. Not only that, they don’t offer the best user experience.
Many passwords don’t even meet the minimum criteria of being unique and complex. People reuse passwords across accounts because they simply can’t keep track of all the logins they have. They choose passwords that are easy to remember to ease the burden, but that makes them easy to guess too. In fact, our research shows that people reuse their passwords across an average of ten personal accounts, while ‘123456’ still topped the list for the most common password in 2020.
Even when they have chosen well, their unique and complex password can still fall victim to a modern phishing attack. After all, even an exemplary password can’t protect an account if the holder has been tricked into providing the information.
From a user experience perspective, you have the stress and strain of choosing, each time, a unique, complex password that also meets the criteria demanded by the platform or service provider. Then, you have the inconvenience and delay of having to reset the password (and choose all over again) when it’s forgotten.
That ‘inconvenience’ comes, of course, with a price tag for companies. They must implement password reset processes, train helpdesk staff and incur the heavy cost of fielding calls when customers have problems.
Where next for logins?
Modern cyber security strategies must ensure a password is not the last line of defence against phishing or other malicious attempts to compromise private information.
This is where multi-factor authentication (MFA) comes in. It requires more than just a username/password combination to grant access to a protected account, device or system. MFA combines standard login credentials with something the user has (such as a mobile phone or security key), something they are, in the form of a unique attribute (such as a fingerprint), or something they know (such as a PIN or memorable word).
Memorable words and one-time passwords (OTPs), often sent by text to a registered mobile phone, are common ways of meeting the need for additional security in authentication processes. They are a step ahead of just a password, but they aren’t completely resistant to security threats. Mobile-based one-time codes can be vulnerable to SIM-swap, modern phishing and man-in-the-middle (MitM) attacks. The latter occurs when a user believes they are communicating with a legitimate organisation while their information is being intercepted and relayed by a malicious third party. Routes in for the cyber criminal can include unprotected Wi-Fi and manipulated URLs.
From a usability standpoint, memorable words have similar drawbacks to those seen with passwords. Meanwhile, OTPs create friction in the process and may bring it to a halt altogether if the battery in the customer’s mobile phone needs charging, they’re in a mobile-restricted location or are simply without a signal.
Raising the standards
Big tech firms like Facebook and Twitter are recognising that the integration of physical security keys enhances their cyber strategies. Google, for example, already uses security keys to protect over 85,000 of its staff, which has led to zero confirmed account takeovers. A security key is something a user has, so even if a password has been compromised, without the key the cyber attacker won’t be able to gain access to a targeted account.
Physical security keys reduce friction and complexity in the login process. By meeting WebAuthn and FIDO2 global authentication standards, they can further the cause of MFA through accessible integration. Such an open standards ecosystem helps achieve the dual aims of security and usability for authentication with strong protection across devices, apps and services, without the need for proprietary software.
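The phishing resistance described above comes from how a WebAuthn/FIDO2 assertion is built: the browser, not the user, writes the page origin into the client data, the key signs over that data together with a hash of the relying party ID it was registered for, and the site refuses anything whose origin, rpIdHash or challenge does not match. The Go program below is an added illustration written for this page, not code from the article, Facebook, Twitter or any FIDO library; it models the authenticator with a P-256 key, omits attestation, CBOR encoding and the signature counter, and uses constructed domain names and a constructed challenge.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

type assertion struct{ AuthData, ClientDataJSON, Sig []byte } // rpIdHash||flags, clientDataJSON, ES256 signature

// toBeSigned is what the key actually signs: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func toBeSigned(authData, cdJSON []byte) []byte {
	h := sha256.Sum256(cdJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), h[:]...))
	return m[:]
}

// sign models browser plus security key on a page at origin; the browser, not the user, records the origin.
func sign(key *ecdsa.PrivateKey, rpID, origin, challenge string) (assertion, error) {
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01) // flags byte: user present; signature counter omitted here
	sig, err := ecdsa.SignASN1(rand.Reader, key, toBeSigned(authData, cd))
	return assertion{authData, cd, sig}, err
}

// verify models the relying party: origin, challenge and rpIdHash must all match before the signature counts.
func verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, a assertion) bool {
	var cd map[string]string
	clientOK := json.Unmarshal(a.ClientDataJSON, &cd) == nil && cd["type"] == "webauthn.get" &&
		cd["challenge"] == challenge && cd["origin"] == origin
	rpHash := sha256.Sum256([]byte(rpID)) // the credential was bound to this rpID at registration
	return clientOK && len(a.AuthData) >= 33 && string(a.AuthData[:32]) == string(rpHash[:]) &&
		ecdsa.VerifyASN1(pub, toBeSigned(a.AuthData, a.ClientDataJSON), a.Sig)
}

// demo registers a fresh P-256 credential, then checks a genuine assertion, one minted on a look-alike page, and a stale replay.
func demo() (genuineOK, phishOK, replayOK bool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	pub, ch := &key.PublicKey, "constructed-challenge-123" // ch stands in for a random, single-use server challenge
	check := func(a assertion, c string) bool { return verify(pub, "example.com", "https://example.com", c, a) }
	good, _ := sign(key, "example.com", "https://example.com", ch)
	bad, _ := sign(key, "example-login.evil", "https://example-login.evil", ch) // what a phishing page would get
	return check(good, ch), check(bad, ch), check(good, "stale-challenge")
}

func main() { fmt.Println(demo()) } // prints: true false false
```

Because the look-alike page can only obtain a signature over its own origin and rpIdHash, relaying that assertion to the real site fails even though the user touched the genuine key, which is the property an SMS code or memorable word cannot offer.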
Through global standards and the integration of strong authentication into browsers and popular online platforms, there is positive momentum away from password-only user verification. Cyber security strategies must mitigate the risk of password hacking and data breaches, and that can only be achieved through strong authentication. A wider understanding and acceptance of stronger authentication means we all move a step closer to a higher level of cyber security and improved online protection for consumers and businesses.