Are you lying awake at night worrying that your online passwords have been stolen?
You might as well sleep. They're long gone.
A case in point is the recent disclosure by Marriott of a four-year-long breach involving the personal and financial information of 500 million guests of its hotel properties. It is second in severity only to the hack of three billion Yahoo! accounts in 2017. In short, somebody already has your password. Even when stolen passwords are stored in hashed or encrypted form, it is usually just a matter of time before the thieves recover the plaintext.
The Marriott data now at large comprises names, postal addresses, telephone numbers, e-mail addresses, passport numbers, loyalty program identifiers, dates of birth, sex, stay data, communication preferences and, in some cases, credit card numbers with their expiration dates.
On the bright side, some of the most forward-thinking companies are working hard to remediate the intrusions when they do occur. They’re constantly scanning their own networks and employees for weaknesses, and regularly testing their breach response preparedness, much like a fire drill. They’re finding creative ways to cut down on the volume of sensitive data that they need to store and protect.
Let’s look at a few approaches that have emerged, then let’s consider something even better: the opportunity to get rid of passwords completely. As Josh Shaul at Akamai has said, using secret passwords means we really haven’t advanced the technology since a Roman sentry shouted “Who goes there?” and “What’s the passcode?” some 2,000 years ago.
One thing you can do is to start living by some common-sense password procedures.
Changing them often is a good idea, but keep in mind that the common practice of letter/number substitutions is trivial for password-cracking software to account for. Plus, it makes the password harder to remember.
This ends up being counter-productive: once people have memorized a difficult password, they are reluctant to change it. Compounding the problem, the password reset process itself is a common entry point for a villain to steal your password.
Human nature being what it is, once people have a clever password, they often use it across multiple sites. This is another huge opening for hackers: one of the most common attacks is to try a password known from one breach against the other accounts owned by the same individual.
When you reuse passwords across security domains, websites, or services, a breach of any one of them puts all of them at risk.
Bad as that is, the other major source of stolen passwords is phishing. With phishing, passwords are obtained through online conversations and coaxing rather than by technical means, so long and complex passwords offer little protection. Yes, some attackers and malware still try to guess passwords, but they are now in the minority.
Given this state of affairs, use of a good password manager is a step in the right direction. It at least allows a randomly generated, unique password for every site, without the need for memorization. We generally favor password managers that do not store your data in a cloud service, even encrypted; that is too valuable a target to keep in a public cloud.
One solution that has emerged is to use multi-factor authentication challenges whenever possible. Risk-based multi-factor authentication takes password protection to the next level by checking whether the person logging in has access to something only they should have. It makes sense that higher-risk scenarios should require greater authentication assurance.
For example, if you log into your e-mail account from your home computer, it may be acceptable to check for a cookie or "device fingerprint" marking that device as trusted, because the e-mail service has seen you use it from this location before. But if you try to log on to the same account from a laptop while you are traveling, stronger measures are needed. Some e-mail providers now offer this level of service: you can use a simple password on your computer at home, but logging on from a new location requires the entry of a PIN texted to your phone.
Again, this is progress, but multi-factor authentication still does not fully resolve a bad situation. For example, what if the phone that receives the PIN is not your phone? Hackers have been known to take over cellphone accounts and redirect the PINs. When PINs are e-mailed, any hacker who has already compromised your e-mail account can easily pretend to be you. Better authentication based on what you should have is not enough.
What if, instead of putting lipstick on the password pig, we completely get rid of passwords? Right now.
The logical progression is to embrace multi-factor authorization. Keep the distinction clear: authentication simply proves that you are you, whereas authorization says that you are allowing the pertinent data or service to be accessed on your behalf.
In a multi-factor authorization ecosystem, nothing can happen without you specifically authorizing it. In short, it ends the current situation where identities are stolen simply by falsely authenticating as a person by, for example, using a stolen password.
Here is how we made that happen. We developed the ability to securely access an app using things that are hard to fake (your face or fingerprint) on your specific phone, and no other. That app generates a smart PIN which specifies exactly what activity you want to authorize. You can limit the access to a website, an account, or an action within an account; for a financial transaction, the PIN can specify the amount, the time, and the location.
Significantly for preventing theft, once that smart PIN has been used to authorize the transaction for which it was generated, it cannot be used again. It is truly a one-time, one-use authorization generated by the end-user.
We call it a Permission Code. The Permission Code resolves issues faced by those on either side of any given transaction. You keep control of the whole process: you authenticate to your own phone (or other device) and generate the Permission Code authorizing an activity right on it. You can be sure that the transaction you are authorizing will be the only thing that takes place.
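As an added illustration (not the vendor's implementation, whose internals this post does not describe), the sketch below models the three properties claimed for a Permission Code: it is bound to the exact transaction parameters, it is valid only for a short window, and it is rejected on any second use. The shared per-device symmetric key, the field names, and the `PermissionCodeIssuer`/`PermissionCodeVerifier` names are assumptions made for the example.

```python
import hashlib, hmac, json, secrets

def canonical(tx: dict) -> bytes:
    """Unambiguous serialization of every parameter being authorized."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()

def _tag(key: bytes, nonce: str, expiry: int, tx: dict) -> str:
    msg = f"{nonce}.{expiry}.".encode() + canonical(tx)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:20]

class PermissionCodeIssuer:
    """Runs on the user's phone after a local biometric unlock (assumed)."""
    def __init__(self, device_key: bytes):
        self.key = device_key  # assumed per-device key shared with the verifier
    def authorize(self, tx: dict, now: int, ttl: int = 60) -> str:
        # A fresh nonce keeps every code distinct, even for identical transactions.
        nonce = secrets.token_hex(8)
        expiry = now + ttl
        return f"{nonce}.{expiry}.{_tag(self.key, nonce, expiry, tx)}"

class PermissionCodeVerifier:
    """Runs at the business; holds the same per-device key (assumed)."""
    def __init__(self, device_key: bytes):
        self.key = device_key
        self.used = set()  # consumed nonces; entries can be pruned once past expiry
    def verify(self, code: str, tx: dict, now: int) -> bool:
        try:
            nonce, expiry_s, tag = code.split(".")
            expiry = int(expiry_s)
        except ValueError:
            return False
        if now > expiry or nonce in self.used:
            return False  # stale code, or replay of one already consumed
        # Recompute over the transaction the business actually sees: any change to
        # amount, payee, time or location yields a different tag and the code fails.
        if not hmac.compare_digest(_tag(self.key, nonce, expiry, tx), tag):
            return False
        self.used.add(nonce)  # burn it: one authorization, one use
        return True

def demo() -> tuple:
    """Constructed sample: first use succeeds, replay and tampering both fail."""
    key = b"constructed-per-device-key"
    tx = {"action": "transfer", "amount": "250.00", "payee": "acct-4471", "location": "Boston"}
    phone, bank = PermissionCodeIssuer(key), PermissionCodeVerifier(key)
    code = phone.authorize(tx, now=1_700_000_000)
    first = bank.verify(code, tx, now=1_700_000_010)
    replay = bank.verify(code, tx, now=1_700_000_011)
    altered = bank.verify(phone.authorize(tx, 1_700_000_000), dict(tx, amount="2500.00"), now=1_700_000_010)
    return first, replay, altered  # (True, False, False)
```

A real deployment would more likely sign with a key that never leaves the phone's secure hardware and verify with its public half; the symmetric key here keeps the example short.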
The business side of the transaction is freed of many constraints as well. Marriott or Yahoo! or a financial institution has confidence that every given activity is truly authorized. They don't have to risk refusing transactions that they are unsure about.
Most important, companies no longer need passwords or other PII to authenticate clients in order to transact business with them, which makes the theft of that data unimportant. Welcome to a new way to secure your accounts, and to sleep soundly.