'Lazy' passwords must give way to flexible biometrics
With more than 3 billion credentials reported stolen worldwide in 2016, and 51 companies admitting a breach, we are clearly all in need of a resolution to fix the password problem.
Lazy passwords have failed us, and it’s time we work harder to clear this roadblock on the path to a secure online experience. Breaches of the kind suffered by retailers and by large service providers such as LinkedIn are avoidable. What’s needed to get us in shape are solutions that achieve two objectives.
First, service providers must replace the archaic centralized username-and-password login scheme with decentralized biometric authentication. Enterprises that store sensitive user data, whether that data is password hashes or biometric templates, are targets for attackers who know that a single successful intrusion, whether it starts with phishing or with credential stuffing, yields a treasure trove of sellable data.
We must abandon the idea that enterprises should centralize the storage of passwords and PII. This shift disrupts the career hacker’s business model of hitting one target to obtain a payload as large and as marketable as bulk user data. Having to go from device to device in the hope of stealing one person’s credentials at a time sends a message that the practice is neither scalable nor efficient. The stakes are higher still for biometrics: a leaked password can be reset, but a leaked fingerprint or face cannot.
Forget what you know about biometrics as they are implemented in the public sector and in legacy commercial systems, where one entity holds a biometric database and each user’s sample is sent to it and matched at every authentication. Today’s mobile devices are sophisticated enough to keep the template on the device, stored encrypted, and to perform the match locally against that template, so the biometric never has to be transmitted to or held by a server. If privacy is a consideration, as it should be, users are the appropriate custodians of their own biometrics.
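The on-device model described above, worked through as an added example that is not code from the original article: the device holds the template and a private key, the server holds only a public key, and a login is a server challenge signed by the device after a local match succeeds. The feature-vector template, the Euclidean distance threshold, the constructed enrollment and login samples, and the choice of Ed25519 are all assumptions made here to make the pattern concrete; the article names no particular matching algorithm or protocol.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"math"
)

// Template stands in for a biometric template: a feature vector produced by
// the device's sensor pipeline. Real templates are opaque vendor formats; this
// constructed example uses a short float slice so the match is legible.
type Template []float64

// Device models the user's phone. The template and the signing key never
// leave this struct; on real hardware they would sit behind the secure
// enclave / TEE and the template would be stored encrypted.
type Device struct {
	template  Template
	priv      ed25519.PrivateKey
	threshold float64 // largest distance accepted as a match (assumed value)
}

// Server stores only what it needs to verify a signature: the public key.
// A dump of this map yields nothing usable for impersonation.
type Server struct {
	pubKeys map[string]ed25519.PublicKey
}

// Enroll keeps the captured template on the device and registers only the
// public half of a fresh key pair with the server.
func Enroll(srv *Server, user string, captured Template) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	srv.pubKeys[user] = pub
	return &Device{template: captured, priv: priv, threshold: 0.5}, nil
}

// distance is the Euclidean distance between two feature vectors. Biometric
// matching is never exact, so a threshold replaces equality.
func distance(a, b Template) float64 {
	if len(a) != len(b) {
		return math.Inf(1)
	}
	var sum float64
	for i := range a {
		d := a[i] - b[i]
		sum += d * d
	}
	return math.Sqrt(sum)
}

// Challenge issues a fresh random nonce; a signature over it proves
// possession of the device key now and cannot be replayed later.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Authenticate runs the match locally and only on success unlocks the key
// and signs the challenge. The sample itself never leaves the device.
func (d *Device) Authenticate(sample Template, challenge []byte) ([]byte, error) {
	if distance(sample, d.template) > d.threshold {
		return nil, errors.New("local biometric match failed")
	}
	return ed25519.Sign(d.priv, challenge), nil
}

// Verify checks the signature against the user's registered public key.
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.pubKeys[user]
	return ok && ed25519.Verify(pub, challenge, sig)
}

// Login wires the exchange together and reports whether it succeeded.
func Login(srv *Server, dev *Device, user string, sample Template) (bool, error) {
	nonce, err := srv.Challenge()
	if err != nil {
		return false, err
	}
	sig, err := dev.Authenticate(sample, nonce)
	if err != nil {
		return false, err
	}
	return srv.Verify(user, nonce, sig), nil
}

func main() {
	srv := &Server{pubKeys: map[string]ed25519.PublicKey{}}
	enrolled := Template{0.10, 0.80, 0.30, 0.55} // constructed enrollment capture
	dev, _ := Enroll(srv, "alice", enrolled)

	ok, err := Login(srv, dev, "alice", Template{0.12, 0.78, 0.31, 0.54})
	fmt.Println("genuine sample:", ok, err)
	ok, err = Login(srv, dev, "alice", Template{0.90, 0.10, 0.70, 0.05})
	fmt.Println("impostor sample:", ok, err)
}
```

The point to notice is what each side holds: the server's only per-user record is a public key, so the bulk dump that funds the centralized breach economy is worthless here, and a stolen phone still has to pass the local match before the key will sign anything.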
Second, let’s break the stubborn rule that added security reduces usability, and vice versa. Today’s mobile devices make a fully biometric experience possible, and a multimodal one: touch, face, voice, eye, palm, and behavioral recognition give users a choice, and combining them gives even higher levels of assurance. The ubiquity of online shopping and the rise of mobile, the latter of which conflicts with directives to use 40-character strong passwords, make clear that we should marry security and usability.
Decentralization and a commitment to offering the best experience are two attainable goals for 2017. It can be the year we break old habits like the use of passwords, but only if providers, enterprises, and consumers alike are willing to put the worst of yesterday behind us.