Yahoo’s been hit by another major data breach – with 1 billion user accounts thought to have been affected. The beleaguered tech multinational has told all affected users that they need to change their passwords not just for their Yahoo accounts but for all other accounts they use online.
But next generation authentication methods could soon be overtaking the conventional password – bringing a new set of opportunities and pitfalls.
Yahoo’s latest breach is a serious embarrassment for the internet portal and email service provider, which is presently looking for a buyer.
For users, it’s a massive hassle and also a potential security concern. But it’s also reminded everyone how vulnerable password-based authentication makes us: especially if we’re bad at managing our passwords.
Users who have the same password across multiple accounts, such as their Yahoo email account and their PayPal account, could be at particular risk following the hack.
Multiple surveys have found that web users often employ just one password across all their online activities, a practice that puts them at particular risk if any account is hacked.
In 2013 Ofcom found 55% of UK adults used the same password across nearly all their accounts.
Mobile identity company Telesign found that nearly three-quarters of users in the US and the UK recycled their passwords, and often didn’t change them for years at a time. On average, only 6 passwords are used to guard 24 online accounts.
A worrying number of web users also put their trust in very simple passwords. In 2014 the five most popular passwords included things such as ‘password’ and ‘12345’.
It’s also common for people to use their birthday as a password. Weak passwords like these also put users at risk of a security breach.
A new security solution
So we know that users recycle passwords across multiple online accounts, and we also know that even the biggest tech firms can be successfully cyber-attacked on multiple occasions.
What then is the solution to overcoming these vulnerabilities? We’ll have to assume that people aren’t going to give up their bad password creation habits anytime soon. Fortunately, new ways of managing security could mean we no longer need to recall a host of passwords.
Increasingly, consumers expect frictionless, immediate access to what they want. Password based authentication may be standing in the way of that.
There’s even evidence that Millennials, the net native generation most familiar with password-enabled online life, are some of the least safe password creators.
It seems that we’re on the cusp of seeing some slightly more ‘space age’ alternatives to password-based account security coming into mainstream use. There are several possibilities, including biometric identification methods such as fingerprint scanning, voice or facial recognition, or even iris scanning.
Widespread use of social networking sites also means that social login, which uses information from the customer’s existing social media accounts, is now much more widely used for account creation and access.
Firms such as Apple, and some banks, are already using so-called two-factor authentication (a form of ‘multi-factor authentication’).
This requires the user to present not only their username and password but also some other piece of evidence that only they can supply.
This could be a code sent to their registered mobile number via SMS, or it could involve a bank-issued hardware token: a small device like a calculator or pager which generates a unique code each time they want to log in online.
Multi-factor authentication involves the user providing evidence from more than one category. This might be something they know, such as their first pet’s name or their childhood street address (information that hackers might not know); something they have, such as an electronic token that generates single-use codes; or what’s called an inherence factor, something they are, such as biometric information.
The latter is increasingly feasible because technology has advanced to a stage where a mobile phone can easily scan a fingerprint.
These newer authentication methods bring their own weaknesses and other pitfalls. It’s easy for a small electronic token to be misplaced, and the tech is unfamiliar to some customers.
It’s unlikely that users will tolerate having a separate token for all their devices – it goes against the idea of constant accessibility to an online account if you need to carry secondary items with you to gain access.
Widespread mobile phone ownership means the phone itself can act as an authentication device; it’s rare for customers to ever be far from theirs.
But if the phone is lost there’s an additional barrier to account recovery, making it a potentially far more complex procedure than the current method of having a password reminder sent out.
A more personalised method of account access
These new authentication methods also offer advantages compared to older methods, and that’s for both the account holder and the business itself.
Encouraging users to opt for social login gives your business access to more information – potentially as many as 200 data points. Perhaps more importantly, you can be much more confident in whatever data you hold.
Users frequently admit to falsifying data when they fill out online registration forms.
Using social login means that you are far more likely to receive genuine user data. Of course, users are also aware of this and they may be reluctant to sign up if they feel obliged to give you access to all their social data to do so.
Insisting on social login can deter people from creating an account with you unless you offer trust and reassurance that you won’t abuse their data. It’s something your brand will need to take a decision on, balancing the pros and cons.
One other advantage of using the more recent authentication methods, including social login, is that it’s more personalised to the user and potentially easier.
Rather than users having to fill out all their registration details, social login means they can just share them across from their other accounts.
Use of biometric data is thought to be accepted by users as more secure than traditional password login, meaning they may feel more confident too.
If your business is still reliant on password-based authentication, it may be time for a review.
New authentication methods bring new challenges and pitfalls but they may become increasingly widespread. With major brands such as Yahoo struggling in the face of cybercrime, it’s important to stay on top of your security. Adapting to the changing face of authentication is one way to do that.