Passwords have become real problems for system users and security experts. Recent studies demonstrate that the majority of system intrusions are due to password compromises as most users apply poor password management practices.
Many of us have a multitude of accounts that we access with a single password because we are tired of forgetting or resetting passwords and to make things even worse, we sometimes let the system save the passwords for us which adds to our security problems because anyone with access to the computer can access our accounts and that includes our house cleaners and other visitors. Plus, many of us choose either simple passwords or write the passwords down to remember them later. When we use the same password to access multiple accounts, we expand our risk because if our passwords are stolen, hackers can access more of our accounts with just one password.
Consider the following top passwords used in 2017:
Also consider the following password use patterns:
As you see, passwords can cause problems if they are not handled properly and we need to consider other solutions. In fact, Verizon’s security report stated that the number of data breaches involving stolen or weak passwords has gone from 50% to 81% during the past three years. This alarming trend clearly illustrates that today’s security isn’t working.
Before we move forward, let’s recap the three common factors used for authentication:
- Something we know (such as a password)
- Something we have (such as a smart card)
- Something we are (such as a fingerprint or other biometric method)
To solve the password security problem, the industry is introducing new solutions such as biometric authentication and multi-factor authentication. With multi-factor or dual-factor authentication, the problem remains the same if one of the factors happens to be, you guessed it right, a password. It is often said that the weakest link in an organization’s security is its people. Here, I’m saying that the weakest link in the multi-factor authentication process is the password if it happens to be one of the authentication factors.
Biometric Authentication Statistics
According to a new report published by Spiceworks, nearly 90 percent of businesses will use some type of biometric technology for authentication by the year 2020. In fact, some 62 percent of companies already use biometrics in some form, with another 24 percent stating their intention to do so within the next two years.
Here is the breakdown:
- 57 percent of companies using biometric authentication use fingerprint scanners
- 14 percent use facial recognition
- Five percent make use of hand geometry recognition
- Three percent use iris scanners
- Two percent use voice recognition
- Two percent use palm-vein recognition
The good news with biometric authentication is that system users don’t have to remember or write down any password or secret information. In fact, users can access any system seamlessly by presenting the required biometrics which are unique and measurable physical characteristics such as their face, hand, or fingerprint. The question I want to raise here is: why is it that the portability of biometric authentication is natural and accepted while the portability of password used to access multiple accounts is not? Because we now know that passwords cause most security problems while biometric authentication is new and untested.
The issue I want to point out is that the portability of biometric authentication may present more problems that passwords because if our physical characteristic data is stolen to recreate the authentication object whether it’s our face or hand, then all of our accounts with biometric access control are at risk. You might argue that a single password which we use to access multiple accounts can also be stolen to access our accounts however while a stolen password can be reset, a physical feature can not unless the security industry can guarantee that our biometric data can never be stolen or used to recreate the authentication object. From a security limitation standpoint, someone can always put a gun to our head to access our account with our fingerprint but the same gun can also be used to force us to enter a password or PIN which is something the industry can not do anything about.
Other authentication models that the security industry is contemplating and using include knowledge-based and adaptive authentication. There is no doubt that the death of password as a single factor authentication is near but my hope is that adaptive or other authentication methods do not include passwords while new solutions such as biometric authentication improve the security landscape and do not make it worse.