Authentication strategies: going beyond passwords

The use of passwords to authenticate access to digital systems and platforms has been the norm for decades, but it is becoming increasingly clear that this practice is no longer enough to ensure the security of online information.

A

s the amount of data stored in the cloud increases and cyber attacks become more complex, there is a growing need for stronger and more advanced authentication strategies. 

 According to a study by password management specialist NordPass, an average user has around 100 different passwords spread across all their services. Many people feel frustrated by the great amount of time wasted on password recovery processes. Often, as soon as they recover their passwords, they forget them again. 

Another study released in January 2021 by LastPass and OnePoll, titled “Password Anxiety,” found that over 60% of users would rather not access a site than have to recover a password, resulting in lost contacts and, consequently, losses for businesses. Online criminal activity is undoubtedly another major cause of economic losses, taking advantage of the vulnerabilities created by poor password hygiene. 

Users’ responsibility for their digital identity 

In general, all reports highlight that gaps in consumer and user responsibility, account for the majority of incidents. 80% of attacks occur due to failures in password management, which aligns with data provided by passwordless authentication solution specialist HYPR, indicating that 72% of internet users use the same password for different services, and over half use the same password, with slight variations, when resetting it. 

Fortunately, there are several alternatives to traditional passwords that can significantly enhance security. These passwordless authentication strategies are based on strengthening identity verification through the use of other factors. 

• Security questions: Used in combination with passwords, personal questions with answers only known to the user provide an additional layer of security. However, this system has certain disadvantages as it relies on personal information, making it vulnerable to social engineering techniques that are established to gather such data. 
• Email or social media: Authentication through an existing email or social media account is a method that can eliminate the need to remember another password, simplify the registration process, and add the security and two-factor authentication measures of that account. 
• Biometric recognition: Without a doubt, one of the great revolutions of our time. Facial recognition, voice recognition, or fingerprint scanning, combined with other security systems, are now common in procedures at banks or insurance companies. These systems are user-friendly and eliminate the need to remember or store passwords. 
• Behavioral authentication: Developers are exploring the boundaries of biometrics with methods that record iris movement, typing cadence, pressure when signing, etc., to achieve the most secure and personalized authentication processes. Extracting specific data from user interactions with devices creates seamless and personalized experiences. 
• Multifactor authentication (MFA): Also known as MFA, this method requires users to provide more than one element to prove their identity. For example, a website may request that users enter a password and then provide a code sent to their mobile phone. This makes it much more challenging for hackers to access accounts, as they would need to decipher multiple and different blocking methods. 
• Passwordless authentication: This method uses other forms of identity verification, such as one-time-use tokens sent to the user.
   

Assessing risks and designing tailor-made identification strategies 

It is important to note that the implementation of these advanced authentication strategies is not a one-size-fits-all solution for all cybersecurity issues. While these techniques can provide a higher level of security, there are still potential vulnerabilities that need to be considered. For example, if biometric data is stored in a fragile system, hackers could use it to access accounts. Additionally, multifactor and passwordless authentication still depend on other factors which also need to be secured, physical access to the device used for authentication for example. 

Companies handling large amounts of personal or financial information may require more advanced authentication strategies than those dealing with less sensitive information. Therefore, it is crucial to assess the level of risk and adapt security techniques accordingly. 

To ensure cybersecurity, a comprehensive approach is crucial, including a variety of security techniques, advanced authentication, as well as extensive education and hygiene practices regarding authentication methods. It is vital for companies to educate their employees and customers about the best cybersecurity practices, such as detecting phishing emails and regularly updating passwords, gradually building a strong culture of digital environment protection.